There are two products I have worked with that seem like they solve this problem.

Both change the password on a scheduled basis and have an approval workflow for the password to be revealed when needed (and then change the password again afterwards).



The first is the product that is now Quest Privileged Password Manager (purchased as part of buying e-dmz; I used the re-branded version called Power Keeper from Symark). This is an appliance-based solution running Windows, and while it's full of great ideas, the implementation stinks. For example, they have a boot-time password that must be entered before you can do anything to the system, but there is no way to change the password and it is the same on every appliance ever shipped. When I had it, the pricing was rather high.

The second product is also called Privileged Password Manager and is from Hitachi-ID. This is a software package, and not only is it priced far less than the first one, it's also significantly more flexible. It runs on Windows (not good), but allows you to lock the system down so that the only ports the system listens on are the port used by the app for syncing and port 443 for the web server. It supports using either IIS or Apache as the web server and either MSSQL or Oracle for the database. Their price is a flat fee plus a price for each account managed (root on 3 servers is 3 accounts). They do not charge you more to run more servers (to provide redundancy, disaster recovery, etc.), and the software is smart enough that you can have systems on a network that are not reachable by some of the master systems and it will figure out how to change the passwords on everything properly.

I was able to buy the Hitachi-ID software and servers to run it on for less money than I was paying for the annual maintenance of the Symark appliances.

David Lang

On Tue, 1 Nov 2011, Mathew Snyder wrote:

Date: Tue, 1 Nov 2011 22:10:34 -0400
From: Mathew Snyder <[email protected]>
To: Edward Ned Harvey <[email protected]>
Cc: LOPSA Tech <[email protected]>
Subject: Re: [lopsa-tech] Password management

"One use" is probably misleading. We have a requirement by our
contracting agency to expire ALL passwords every 60 days. This
includes service/application accounts and root. We are still working
out how to do this, but it seems that we have found a reasonable
compromise that is more commonly used (at least for root access). That
is to simply change the root password once it has been accessed, in
whatever form it is stored (printed on paper and stored in a safe or
an app similar to KeePass, for example).

We do not allow root login remotely (SSH is our only enabled remote
method). root can only log in via the console. Should anyone try to
simply su to root, its password is required. sudo is not configured
for the target account's password, so each user's password is used for
that.

Ideally, I would like something that enforces changing the password
once it's been accessed, rather than simply marking it as used and
requiring an entirely new entry to be made, which is what KeePass does
with its TANs.

Individual user accounts are configured to expire using chage, which
meets that requirement in a simple manner. However, as we also have no
need to access root directly except in the case of emergency, using
chage sets an unnecessary requirement to log in regularly to every
server just to change the password every 60 days. Hence the desire
for what I can't think of any other way to describe except as "one
use".

I'll take a look at that serverfault question first. Thanks, Matt. As
for the two-factor options, while we are required to have one in place
for certain things such as VPN access, we aren't required to have it
for server access and it would simply be too much overhead to deal
with on our little team. Thanks for the suggestion, though.

-Mathew

"When you do things right, people won't be sure you've done anything
at all." - God; Futurama



On Tue, Nov 1, 2011 at 9:42 PM, Edward Ned Harvey <[email protected]> wrote:
From: [email protected] [mailto:[email protected]]
On Behalf Of Mathew Snyder

I'm trying to find a suitable password management application. The
primary need is to allow for one-use passwords for root. I installed

How does one implement single-use passwords?  There must be some kind of
application you installed that regularly changes the root pass or something.
They must have some way of securely communicating to some strictly
authorized users what their one-time-use password will be this time.  How
does the solution not avail itself naturally through this process?


_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
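The following is an added example and is not code from the thread, from any of the products David names, or from Mathew's environment. It sketches the "change it once it has been accessed" scheme Mathew describes in the quoted message: the stored root password is revealed and then immediately rotated, so the revealed value is good for exactly one access, and it includes a check for the console-only root login posture (PermitRootLogin no). Assumptions, none of which come from the thread: a Linux host with chpasswd(8) and /dev/urandom, a root-only vault directory named by VAULT (default /root/pw-vault), a DRY_RUN variable that skips the chpasswd step for testing without root, and the function names, which are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or any named product): a minimal
# "one-use" root password workflow. Reveal the stored password, then rotate
# it at once so the revealed value is valid for this single access only.
# Assumed: Linux with chpasswd(8) and /dev/urandom; a vault directory
# $VAULT (default /root/pw-vault) readable only by root; DRY_RUN=1 skips
# the actual chpasswd call so the workflow can be exercised unprivileged.
set -eu

vault_dir() { printf '%s' "${VAULT:-/root/pw-vault}"; }

# gen_password N: N characters from [A-Za-z0-9], drawn from /dev/urandom.
# 256 random bytes yield about 62 matching characters on average, so a
# 24-character request practically never comes up short.
gen_password() {
    n="${1:-24}"
    head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | head -c "$n"
}

# store_password USER PASSWORD: record the password in the vault, mode 0600.
# umask runs in a subshell so it does not leak into the caller.
store_password() {
    (umask 077; mkdir -p "$(vault_dir)"; printf '%s\n' "$2" > "$(vault_dir)/$1")
}

# rotate_password USER: set a fresh random password on the account and
# record it in the vault. With DRY_RUN=1 the chpasswd step is skipped
# (hypothetical test switch); the vault entry is still replaced.
rotate_password() {
    user="$1"
    pw="$(gen_password 24)"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        printf '%s:%s\n' "$user" "$pw" | chpasswd
    fi
    store_password "$user" "$pw"
}

# reveal_once USER: print the current stored password on stdout, then
# rotate it. Whoever received the value can use it for this session; the
# next person has to come back to the vault (and through whatever approval
# step sits in front of it).
reveal_once() {
    user="$1"
    cat "$(vault_dir)/$user"
    rotate_password "$user"
}

# permit_root_login SSHD_CONFIG: print the effective PermitRootLogin value.
# sshd honours the first occurrence of a keyword, so stop at the first
# match; commented lines never match because $1 starts with '#'. Prints
# "default" when the keyword is absent (sshd's compiled-in default applies).
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Usage (as root):
#   rotate_password root                  # initial seeding of the vault
#   reveal_once root                      # prints the password, then rotates it
#   permit_root_login /etc/ssh/sshd_config  # expect "no" for console-only root
```

Every reveal leaves a fresh password behind, which is the property Mathew wants from a "one use" entry; the 60-day expiry question is then moot for root, because the password changes on every access and can be rotated on a timer between accesses with the same rotate_password call.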