Storing only a salted, hashed password for offline creds

Jeremy Allison jra at
Sun Aug 20 03:54:34 GMT 2006

On Sun, Aug 20, 2006 at 11:57:50AM +1000, Andrew Bartlett wrote:
> I should have been more clear.  For the *offline* credentials cache
> (where we want a user to log in to a disconnected laptop) we
> could/should store only a salted hash, much like would be used
> in /etc/shadow, as the user must present cleartext to login (which we
> can then use for the purposes of this patch and krb5 refresh).
> This should prevent an attack in the 'stolen laptop' scenario.
> We could use the hash format we use for the LDAP password history, or
> perhaps a *variation* on the format used for AES krb5 (but it must be a
> variation, to avoid it being a plaintext-equivalent).

I've now changed the offline cred cache to do just that (use
the salted hash format we use for LDAP password history).

Thanks for your advice on this,
