Storing only a salted, hashed password for offline creds

Jeremy Allison jra at
Sun Aug 20 02:07:05 GMT 2006

On Sun, Aug 20, 2006 at 11:57:50AM +1000, Andrew Bartlett wrote:
> I should have been more clear.  For the *offline* credentials cache
> (where we want a user to log in to a disconnected laptop) we
> could/should store only a salted hash, much like would be used
> in /etc/shadow, as the user must present cleartext to login (which we
> can then use for the puroposes of this patch and krb5 refresh).
> This should prevent an attack in the 'stolen laptop' scenario.

Ok, I'm not being clear either :-). The "cached credentials"
I'm talking about here are mlocked in memory, never stored on
disk. They're created once a user has successfully logged on
via pam and stored in memory (in winbindd) until the machine
is shut down. They're used for refreshing krb5 tickets and
(now) for NTLMSSP auth with apps using the creds store for
a particular uid as a single sign on mechanism (so the app
doesn't have to re-ask for the password).

Offline auth is a different thing and is done by storing 
the nt_hash in the winbindd cache. They aren't currently
stored as a salted hash - they definatey should be.


More information about the samba-technical mailing list