Hello!
We are deploying SSSD for authentication with an LDAP backend, and we are getting pushback from our Security colleagues about using SSSD to cache user credentials.
I would like to have some documentation to show them how this cache is kept secure. Where can I find information to support this?
Thanks!
K.
I would recommend that your security department, instead of focusing on Linux/SSSD, take a look at Windows/lsass - Windows caches user credentials as well, and it's not a problem for them? O.
-----Original Message----- From: q8ztvkkd@posteo.de Sent: Thursday, August 09, 2018 11:51 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] SSSD cache security
Hello K.,
SSSD implements two different caching options: one to allow offline logins, and one to allow grabbing a Kerberos ticket after an offline login, once a KDC is reachable. This second option is krb5-specific.
To allow offline logins, after a successful authentication attempt against a remote server, the user password is hashed with a strong hash and stored in a dedicated database that is accessible only by SSSD.
The password is never stored on disk in the clear and is not directly accessible to users; only root can retrieve the hash, which then has to be brute-forced.
To allow acquiring an online krb5 ticket when authentication happened offline, you can optionally turn on credential caching. In this case the actual user password is stored securely in the kernel keyring. Only SSSD can access it and the password is removed permanently as soon as a ticket is successfully acquired or the server returns an authentication error that indicates the credentials are invalid (may happen if the user changes their password via a second device, while the first is offline). In this case the password is protected by the kernel in memory and is never swapped to disk.
HTH, Simo.
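As an added example (not from Simo's post or from the SSSD project), here is a small Python audit of the sssd.conf options that drive the two caches Simo describes: cache_credentials (the hashed offline-login cache), krb5_store_password_if_offline (the kernel-keyring store, which only does anything with a krb5 auth provider) and the [pam] offline_credentials_expiration and offline_failed_login_attempts limits, plus a permission check for the on-disk cache database. The two configuration texts are constructed for illustration; the option names are those documented in sssd.conf(5), and the /var/lib/sss/db/cache_<domain>.ldb path mentioned in the usage note is an assumption about a typical layout.

```python
"""Audit SSSD credential-caching settings (added example, not SSSD code)."""
import configparser
import os
import stat
import tempfile

# Constructed sample: offline logins on, cached hashes never expire, and the
# krb5-only keyring store switched on for an LDAP auth provider, where it has
# no effect and only invites questions from reviewers.
WEAK_CONF = """
[sssd]
services = nss, pam
domains = LDAP

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
cache_credentials = True
krb5_store_password_if_offline = True
"""

# Constructed sample: same backend, cached hashes expire after 7 days of
# offline use, offline guessing is rate-limited, keyring store left off.
HARDENED_CONF = """
[sssd]
services = nss, pam
domains = LDAP

[pam]
offline_credentials_expiration = 7
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
cache_credentials = True
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_caching(text):
    """Return (severity, message) findings for the caching-related options."""
    cp = _parse(text)
    findings = []
    # sssd.conf(5): 0 (the default) means cached credentials never expire.
    expiry = cp.getint("pam", "offline_credentials_expiration", fallback=0)
    for sec in (s for s in cp.sections() if s.startswith("domain/")):
        if not cp.getboolean(sec, "cache_credentials", fallback=False):
            findings.append(("info", f"{sec}: offline logins disabled, nothing is cached"))
            continue
        if expiry == 0:
            findings.append(("high", f"{sec}: cached hashes never expire; "
                             "set [pam] offline_credentials_expiration"))
        # auth_provider defaults to id_provider when not set explicitly.
        auth = cp.get(sec, "auth_provider", fallback=cp.get(sec, "id_provider", fallback=""))
        store = cp.getboolean(sec, "krb5_store_password_if_offline", fallback=False)
        if store and auth != "krb5":
            findings.append(("medium", f"{sec}: krb5_store_password_if_offline has no effect "
                             f"with auth_provider={auth}; remove it"))
        elif store:
            findings.append(("info", f"{sec}: cleartext password is held in the kernel keyring "
                             "until a TGT is obtained"))
    # sssd.conf(5): 0 (the default) means no limit on failed offline attempts.
    if cp.getint("pam", "offline_failed_login_attempts", fallback=0) == 0:
        findings.append(("low", "[pam] offline_failed_login_attempts = 0: unlimited offline "
                         "guesses against the cached hash"))
    return findings


def cache_db_is_private(path):
    """True when the cache .ldb at `path` is a regular file with no group/other bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo_perm_check(mode):
    """Create a throwaway file with `mode` and run the permission check on it."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return cache_db_is_private(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for sev, msg in audit_caching(conf) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
    print("0600 private:", demo_perm_check(0o600), "| 0644 private:", demo_perm_check(0o644))
```

To use this on a real host, run it as root and feed audit_caching() the contents of /etc/sssd/sssd.conf, then call cache_db_is_private() on each /var/lib/sss/db/cache_<domain>.ldb (path assumed); the bounded expiry and failed-attempt limit are what turn "root can brute-force the hash" into a time-boxed exposure rather than a permanent one.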
On 8/9/18 11:50 AM, q8ztvkkd@posteo.de wrote:
We are deploying SSSD for authentication with an LDAP backend, and we are getting pushback from our Security colleagues about using SSSD to cache user credentials..
I would like to have some documentation to show them how this cache is kept secure...where can I find information to support this?
The sssd developers can answer the technical details in a much better way.
But I'd recommend to consider your real requirements:
My customer is running sssd on ~15000 servers in various data centers (backed by a user management based on OpenLDAP).
The admins are telling me that for them password caching is not useful at all. Because e.g. if the network is down they cannot access the hosts anyway and are just lurking in a telco until the network guys have fixed the issue.
And even if they can access their hosts, it's very unlikely that the admin on duty has used his password on an automatically installed host before. So enabling password caching does not help in this case either.
Thus for me the only reasonable use case for password caching is user login on normal laptops, so they can log in again later while being offline during travel.
Of course YMMV especially since you did not mention details about your deployment. The above is just meant as food-for-thought.
Ciao, Michael.