Storing only a salted, hashed password for offline creds

Andrew Bartlett abartlet at
Sun Aug 20 02:11:13 GMT 2006

On Sat, 2006-08-19 at 19:07 -0700, Jeremy Allison wrote:
> On Sun, Aug 20, 2006 at 11:57:50AM +1000, Andrew Bartlett wrote:
> > 
> > I should have been more clear.  For the *offline* credentials cache
> > (where we want a user to log in to a disconnected laptop) we
> > could/should store only a salted hash, much like would be used
> > in /etc/shadow, as the user must present cleartext to login (which we
> > can then use for the puroposes of this patch and krb5 refresh).
> > 
> > This should prevent an attack in the 'stolen laptop' scenario.
> Ok, I'm not being clear either :-). The "cached credentials"
> I'm talking about here are mlocked in memory, never stored on
> disk. They're created once a user has successfully logged on
> via pam and stored in memory (in winbindd) until the machine
> is shut down. They're used for refreshing krb5 tickets and
> (now) for NTLMSSP auth with apps using the creds store for
> a particular uid as a single sign on mechanism (so the app
> doesn't have to re-ask for the password).

Understood, and great progress.  BTW, if mlocking these into memory gets
too much, we could encrypt them, and only memlock the key. 

> Offline auth is a different thing and is done by storing 
> the nt_hash in the winbindd cache. They aren't currently
> stored as a salted hash - they definatey should be.


Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list