Cross-platform Password Management?
Martin Blank writes "I work in a NOC, and one of the debates you will find in any strongly-mixed environment like this is preferred OS. We have people who prefer Windows, some who like Linux, and some who do almost everything on Solaris boxes. However, this also means that much software is not available over all three. With all of the servers, routers, and various other protected systems we have, the sheer quantity of passwords is mind-bogglingly difficult to keep track of in a secure fashion. Are there any packages out there right now running on at least Windows and Linux, and preferably also Solaris, that can access a central password file?"
Create a box running Apache SSL and have it firewalled / protected like crazy and locked down with LIDS or the NSA patches to Linux. Use this box as the "password server" and have access to each and every password logged. And have each NOC employee be part of access groups that say "router access" or "colo access" or something so they can ONLY access data available for their group.
On the logging tables in the database, make sure they aren't readable or writeable by the web-user. They should only allow INSERT queries.
This might be the best way.
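An added illustration of the two controls this post describes (group-scoped access to stored passwords, and an audit table the web user can only INSERT into). This is example code, not from the original thread; SQLite has no GRANT, so the INSERT-only rule is emulated with triggers, and the schema, sample staff and helper names are assumptions.

```python
import sqlite3

# Constructed sample data: NOC staff with their access groups, and the
# group each stored credential belongs to.
STAFF_GROUPS = {"alice": {"router access"}, "bob": {"colo access", "router access"}}
CREDENTIALS = [("core-rtr-1", "router access", "r0ut3r-secret"),
               ("colo-cage-door", "colo access", "c0l0-secret")]

def build_db():
    """Create an in-memory vault whose audit log is append-only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE credentials (name TEXT PRIMARY KEY, grp TEXT, secret TEXT);
        CREATE TABLE access_log (ts DATETIME DEFAULT CURRENT_TIMESTAMP,
                                 who TEXT, name TEXT, allowed INTEGER);
        -- Stand-in for 'INSERT only' privileges: abort any UPDATE or DELETE.
        CREATE TRIGGER log_no_update BEFORE UPDATE ON access_log
            BEGIN SELECT RAISE(ABORT, 'access_log is append-only'); END;
        CREATE TRIGGER log_no_delete BEFORE DELETE ON access_log
            BEGIN SELECT RAISE(ABORT, 'access_log is append-only'); END;
    """)
    db.executemany("INSERT INTO credentials VALUES (?, ?, ?)", CREDENTIALS)
    return db

def fetch_password(db, who, name):
    """Return the secret only if `who` is in the credential's group; log every attempt."""
    row = db.execute("SELECT grp, secret FROM credentials WHERE name = ?", (name,)).fetchone()
    allowed = row is not None and row[0] in STAFF_GROUPS.get(who, set())
    db.execute("INSERT INTO access_log (who, name, allowed) VALUES (?, ?, ?)",
               (who, name, int(allowed)))
    db.commit()
    return row[1] if allowed else None

def log_is_tamper_resistant(db):
    """True if attempts to alter or erase log rows are refused by the triggers."""
    db.execute("INSERT INTO access_log (who, name, allowed) VALUES ('probe', 'probe', 0)")
    for stmt in ("DELETE FROM access_log", "UPDATE access_log SET allowed = 1"):
        try:
            db.execute(stmt)
            return False          # the statement went through: log is writable
        except sqlite3.DatabaseError:
            pass                  # trigger fired, as intended
    db.rollback()
    return True
```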
Have you looked into using smartcard technology?
I realise it isn't very practical adding smart card readers to every machine... but I'm just starting to look into smartcards on *nix and the MUSCLE project seems to suggest that you can roll smartcard verification into your login procedure.
http://www.linuxnet.com/apps.html
I'm just psyched that I got my Citibank serial port smartcard reader up and running under the pcscd smart card daemon. Now I can play around with this very idea.
-jef
If you have an existing *nix net Samba would probably be the way to go.
Other benefits include a centralized "share" so all your machines could easily mount the same drives, and centralized printing (you don't need Samba for this unless your network prints from the Windows network). Check it out; the new versions also support encrypted passwords...
Just my 2 cents.
In the past I have very successfully used PGP for password management. I set up a shared fileserver (in our case it was an NT server, but it could easily be Samba or NFS), then created a text file with all the passwords in it, encrypted against everyone's public key. All users were then able to access these since PGP was (and still is) available on multiple platforms.
I think Pat Jensen has really got some good advice here. At SST, we're slowly moving to a "universal login" system for our Web sites. There are about 5 internal & external sites, each requiring different usernames & passwords. Our solution is to set up a MySQL database with login data and nothing more, and then each Web site will check for a cookie (MD5 hash with IP addy, so the cookie is difficult to spoof). Since all our sites operate under sst.com, they should all be able to view the cookie and verify it.
However, and as an inevitable side-effect, people are now asking why we can't use that same system for NT logins and Outlook and yadda yadda. If we had chosen LDAP, this would have solved the issue, as LDAP can be plugged into a bit more than MySQL can. We will still do this, it just means we have to revise, revise, revise. I have yet to look into how well PHP and ASP support LDAP, and just how much LDAP can do, but it appears to be much more in line with our needs. Can anyone speak definitively about what PHP and ASP and NT and Outlook can do with LDAP?
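An added example, not from the original post, contrasting the cookie scheme described above with a keyed version. An unkeyed MD5 over the client IP can be recomputed by anyone who knows the inputs, so it identifies but does not authenticate; an HMAC with a key held only by the sst.com servers cannot be recomputed without that key. The key, cookie layout and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key. In practice it is generated once and shared
# only among the web servers that must verify the cookie.
SERVER_KEY = secrets.token_bytes(32)

def unkeyed_cookie(username, ip):
    """The scheme as described: an MD5 digest over username and client IP.
    No secret is involved, so any party knowing (username, ip) gets the same value."""
    return hashlib.md5(f"{username}|{ip}".encode()).hexdigest()

def keyed_cookie(username, ip, key=SERVER_KEY):
    """Hardened form: readable payload plus an HMAC-SHA256 tag over it.
    The tag binds the cookie to the IP and cannot be produced without the key."""
    if "|" in username or "|" in ip:
        raise ValueError("separator character not allowed in cookie fields")
    tag = hmac.new(key, f"{username}|{ip}".encode(), hashlib.sha256).hexdigest()
    return f"{username}|{ip}|{tag}"

def verify_cookie(cookie, request_ip, key=SERVER_KEY):
    """Return the username if the tag is valid and the IP still matches, else None."""
    try:
        username, ip, tag = cookie.split("|")
    except ValueError:
        return None                     # malformed cookie
    if ip != request_ip:
        return None                     # presented from a different address
    expected = hmac.new(key, f"{username}|{ip}".encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences
    return username if hmac.compare_digest(tag, expected) else None
```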
And how do you propose to keep the database entries secure? If you attempt to encrypt the database, you have to store a decryption token for that somewhere, which leaves you back at sharing that with everyone, or writing it down on a sticky next to your monitor. You can't hash a traditional database, because you can't authenticate against it in most cases, especially not when we're talking about trying to secure an enterprise wide solution (or even possibly larger).
Single Sign On isn't the answer either -- if people know the password, then someone else can figure it out, and having the same password for every resource then leaves your enterprise in the same state it was before. Imagine your Network/Server Architect out at a bar getting liquored up one night, and then tell me that one password for all your devices is a good idea.
The **BEST** solution is something like a SecurID token -- you take something you know (a PIN) and combine it with something you have (a 6 digit random number provided w/ your SecurID token) to create a one-time use password. If someone has your token, they still need to know your PIN, and if they have your PIN they still need your token.
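An added example of the two-factor idea in this post: a passcode made of a PIN (something you know) and a 6-digit code from a token (something you have), accepted once per time step. This is not the original post's code and does not use RSA's proprietary SecurID algorithm; it uses the open HOTP/TOTP construction (RFC 4226/6238) to show the same property. The seed, PIN and class names are constructed assumptions.

```python
import hashlib
import hmac
import struct
import time

TOKEN_SECRET = b"example-token-seed-0001"   # constructed; lives in the token and on the auth server
STEP_SECONDS = 60

def token_code(secret, t, step=STEP_SECONDS, digits=6):
    """6-digit code the token would display at time t (HOTP over the time counter)."""
    counter = int(t) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class TokenAuthenticator:
    """Server side: holds each user's PIN hash and token seed, remembers accepted codes."""
    def __init__(self, users):
        self.users = users        # username -> (pin_hash, seed)
        self.used = set()         # (username, counter) pairs already accepted

    @staticmethod
    def pin_hash(pin):
        return hashlib.sha256(pin.encode()).hexdigest()

    def verify(self, username, passcode, now=None):
        """passcode = PIN followed by the 6-digit token code; valid once per time step."""
        now = time.time() if now is None else now
        if username not in self.users or len(passcode) < 7:
            return False
        pin_hash, seed = self.users[username]
        pin, code = passcode[:-6], passcode[-6:]
        if not hmac.compare_digest(self.pin_hash(pin), pin_hash):
            return False                     # wrong PIN: the token alone is useless
        counter = int(now) // STEP_SECONDS
        if (username, counter) in self.used:
            return False                     # one-time use: replay within the step rejected
        if not hmac.compare_digest(code, token_code(seed, now)):
            return False                     # wrong code: the PIN alone is useless
        self.used.add((username, counter))
        return True
```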
I see many folks saying to stick with just kerberos, or just LDAP or even Active Directory. I work at a largish university and had to come up with a roll your own solution a while back mainly due to political reasons (the NT group would only use Active Directory, the UNIX guys wanted Kerberos, the dialup used Cisco Secure, other systems stored digested passwords in an oracle table, some things required LDAP, etc., etc.) What we decided on, and what I wound up writing was a bunch of perl code to synchronize ALL of these different schemes. We have upwards of 50k users, and we've been using this for 3 years now with no problems.
Then again, this is a university where we basically provide services that faculty request and we don't have the luxury of not using software x because it uses authentication scheme y and we only support authentication scheme z. If you have a situation like this, it isn't that difficult to come up with the glue you need.
Well, get 1 thumb scanner, one retina scanner, get both systems to generate one signature and find a creative way of mixing the numbers (Prime Exponential is good 8)
...(actually seen at the workplace... Pass server down. Please have a cup of coffee 8)
If this third number corresponds, give access.
Retina + thumb scan supported under Linux (Unixes) and Windows.
Just a bit steep on the budget part, but damn efficient.
Oh yes. Get at least TWO redundant password / verification servers, if possible one offsite.
Why? Guess 8) A whole company unable to connect because one poor server went dead.
Password management like this is a nightmare. Some of the options suggested (LDAP, SecurID etc) rely upon the system you are accessing being able to talk to an external authentication system of some sort.... which means you're up a certain creek in a chickenwire canoe if that facility isn't working.
SSH with RSA keys. Change the management problem into the simpler (and more scalable) one of managing RSA public keys on the boxes (which can be automated).
Job jobbed.
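An added example, not from the original post, of the "manage public keys instead of passwords" approach: a central roster of users, keys and host groups is rendered into each host's authorized_keys file, and the difference against what is currently installed tells the automation which keys to add and which to revoke. The roster, placeholder key strings and function names are constructed assumptions.

```python
# Constructed roster: placeholder key strings, not real public keys.
USERS = {
    "alice": {"key": "ssh-rsa AAAA...alice", "groups": {"routers", "colo"}},
    "bob":   {"key": "ssh-rsa AAAA...bob",   "groups": {"colo"}},
    "carol": {"key": "ssh-rsa AAAA...carol", "groups": set()},   # access revoked
}
HOSTS = {"rtr-mgmt-1": "routers", "colo-jump-1": "colo"}        # host -> group it serves

def authorized_keys_for(host, users=USERS, hosts=HOSTS):
    """Render the authorized_keys file for one host from the central roster."""
    group = hosts[host]
    lines = []
    for name in sorted(users):
        user = users[name]
        if group in user["groups"]:
            # Options restrict what the key may do; the trailing comment records
            # the person for the audit trail on the box.
            lines.append(f'no-port-forwarding,no-agent-forwarding {user["key"]} {name}@noc')
    return "\n".join(lines) + "\n"

def parse_keys(text):
    """Return the set of (keytype, keydata) pairs in an authorized_keys file; options ignored."""
    keys = set()
    for line in text.splitlines():
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.startswith("ssh-") and i + 1 < len(parts):
                keys.add((tok, parts[i + 1]))
                break
    return keys

def plan_changes(host, installed_text, users=USERS, hosts=HOSTS):
    """Keys to add and keys to remove to bring a host in line with the roster."""
    wanted = parse_keys(authorized_keys_for(host, users, hosts))
    have = parse_keys(installed_text)
    return wanted - have, have - wanted
```

Running `plan_changes` for every host on a schedule is the automation the post refers to: a revoked user disappears from the roster once and the next run removes the key everywhere.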
Even if you can control the logins on the major operating systems, your users will still encounter other passwords everywhere. I think rather than trying to control the uncontrollable, a better solution is to get them Palm Pilots with encrypting password managers.
NIS is your friend. LDAP could be your friend as well, but the adoption of NIS by the major unices, and its strong connection with NFS, make it an ideal solution for one login/passwd for multi-server authentication, and email.
We used to authenticate via NIS+ (before we were purchased and told we were going to LDAP, still waiting after three years, but that's another story...) and I loved it! We were a prepress company with 6 separate locations and several dozen servers scattered throughout the enterprise serving AppleTalk, email, home directories, and data collection. No matter which location you were at, you could use your single login/passwd to log in to any other server, mount your home dir, and go about your business.
It took a bit of end user training (users wanting to save their mail on local drives instead of home directories, among other issues) but it was well adopted, and easy to maintain through Sun's Solstice frontend.
The environment was heterogeneous (Solaris, AIX, IRIX, Linux, NT, Macintosh) and all machines authenticated nicely, with the exception of earlier Windows machines. Had we deployed Samba we would have had an easier time.
Beware the difference between NIS and NIS+: NIS+ was Sun's "updated" version of NIS. NIS is far more open and friendlier than NIS+... the IRIX and Linux boxes preferred plain NIS.
The best benefit was the ease of administering the end users. One entry change propagated through all machines... no more rushing from box to box when someone was getting canned. User can't remember email and filesharing password? No problem.
Want to migrate to LDAP because NIS doesn't have everything you need? No problem with that too, tools exist for easy migration.
This is what I do for a living...full time.
First, you need a repository for all the authentication and authorization info. Novell eDirectory is the best choice for many reasons. One of the best reasons is because eDirectory can store information that not even the directory admin can access....it's possible to build system that the admin can't compromise.
Second, you need a variety of ways to access this information. The common ones are PAM modules, direct LDAP calls, redirection modules, NIS redirection, RADIUS, RACF, TACACS+, screen scraping/keyboard stuffing, SecurID interface, and biometric interfaces.
Third, you need a way to synchronize with legacy systems that can't be bypassed using one of the above methods. DirXML is one of the best ways to make this happen.
JC
JWCOMBS@LDAPEXPERTS.COM
Use a phrase to generate a suitable password. Try and use a phrase that has something to do with the system. For example, a server at a company office. "This building has 8 floors and 3 elevators" could generate "tbh8fa3e". Not bad. We can improve it by adding caps and some substitution: "TBh8f&3e". Now we have a password with mixed case, alphanumerics, and non-alphanumeric characters with a random appearance. And it has meaning to the user in the form of a phrase that can be remembered and repeated to regenerate the password.