Return
-
Title
How and where does QAS store Active Directory passwords for disconnected user authentications? -
Description
How and where does QAS store Active Directory passwords for disconnected user authentications?
-
Resolution
Standard disconnected mode
No passwords are stored by the client. Instead, it stores a SHA1 salted hash of the password in a root-only readable file, in a root-only readable directory (the hash is stored/updated whenever the user does a logon when AD is available).
When in disconnected mode, after 30 consecutive incorrect attempts against the hash the hash is securely removed (Overwritten with zeros and then deleted).You can view the stored hashes of user passwords by running the following command as root:
# /opt/quest/libexec/vas/sqlite3 /var/opt/quest/vas/authcache/vas_auth.vdb "select * from authcache"
Users configured for "permanent disconnected" mode
This treats the User as a Service, and acquires a ticket for the host/ object to access that service, with the minimum lifetime (2 minutes), and stores that in a root-only credential cache. When a user tries to log on and AD is unavailable, QAS uses the password to generate an arcfour key, which is used to attempt to decrypt the encrypted portion of the ticket, if it decrypts and validates, then QAS allows the user access. -
Additional Information
The 30 incorrect attempts can be configured in vas.conf. In older versions of QAS this value defaulted to 5. Also, although by default cached credentials never expire an expiration period can be set as well. These are the relevant vas.conf options.
password-cache-age = <integer (days)>
Default value: 0QAS allows disconnected mode authentication with locally cached password hashes. These hashes are cached anytime a user logs in, but they are only good for a limited amount of time. Every 24
hours vasd will check all hashes in the authentication cache. If any of these hashes have a time stamp older than the password-cache-age, they are removed from the authentication cache and
disconnected authentication will fail for that user. The password-cache age is specified in days. For example, to change the password-cache age to 5 days, change the option as follows:[vas_auth]
password-cache-age = 5
bad-password-max = <integer>
Default value: 5When QAS handles disconnected authentication, it enforces its own internal password policy on invalid login attempts in order to prevent brute-force attacks on passwords in disconnected mode. If
a user has the configured number of consecutive failed login attempts, then the QAS authentication modules will delete their cached authentication credentials. This will completely disable
disconnected authentication for the given user. This option applies to both normal disconnected authentication and persistent disconnected authentication. To set the maximum number of invalid
authentication attempts to 10, do the following:[vas_auth]
bad-password-max =10