How can I stop the caching of passwords?

General support questions
Post Reply
thefng
Posts: 1
Joined: 2020/06/29 20:19:42

How can I stop the caching of passwords?

Post by thefng » 2020/07/01 17:08:26

Environment: CentOS Linux release 7.5.1804 (Core) / domain-joined using PBIS to Windows domain
Goal: The goal is to prevent the caching of domain credentials (however they're stored). We will still maintain one or two local accounts that are cached, in the event offline administration is necessary.

I am at a loss. I am not experienced with CentOS or Linux in general, so I'm fumbling my way around.

authconfig --test shows

Code: Select all

caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "SAMBA"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
myhostname is enabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = "our.domain.corp"
 krb5 realm via dns is disabled
 krb5 kdc = ""
 krb5 kdc via dns is enabled
 krb5 admin server = ""
pam_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = ""
 LDAP base DN = ""
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
SSSD smartcard support is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = "SAMBA"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_faillock is enabled (audit deny=5 unlock_time=900)
pam_mkhomedir or pam_oddjob_mkhomedir is disabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
The top line says caching is disabled, but further down, it says credential caching in SSSD is enabled. I attempted to alter/clear the SSSD cache with variants of the sss_cache command, but I'm met with "-bash: sss_cache: command not found". So I checked to see if the service was running with service sssd status, but I was met with "Unit sssd.service could not be found."

From that point I moved on to PBIS. I saw there's a PBIS config entry for CacheEntryExpiry. It was set to the default value of 14400 (seconds), so I set it to 5, logged off, waited a few minutes, rebooted the entire OS, and (with the NIC disconnected) was able to successfully log on with my domain credentials.

What piece(s) am I missing?

tunk
Posts: 726
Joined: 2017/02/22 15:08:17

Re: How can I stop the caching of passwords?

Post by tunk » 2020/07/02 09:50:20

Don't know what your problem is, but you may want to upgrade to 7.8.
7.5 has 1.5-2 years of accumulated security problems.

Post Reply

Return to “CentOS 7 - General Support”