Hi, y'all -

Do auditors ever ask you how you manage privileged access for generic shared
accounts (root, Windows Domain Admin, etc.)? If the answer is "yes", read on.

I made a tool that solves the "root password in an envelope in a safe"
problem. It's called credmgr. It's still a bit rough around the edges but it
works nicely.

credmgr [0]:

  - generates a random password in memory (of configurable length and
    complexity)

  - generates hashes (salted, of course!) from that cleartext password (still
    in memory) in any hash format passlib supports, including BCrypt, PBKDF2,
    and SHA-512 - plus many [1] more.

  - shards the cleartext using Shamir sharing [2] so that the cleartext is
    recoverable by joining back together a configurable fraction of the shards

  - emails these shards to their respective shard-holders (encrypted to the
    shard-holder's individual gpg pubkey) along with contact details for the
    other shard holders and instructions for how to reassemble the cleartext

  - outputs all the requested password hash formats for deployment

I looked around and didn't see another tool like this but Murphy's Law says
I've just tried to build a better mousetrap. Anyway, I thought some of y'all
could use such a thing. Curious to hear feedback...

[0]: http://github.com/treyka/credmgr
[1]: http://packages.python.org/passlib/lib/passlib.hash.html
[2]: http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
Trey Darley - Principal
gpg fingerprint: C2AD E2A8 440C 8785 1958 B6DA 4176 9233 8F6D 8AF0
++--------------------------------------------------------------------------++
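The generate / hash / shard / rejoin pipeline the post describes, as an added example that is not credmgr's own code. It assumes a pure-Python Shamir split over the prime field GF(2**521 - 1), hashlib's PBKDF2-HMAC-SHA512 standing in for passlib, and a constructed `rounds$salt$digest` hash format; the gpg-encrypted e-mail step is left out.

```python
import hashlib
import secrets
import string

# Shamir field: 2**521 - 1 is prime, so secrets up to 65 bytes fit in one element.
PRIME = 2**521 - 1

def generate_password(length=24, alphabet=string.ascii_letters + string.digits + string.punctuation):
    return "".join(secrets.choice(alphabet) for _ in range(length))  # OS CSPRNG, not `random`

def pbkdf2_sha512_hash(password, salt=None, rounds=100_000):
    # Salted PBKDF2-HMAC-SHA512 stored as 'rounds$salt$digest' (hex); a constructed
    # format for this example, not passlib's modular-crypt encoding.
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${dk.hex()}"

def verify_hash(password, stored):
    rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return secrets.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

def _eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):  # Horner's rule mod PRIME
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, threshold, shares):
    # Shamir split: the secret is the constant term of a random polynomial of
    # degree threshold-1; share i is the point (i, f(i)).
    s = int.from_bytes(secret, "big")
    if not 2 <= threshold <= shares or s >= PRIME:
        raise ValueError("bad threshold or secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]

def join_shares(shares):
    # Lagrange interpolation at x = 0. Any `threshold` distinct shares recover the
    # secret; fewer give a random wrong value, not an error, so check the result
    # against the stored hash before trusting it.
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        s = (s + yi * num * pow(den, -1, PRIME)) % PRIME
    return s.to_bytes((s.bit_length() + 7) // 8, "big")  # a printable password never starts with NUL
```

The stored hash doubles as the check on a rejoined cleartext: `verify_hash(join_shares(subset).decode(), stored)` tells the shard-holders whether they assembled enough valid shards.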
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
 http://lopsa.org/