RE: [PHP] Re: Password storage system

2003-08-08 Thread Daevid Vincent
Thanks, but I guess I forgot to mention it should be web-interface...
 
http://passwordms.sourceforge.net/index.php
For anyone wanting to look.

-----Original Message-----
> Try PMS: Password Management System. I believe it can be found on
> sourceforge.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Re: Password storage system

2003-08-07 Thread Chris W. Parker
> Daevid Vincent [EMAIL PROTECTED] wrote in message
> news:[EMAIL PROTECTED]
> I'm in search of an 'enterprise level' password storage system.

Try PMS: Password Management System. I believe it can be found on
sourceforge.


hth,
chris.




[PHP] Re: Password storage system

2003-08-06 Thread Sek-Mun Wong
(This is a bit off topic, but I thought it might be helpful to some developers;
it deals more with security concepts than PHP per se.)

I may be going out on a limb here, but I doubt you'll find something in the
GPL/open source domain.

We've built our own and it pretty much does what you've described (used to work
for a bank I did).

If I could help to put you on the right track in terms of design, what
you'll need is not just a password system; it sounds like you want an authority
system, with groups & roles. You really want to design a system that relies
on resource objects for authentication and authorisation. Also, to complete
the security jargon, encryption and non-repudiation (mostly means logging &
auditing).

If you want to look at something that W3C is working on, try SAML, the
security assertion markup lang... but it's in draft last time I looked, and
that deals with authority and authentication, and it's all markup-ish and
xml-ish of course ;-) There should be some tools based on SAML out there, I
haven't looked, possibly not in PHP though.

Back to building it: think of authentication not only as passwords;
there's PIN authentication, there's token authentication (one-use tokens or
multi-use tokens) and also digital certs, smart cards, RPGs (random
password/pin gens a la SafeWord), etc. (i.e., password types).

Then you need to ask, can a user with the right password access this
resource? Does he need a password AND a cert? Does this bank account need
two authorisers to sign off before you allow the money transfer?

Of course one-way crypt passwords are a must, but that's so simple it's a
given.

The above are just some things to think about before you embark on your quest
to find the solution :) And it really depends what you want to do and how
robust your solution needs to be.

I can give you a few pointers if you want to take the discussion offline and
email me.

Daevid Vincent [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
I'm in search of an 'enterprise level' password storage system.

I have looked at phpMyPass and it looks promising, but the demo doesn't seem
to have everything I want.
http://freshmeat.net/releases/127316/
While this one says v2.0
http://www.phpmypass.paniris.com/
Says 1.0 ??

I need it to be multiuser, have different security levels/access, encrypt
and decrypt on the fly (phpmypass has all the passwords in the rendered HTML
page :-( ), grouping of passwords (i.e. 'internal servers', websites, banks,
clients sites, personal, etc).

Ideally it should use mod_auth_mysql for security. The storage should be
encrypted so that even root can't see the passwords in the database without
the decryption key. Perhaps use a strong crypto algorithm for the important
fields, not just the pw.

I'd like to store: common name, url, username, pw, notes, incept date, last
mod date at least.

I could build this myself, or I could take phpMyPass and run with it, but I
thought I'd see if there were anything else out there before I build this.

http://daevid.com
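
The checks described in Sek-Mun Wong's message above (a password AND a cert, two authorisers signing off before a transfer, with logging for non-repudiation), as an added example that is not part of the original thread or of any project it mentions. It assumes PHP 8.1+; the Policy class, the authorise() function and the factor and role labels are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; Policy, authorise() and the factor/role labels are hypothetical.
final class Policy
{
    /** @param string[] $requiredFactors factor types that must ALL be verified */
    public function __construct(
        public readonly array $requiredFactors,
        public readonly int $minAuthorisers = 1,
        public readonly ?string $requiredRole = null,
    ) {}
}

/**
 * $approvals maps user id => ['roles' => string[], 'factors' => string[]], where
 * 'factors' lists the authentication types already verified for that user.
 * Every decision, allowed or denied, is appended to $audit.
 */
function authorise(Policy $policy, string $resource, array $approvals, array &$audit): bool
{
    $qualified = [];
    foreach ($approvals as $user => $ctx) {
        $missing = array_diff($policy->requiredFactors, $ctx['factors']);
        $roleOk = $policy->requiredRole === null
            || in_array($policy->requiredRole, $ctx['roles'], true);
        if ($missing === [] && $roleOk) {
            $qualified[] = (string) $user; // array keys are unique: one vote per user
        }
    }
    $allowed = count($qualified) >= $policy->minAuthorisers;
    $audit[] = ['time' => gmdate('c'), 'resource' => $resource,
                'qualified' => $qualified, 'decision' => $allowed ? 'allow' : 'deny'];
    return $allowed;
}

// Constructed sample data: a transfer needing password AND cert from two authorisers.
$audit = [];
$transfer = new Policy(['password', 'cert'], minAuthorisers: 2, requiredRole: 'authoriser');
$approvals = [
    'alice' => ['roles' => ['authoriser'], 'factors' => ['password', 'cert']],
    'bob'   => ['roles' => ['authoriser'], 'factors' => ['password']], // no cert yet
];
var_dump(authorise($transfer, 'account:transfer', $approvals, $audit));
$approvals['bob']['factors'][] = 'cert';
var_dump(authorise($transfer, 'account:transfer', $approvals, $audit));
print_r(array_column($audit, 'decision'));
```

The denied attempt is logged as well as the allowed one, so the audit trail shows who tried to approve a transfer, not only who succeeded.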

