Slashdot Mirror


Cross-platform Password Management?

Martin Blank writes "I work in a NOC, and one of the debates you will find in any strongly-mixed environment like this is preferred OS. We have people who prefer Windows, some who like Linux, and some who do almost everything on Solaris boxes. However, this also means that much software is not available over all three. With all of the servers, routers, and various other protected systems we have, the sheer quantity of passwords is mind-bogglingly difficult to keep track of in a secure fashion. Are there any packages out there right now running on at least Windows and Linux, and preferably also Solaris, that can access a central password file?"

10 of 318 comments

  1. The best method might be simple ... by x-empt · · Score: 4, Interesting

    Create a box running Apache SSL and have it firewalled / protected like crazy and locked down with LIDS or the NSA patches to Linux. Use this box as the "password server" and have access to each and every password logged. And have each NOC employee be part of access groups that say "router access" or "colo access" or something so they can ONLY access data available for their group.

    On the logging tables in the database, make sure they aren't readable or writeable by the web-user. They should only allow INSERT queries.

    This might be the best way.

    x

    --
    Ever need an online dictionary?
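
The design in the comment above (group-scoped access, every lookup logged, a log that can only be appended to), as an added sketch that is not the poster's code. It assumes SQLite, whose triggers stand in here for the database grants the comment describes (INSERT only for the web user); the table names, secret names and values are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE secrets (name TEXT PRIMARY KEY, grp TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE access_log (
    ts TEXT DEFAULT CURRENT_TIMESTAMP, user TEXT NOT NULL,
    secret TEXT NOT NULL, granted INTEGER NOT NULL);
-- Stand-in for "web user has INSERT only": refuse UPDATE and DELETE on the log.
CREATE TRIGGER log_no_update BEFORE UPDATE ON access_log
BEGIN SELECT RAISE(ABORT, 'access_log is append-only'); END;
CREATE TRIGGER log_no_delete BEFORE DELETE ON access_log
BEGIN SELECT RAISE(ABORT, 'access_log is append-only'); END;
"""

def open_store():
    """In-memory store with two constructed entries, one per access group."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO secrets VALUES (?, ?, ?)", [
        ("core-router-1", "router access", "constructed-value-1"),
        ("colo-kvm", "colo access", "constructed-value-2")])
    conn.commit()
    return conn

def fetch_secret(conn, user, user_groups, name):
    """Return the secret only if the user's groups cover it; log every attempt."""
    row = conn.execute("SELECT grp, value FROM secrets WHERE name = ?",
                       (name,)).fetchone()
    granted = row is not None and row[0] in user_groups
    conn.execute("INSERT INTO access_log (user, secret, granted) VALUES (?, ?, ?)",
                 (user, name, int(granted)))
    conn.commit()
    return row[1] if granted else None

def log_rows(conn):
    return conn.execute(
        "SELECT user, secret, granted FROM access_log ORDER BY rowid").fetchall()

def log_is_append_only(conn):
    """True if both DELETE and UPDATE on the log are rejected (needs >= 1 row)."""
    for stmt in ("DELETE FROM access_log", "UPDATE access_log SET granted = 1"):
        try:
            conn.execute(stmt)
            conn.rollback()
            return False
        except sqlite3.DatabaseError:
            conn.rollback()
    return True
```
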
  2. Smartcard systems? by jspaleta · · Score: 3, Interesting

    Have you looked into using smartcard technology?
    I realise it isn't very practical adding smart card readers to every machine..but I'm just starting to look into smartcards on *nix and the MUSCLE project seems to suggest that you can roll smartcard verification into your login procedure.
    http://www.linuxnet.com/apps.html

    I'm just psyched that I got my Citibank serial port smartcard reader up and running under the pcscd smart card daemon. Now I can play around with this very idea.

    -jef

    1. Re:Smartcard systems? by jspaleta · · Score: 3, Interesting

      the project name is about as relevant as the misnamed linuxprinting.org website

      read the MUSCLE front page
      http://www.linuxnet.com/

      Linux is the targeted development platform....but the goal is to have a framework portable across the unix based OSes: Linux, MacOS X and Solaris are all mentioned right up front....they even offer binaries for Solaris 8 on sparc for the base pcsc software.

      The license for the pcsc-lite package that they offer is a BSD variant I believe....perfect for a reference implementation across ALL the unix based OSes out there.

      I think the Windows world already has a large collection of cardreader software supplied by vendors...so taking care of the Windows boxen would probably not need any software like this at all..since you probably get the card reader software for Windows with the device.

      -jef

    2. Re:Smartcard systems? by jspaleta · · Score: 3, Interesting

      I've looked at the keychain usb devices before...but I thought that market was moving towards portable data storage with ~100MB type storage...and not something meant primarily for small file storage like password storage.

      And are those usb devices supported on Solaris?

      I think smartcard/usb-keychain decisions come down to price-feature ratio. If you want real portable storage for files and what not the usb devices are the way to go...if you just want to keep passwords or cryptokeys/sigs then smartcards might be cheaper to implement.

      I'd also be concerned about support for the usb devices on the Unixes...
      But I haven't seriously looked into it...since I don't have a real need for this stuff personally.
      My Citibank smartcard reader was FREE, so getting it working under Linux was a nice bonus.

      -jef

  3. PGP by eyeball · · Score: 3, Interesting

    In the past I have very successfully used PGP for password management. I set up a shared fileserver (in our case it was an NT server, but it could easily be Samba or NFS), then create a text file with all the passwords in it, encrypted against everyone's public key. All users were then able to access these since PGP was (and still is) available on multiple platforms.

    --

    _______
    2B1ASK1
  4. Re:LDAP by Anthony Boyd · · Score: 5, Interesting

    LDAP is very scalable with an extensible schema, and can provide support for more than usernames and passwords.

    I think Pat Jensen has really got some good advice here. At SST, we're slowly moving to a "universal login" system for our Web sites. There are about 5 internal & external sites, each requiring different usernames & passwords. Our solution is to set up a MySQL database with login data and nothing more, and then each Web site will check for a cookie (MD5 hash with IP addy, so the cookie is difficult to spoof). Since all our sites operate under sst.com, they should all be able to view the cookie and verify it.

    However, and as an inevitable side-effect, people are now asking why we can't use that same system for NT logins and Outlook and yadda yadda. If we had chosen LDAP, this would have solved the issue, as LDAP can be plugged into a bit more than MySQL can. We will still do this, it just means we have to revise, revise, revise. I have yet to look into how well PHP and ASP support LDAP, and just how much LDAP can do, but it appears to be much more in line with our needs. Can anyone speak definitively about what PHP and ASP and NT and Outlook can do with LDAP?
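
The comment above does not say what goes into the MD5 besides the IP address. This added example (not the poster's code) shows why a shared login cookie needs a server-side secret: a plain hash of username and IP can be recomputed by anyone who knows the recipe, while an HMAC with an expiry cannot be minted without the key. The key, field layout and function names are assumptions made for the illustration.

```python
import hashlib
import hmac

# Assumption: a secret held only by the sites that verify the cookie (constructed value).
SERVER_KEY = b"constructed-demo-key"

def md5_cookie(user, ip):
    """Unkeyed form: no secret involved, so the value is reproducible by anyone."""
    return user + ":" + hashlib.md5(f"{user}|{ip}".encode()).hexdigest()

def _tag(user, ip, expires):
    msg = f"{user}|{ip}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue(user, ip, now, ttl=3600):
    """Keyed form: user, expiry and an HMAC-SHA256 tag bound to the client IP."""
    if "|" in user:
        raise ValueError("separator not allowed in user name")
    expires = int(now) + ttl
    return f"{user}|{expires}|{_tag(user, ip, expires)}"

def verify(cookie, ip, now):
    """Return the user name if the cookie is authentic, unexpired and from this IP."""
    try:
        user, expires, tag = cookie.split("|")
        expires = int(expires)
    except ValueError:
        return None  # wrong number of fields or non-numeric expiry
    expected = _tag(user, ip, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return user if now < expires else None
```
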

  5. good luck by Chundra · · Score: 5, Interesting

    I see many folks saying to stick with just Kerberos, or just LDAP or even Active Directory. I work at a largish university and had to come up with a roll-your-own solution a while back mainly due to political reasons (the NT group would only use Active Directory, the UNIX guys wanted Kerberos, the dialup used Cisco Secure, other systems stored digested passwords in an Oracle table, some things required LDAP, etc., etc.) What we decided on, and what I wound up writing, was a bunch of Perl code to synchronize ALL of these different schemes. We have upwards of 50k users, and we've been using this for 3 years now with no problems.

    Then again, this is a university where we basically provide services that faculty request and we don't have the luxury of not using software x because it uses authentication scheme y and we only support authentication scheme z. If you have a situation like this, it isn't that difficult to come up with the glue you need.

  6. Don't use passwords.... by Llanfairpwllgwyngyll · · Score: 4, Interesting

    Password management like this is a nightmare. Some of the options suggested (LDAP, SecurID etc) rely upon the system you are accessing being able to talk to an external authentication system of some sort.... which means you're up a certain creek in a chickenwire canoe if that facility isn't working.

    SSH with RSA keys. Change the management problem into the simpler (and more scalable) one of managing RSA public keys on the boxes (which can be automated).

    Job jobbed.
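
One way the automation mentioned in the comment above could look, as an added example that is not the poster's code: render each box's `authorized_keys` from a central inventory, skipping revoked users and users outside the box's access group. The inventory layout, group names and the toy key blobs are constructed assumptions; the check that the base64 blob names the same key type follows the SSH public key wire format.

```python
import base64
import struct

def wire_rsa(modulus: bytes) -> str:
    """Build a CONSTRUCTED ssh-rsa blob (toy modulus) so the example runs offline."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(modulus)).decode()

def parse_pubkey(line):
    """Split 'type base64 [comment]' and check the blob declares the same type.
    Lines carrying an options prefix or a corrupt blob raise ValueError."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("need key type and base64 blob")
    ktype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key type does not match blob")
    return ktype, b64

def render_authorized_keys(host_group, users):
    """Return the file body for a box in host_group; fails closed on a bad key."""
    out = []
    for u in sorted(users, key=lambda u: u["name"]):
        if u.get("revoked") or host_group not in u["groups"]:
            continue
        ktype, b64 = parse_pubkey(u["key"])
        if ktype != "ssh-rsa":  # the comment speaks of RSA keys only
            continue
        # Replace the user-supplied comment with the inventory name for auditing.
        out.append(f"{ktype} {b64} {u['name']}")
    return "".join(line + "\n" for line in out)

USERS = [  # constructed inventory
    {"name": "alice", "groups": {"router access"},
     "key": "ssh-rsa " + wire_rsa(b"\x00\xc0\xff\xee") + " alice@laptop"},
    {"name": "bob", "groups": {"router access", "colo access"},
     "key": "ssh-rsa " + wire_rsa(b"\x00\xbe\xef\x01") + " bob@desk"},
    {"name": "carol", "groups": {"router access"}, "revoked": True,
     "key": "ssh-rsa " + wire_rsa(b"\x00\xca\x40\x01")},
]
```
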

  7. it's a losing battle by mmusn · · Score: 3, Interesting

    Even if you can control the logins on the major operating systems, your users will still encounter other passwords everywhere. I think rather than trying to control the uncontrollable, a better solution is to get them Palm Pilots with encrypting password managers.

  8. The Passphrase Method by _Sprocket_ · · Score: 4, Interesting


    2.passwords should look like they were randomly generated (esp. no English words)

    ...

    ...there is no way I can memorize 10+ randomly generated strings. Aren't security experts being a little hypercritical?


    Use a phrase to generate a suitable password. Try and use a phrase that has something to do with the system. For example, a server at a company office. "This building has 8 floors and 3 elevators" could generate "tbh8fa3e". Not bad. We can improve it by adding caps and some substitution: "TBh8f&3e". Now we have a password with mixed case, alpha-numerics, and non-alpha-numeric characters with a random appearance. And it has meaning to the user in the form of a phrase that can be remembered and repeated to regenerate the password.