- SSSD does not support getspnam() calls, hence getent shadow returns nothing for LDAP (or other backend) users served via SSSD. More info: Red Hat Bugzilla.
- SSSD always returns an asterisk (*) in the password field. Looking at the source, it is hardcoded to *, but it can be overridden via the 'pwfield' parameter in the [nss] section: https://git.fedorahosted.org/cgit/sssd.git/tree/src/responder/nss/nsssrv.c#n52
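Added example (not from the post or from the SSSD project): a small audit helper that reports the effective 'pwfield' of an sssd.conf, i.e. the placeholder SSSD puts in the password column for its users, and a check that a passwd line carries a placeholder rather than a hash. The sample config is constructed here; the parsing rules (sections, '#'/';' comments, default '*') are assumptions about the file format, not taken from the SSSD source.

```sh
#!/bin/sh
# Print the effective 'pwfield' from an sssd.conf: the value set under [nss],
# or the hardcoded default '*' when [nss] sets none. A 'pwfield' in any other
# section is ignored. Usage: sssd_pwfield /etc/sssd/sssd.conf
sssd_pwfield() {
    awk '
        # Track the current [section] name, stripping brackets and whitespace.
        /^[[:space:]]*\[/ { section = $0
                            sub(/^[[:space:]]*\[/, "", section)
                            sub(/\].*$/, "", section)
                            next }
        # Skip comment lines (assumed: sssd.conf accepts # and ;).
        /^[[:space:]]*[#;]/ { next }
        # Only a pwfield under [nss] counts; a later assignment wins.
        section == "nss" && /^[[:space:]]*pwfield[[:space:]]*=/ {
            found = 1
            value = $0
            sub(/^[^=]*=[[:space:]]*/, "", value)
            sub(/[[:space:]]+$/, "", value)
        }
        END { if (!found) value = "*"; print value }
    ' "$1"
}

# Exit 0 if the password column of a passwd(5) line is a placeholder that
# crypt(3) cannot match (empty, *, !, !! or x), 1 if it is anything else.
# Intended for lines from: getent passwd USER
passwd_field_is_placeholder() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        ''|'*'|'!'|'!!'|'x') return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample config (not a real deployment): a decoy pwfield in
# [pam] must be ignored, the one in [nss] is the effective value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
services = nss, pam
domains = example

[pam]
pwfield = decoy

[nss]
; comment line
pwfield = x
EOF
echo "effective pwfield: $(sssd_pwfield "$sample")"
rm -f "$sample"
```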
Quoted text from this link, explaining how SSSD caches password info:
One of the reasons people used to use the shadow map was to expose the encrypted password so that cached passwords were available for all users. Our mechanism for caching passwords is different. We don't acquire the user's password from LDAP and then authenticate locally. Instead, we communicate with LDAP or Kerberos and ask it whether the provided password authenticates correctly. If it does, we hash the password locally and then it can be used for offline authentication when the authentication server is unreachable. So with SSSD, cached passwords only work for users that have logged in at least once previously. This significantly reduces the vulnerability to offline dictionary attacks on arbitrary users. (Which was a serious problem with shadow map passwords).