On Tue, 15 Jun 2004 04:56, andrew lattis <[EMAIL PROTECTED]> wrote:
> currently i've got an ever growing password list in a plain text file
> stored on an encrypted loopback fs, this is getting cumbersome...
>
> figaro's password manager (package fpm) looks nice and uses blowfish to
> encrypt data but i can't find anything showing any type of third party
> audit.
>
> what does everyone else use to keep track of all their passwords?

OS/X from Apple has a password manager program, it allows passwords to be made available to applications for certain time periods (not sure how this is supposed to work as the application could just write it to disk).

I think that an ideal password management scheme would be mediated by a SGID application (SGID so that it can access storage unavailable to regular user processes and so that it can't be ptraced). Password storage would be either in a file owned by the user that is mode 0600 under a mode 1770 system directory with group ownership being the group that the management program is SGID to, or a regular file in the home directory that is encrypted (requiring a password authentication for the first login of the day or something similar).

The password management system would need to have helpers for managing passwords that would be called by the application. For example there would be POP and IMAP helpers which would establish a connection to the mail server, authenticate, and then use a unix domain socket to pass the file handle for the TCP socket back to the calling application (so the MUA would never be able to recover the password).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
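
The descriptor hand-off described in the message above, as an added example that is not part of the original e-mail: a helper process authenticates to a mail server and returns the connected socket to the mail client over a Unix domain socket using `SCM_RIGHTS`. The names `pop_server`, `helper`, `mua` and `SECRET` are hypothetical; a socketpair and a simplified POP-like exchange stand in for the TCP connection and the real server, and `fork()` stands in for running a separate SGID helper binary, so only the contents of the channel are demonstrated here.

```python
import array, os, socket, struct

SECRET = b"constructed-pass"  # constructed sample password, used only by helper/server

def pop_server(sock):
    """Constructed, simplified POP-like server standing in for the mail server."""
    sock.sendall(b"+OK ready\r\n")
    ok = sock.recv(256) == b"PASS " + SECRET + b"\r\n"
    sock.sendall(b"+OK logged in\r\n" if ok else b"-ERR\r\n")
    if ok and sock.recv(256) == b"STAT\r\n":
        sock.sendall(b"+OK 2 320\r\n")

def helper(chan):
    """Separate process: authenticate, then pass only the descriptor back."""
    conn, srv = socket.socketpair()  # assumption: stands in for the TCP connection
    if os.fork() == 0:               # grandchild plays the mail server
        conn.close()
        chan.close()
        try:
            pop_server(srv)
        finally:
            os._exit(0)
    srv.close()
    conn.recv(256)                   # read the server greeting
    conn.sendall(b"PASS " + SECRET + b"\r\n")
    ok = conn.recv(256).startswith(b"+OK")
    anc = [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [conn.fileno()]))]
    chan.sendmsg([b"OK" if ok else b"FAIL"], anc if ok else [])  # no password sent

def mua():
    """Mail client: receives an authenticated socket, never the password."""
    chan, helper_chan = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        chan.close()
        try:
            helper(helper_chan)
        finally:
            os._exit(0)
    helper_chan.close()
    status, anc, _, _ = chan.recvmsg(16, socket.CMSG_LEN(struct.calcsize("i")))
    os.waitpid(pid, 0)
    if status != b"OK" or not anc or anc[0][1] != socket.SCM_RIGHTS:
        raise RuntimeError("helper could not authenticate")
    fd = struct.unpack("i", anc[0][2][:struct.calcsize("i")])[0]
    with socket.socket(fileno=fd) as conn:  # adopt the passed descriptor
        conn.sendall(b"STAT\r\n")
        return status, conn.recv(256)
```

`mua()` returns the status bytes that crossed the helper channel together with the server's reply to a command sent on the inherited connection.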