Storing only a salted, hashed password for offline creds

Andrew Bartlett abartlet at samba.org
Sun Aug 20 02:11:13 GMT 2006


On Sat, 2006-08-19 at 19:07 -0700, Jeremy Allison wrote:
> On Sun, Aug 20, 2006 at 11:57:50AM +1000, Andrew Bartlett wrote:
> > 
> > I should have been more clear.  For the *offline* credentials cache
> > (where we want a user to log in to a disconnected laptop) we
> > could/should store only a salted hash, much like would be used
> > in /etc/shadow, as the user must present cleartext to login (which we
> > can then use for the purposes of this patch and krb5 refresh).
> > 
> > This should prevent an attack in the 'stolen laptop' scenario.
> 
> Ok, I'm not being clear either :-). The "cached credentials"
> I'm talking about here are mlocked in memory, never stored on
> disk. They're created once a user has successfully logged on
> via pam and stored in memory (in winbindd) until the machine
> is shut down. They're used for refreshing krb5 tickets and
> (now) for NTLMSSP auth with apps using the creds store for
> a particular uid as a single sign on mechanism (so the app
> doesn't have to re-ask for the password).

Understood, and great progress.  BTW, if mlocking these into memory gets
too much, we could encrypt them, and only memlock the key. 

> Offline auth is a different thing and is done by storing 
> the nt_hash in the winbindd cache. They aren't currently
> stored as a salted hash - they definitely should be.

Yep.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com