On Mon, 25 Jun 2012, Trey Darley wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi, y'all -
Do auditors ever ask you how you manage privileged access for generic shared
accounts (root, Windows Domain Admin, etc)? If the answer is "yes", read on.
I made a tool that solves the "root password in an envelope in a safe"
problem. It's called credmgr. It's still a bit rough around the edges but it
works nicely.
credmgr [0]:
- generates a random password in memory (of configurable length and
complexity)
- generates hashes (salted, of course!) from that cleartext password (still
in memory) in any hash format passlib supports, including BCrypt, PBKDF2,
and SHA-512 - plus many [1] more.
- shards the cleartext using Shamir sharing [2] so that the cleartext is
recoverable by joining back together a configurable fraction of the shards
- emails these shards to their respective shard-holders (encrypted to the
shard-holder's individual gpg pubkey) along with contact details for the
other shard holders and instructions for how to reassemble the cleartext
- outputs all the requested password hash formats for deployment
I looked around and didn't see another tool like this but Murphy's Law says
I've just tried to build a better mousetrap. Anyway, I thought some of y'all
could use such a thing. Curious to hear feedback...
[0]: http://github.com/treyka/credmgr
[1]: http://packages.python.org/passlib/lib/passlib.hash.html
[2]: http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
There are a few tools around for managing root passwords, the one I'm
currently using is Hitachi-ID Privileged Access Manager. It's very
flexible, and (in enterprise software terms) relatively cheap. The biggest
headache with it is that in an all-unix datacenter, hitachi-id requires
windows servers, however you can lock them down and block all network
traffic except what Hitachi needs (which does not include any of the
windows protocols, unless you use those protocols to manage passwords)
Quest also has a product that they acquired through e-dmz (I don't know its
current name), and there are a few others I've run across.
So far I think you are focusing on the wrong end of the problem.
You don't need to get that fancy when you are storing the password, either
you have a set of systems that you can trust to hold the passwords (or
fragments of the passwords), in which case you can do fairly simple
encryption of the passwords, or the same admins you are trying to protect
against have access to everything, and the only thing your complex scheme
is buying you is making it be more work to assemble the passwords.
The more important area for normal passwords is making the password
changes reliable.
This includes:
- automating password changes
- making sure that there is zero chance of a password getting changed and
the new password being lost (including replicating to multiple
geographically distributed machines so a fire can't take out your password
store)
- auditing passwords (i.e. is the hash still what you expect, or did someone
change it outside the system)
- auditing release of the password (who got the password when, and who
approved it)
- changing the password when the admin is done with it
- keeping a history of old passwords so that if you restore from backup you
can figure out what password you need to access the restored system
- bonus points if you can arrange ways for the admins to use the password
without actually seeing it (won't work for systems that are not on the
network, but there are various things you can do if the systems are
accessible)
The only part of this that is really tricky is the part where you make
sure that there is zero chance of a system crash or fire causing you to
end up with a password change that takes place without you having the
password available.
All that being said, there are times when you really do want to fragment
the password so that you have to have N of M people available to assemble
it, but such situations are really pretty rare. You may want to use
something like that for booting a password management system (assembling
an encryption key in memory that is used for everything else), but you
really don't want to have to go through that sort of hassle on any sort of
routine basis. (unless you are running a CA or something along those
lines)
David Lang
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/