Security

Cross-platform Password Management? 328

Martin Blank writes "I work in a NOC, and one of the debates you will find in any strongly-mixed environment like this is preferred OS. We have people who prefer Windows, some who like Linux, and some who do almost everything on Solaris boxes. However, this also means that much software is not available over all three. With all of the servers, routers, and various other protected systems we have, the sheer quantity of passwords is mind-bogglingly difficult to keep track of in a secure fashion. Are there any packages out there right now running on at least Windows and Linux, and preferably also Solaris, that can access a central password file?"
  • Kerberos (Score:3, Informative)

    by Anonymous Coward on Saturday April 06, 2002 @04:55PM (#3296339)
    Look into Kerberos. About the only thing that has kept us from going full Kerberos is the lack of support on the Windows commercial SSH client (the one from ssh.com). It might even be there now, I don't know. I think some of the free clients support it though...?
  • LDAP and Novell (Score:5, Informative)

    by dadragon ( 177695 ) on Saturday April 06, 2002 @04:56PM (#3296341) Homepage
    My school (Mount Royal College) uses an LDAP database to store the users' passwords. It works with all their windoze boxes (95, 98, NT, 2000) AND their Red Hat system they teach programming on.

    Might be worth a look. They use PAM on Linux, and Novell client on Windows, and the mac.
  • LDAP (Score:5, Informative)

    by PatJensen ( 170806 ) on Saturday April 06, 2002 @04:59PM (#3296359) Homepage
    Any UNIX that supports PAM (Solaris, Linux, etc.) can authenticate against Kerberos or LDAP. Both are also supported by Windows-based OS's and servers. LDAP is very scalable with an extensible schema, and can provide support for more than usernames and passwords. For dial access services, LDAP can also be integrated with RADIUS or TACACS.

    Have fun.

    Pat

  • kerberos (Score:5, Informative)

    by gtdistance ( 191566 ) on Saturday April 06, 2002 @04:59PM (#3296364) Homepage
    At University of Michigan they use kerberos for (almost) everything. Basically only the kerberos server has the passwords. I believe that when you want to log into a machine you actually get a ticket from the kerberos server, and the ticket is what is used for authentication.

    As a user I find it pretty convenient. I think it's pretty straightforward from an admin standpoint too, but I wouldn't know from experience.
  • Single Sign-On (Score:3, Informative)

    by Reknamorken ( 526925 ) on Saturday April 06, 2002 @05:00PM (#3296369) Homepage Journal
    I don't think it's 100% clear what the answer is yet. I've seen some attempts at this using LDAP, but it can become quite messy. For example, if you want to tie routers into it you'll need to integrate LDAP with Radius/TACACS.

    Surprisingly, it seems that almost everything out there has Kerberos support these days. I'm going to start an experiment soon to see how well this works with Windows, but some of the websites seem to indicate that there is a reasonable amount of cross-functionality.

    Does anyone else have actual experience implementing Kerberos in a mixed Unix/Windows environment?

  • Samba (Score:2, Informative)

    by dousette ( 562546 ) <`gro.ettesuod' `ta' `evad'> on Saturday April 06, 2002 @05:01PM (#3296373) Homepage
    Samba should be able to do it, from what I've heard, though I've never personally set it up before to do that.
  • by __past__ ( 542467 ) on Saturday April 06, 2002 @05:01PM (#3296376)
    How exactly does one use a web server as a "password server"?
  • RSA SecurID (Score:5, Informative)

    by Gunfighter ( 1944 ) on Saturday April 06, 2002 @05:04PM (#3296387)
    I just attended a network security seminar at a small university in Virginia this past week. I manned the booth for my company, but between rush times I spent most of my time speaking with the people (sometimes competitors) from other booths. One of the engineers at another booth was kind enough to give me an RSA SecurID demo box with two key fobs and all the software I needed to set up a server.

    Within an hour of arriving back at my hotel room, I had the software up and running (had to download the Win2K agent from the RSA website), and my login to my laptop was secured via SecurID. Once I arrived home last night, I set up the server on my home network, and now all of my workstations and server (Linux included!) are using RSA SecurID login.

    You can run the server on NT/AIX/Solaris (probably more by now because I have an old kit), and there are agents out there for just about any operating system. In addition, you can have routers access the server as if it were a TACACS+ or RADIUS server.

    Check the RSA website [rsasecurity.com] for more information. The part you'll care most about are the agents (client side of the equation), and I know for sure that there are agents available for Windows, Linux, and Solaris.

    Good Luck!
  • by Seth Finkelstein ( 90154 ) on Saturday April 06, 2002 @05:04PM (#3296388) Homepage Journal
    LDAP [openldap.org] is definitely something you should investigate.

    It is extremely cross-platform compatible [emailman.com]

    Sig: What Happened To The Censorware Project (censorware.org) [sethf.com]

  • by Bowie J. Poag ( 16898 ) on Saturday April 06, 2002 @05:04PM (#3296389) Homepage
    The thing you're looking for is called NIS. A vastly oversimplified explanation of NIS goes something like this: An NIS-capable host is a system where passwd and group information is kept, and subsequently "pushed" to other hosts. Users log into local machines, the local machines reference their latest NIS maps, and log you in based on that. It's not difficult to set up or maintain, no more difficult than handling localized passwords, at least. Look into it.

    NIS is what Sun used to call YP, or Yellow Pages. Pick up a book on NIS administration, and knock yourself out.

    I'm sorta surprised this ended up on Slashdot. You'd think that a predominantly Unix-reading crowd would have rejected this one flat out due to it being so obvious.

  • Re:LDAP and Novell (Score:2, Informative)

    by crowke ( 300971 ) on Saturday April 06, 2002 @05:05PM (#3296392)
    The best way to learn the basics of LDAP is to read the IBM Redbook (PDF) [ibm.com] about this subject...
  • winbind (Score:1, Informative)

    by Anonymous Coward on Saturday April 06, 2002 @05:06PM (#3296401)
    check out winbind from samba.

    Lets unix users use a windows PDC for authentication.
  • by Anonymous Coward on Saturday April 06, 2002 @05:07PM (#3296409)
    I realize it's not the latest thing, but I use NIS on the main server. All unix clients bind to the NIS domain. I also run Samba 2.2.3a as a PDC, and set up the password sync capability so when they change password from a Windows client it also changes the unix password.

    At some point in the future we will migrate towards Kerberos and LDAP I suppose, but I don't see the setup changing greatly. I still prefer using samba running on a unix box to act as the PDC and server. Works very well for basic authentication and file/print serving.
  • by pongo000 ( 97357 ) on Saturday April 06, 2002 @05:11PM (#3296421)
    How does this help each user keep track of a large number of passwords? What you have here is a centralized NIS-like database of passwords, but it does nothing to help a user remember what password goes with what machine. Also, this seems like an incredible security risk, putting all your chips down on the bet that you can create a super-secure password server that will never be broken. What happens if you're wrong, or make a mistake?
  • Re:NIS? (Score:3, Informative)

    by lowar ( 258202 ) on Saturday April 06, 2002 @05:12PM (#3296428)
    NIS???
    Maybe it will solve the single logon problem, but it's a nightmare from a security POV.

    Type "ypcat passwd" on a NIS enabled box, you will see what I mean...

    CU Micha
  • Re:LDAP (Score:3, Informative)

    by bonius_rex ( 170357 ) on Saturday April 06, 2002 @05:16PM (#3296444)
    When you are mixing different vendors' LDAP implementations together, be real careful about who gets to keep the passwords. IIRC Active Directory stores passwords in a goofy format that nobody else can use, so you will need a product like "Microsoft Meta Directory Services" or Novell's "DirXML" to keep things in sync.

    Linux and Solaris are pretty easy to accommodate with PAM.

    Microsoft also makes a product called "Services for Unix" which will (among other things) make your Active Directory Domain controller act like an NIS server so you can setup Linux/Solaris boxen as slaves.

    Just make sure NOTHING transmits passwords across the wire in clear text. If everything uses the same username/password, a simple packet sniff can compromise the whole works!

  • Re:Single Sign-On (Score:1, Informative)

    by Anonymous Coward on Saturday April 06, 2002 @05:18PM (#3296453)
    You're correct. Kerberos is the way to go here. LDAP is nice as a directory but storing passwords directly in LDAP is a bad idea and requires special software on the Windows boxes. Kerberos is directly supported and in general will interoperate well with either MIT or Heimdal KDCs. Plus not only do you get single password but you also get single-sign-on if you set it up right.
  • by ghack ( 454608 ) on Saturday April 06, 2002 @05:20PM (#3296465)
    NIS works great - I would highly recommend it. I agree with the parent poster in that using NIS is the obvious thing to do - the most simplistic google search would reveal that.

    http://www.linuxfocus.org/English/July2001/article148.shtml [linuxfocus.org] is a good NIS howto.
    http://www.isi.edu/~govindan/cs558/nis/ [isi.edu] is a good basic overview.

    NIS is a solution that will work on linux, solaris, and windows 2000 - so it is perfect for your application.

  • Re:RSA SecurID (Score:1, Informative)

    by Anonymous Coward on Saturday April 06, 2002 @05:23PM (#3296475)
    We've used the SecurID fobs at my work place for secure remote access. While the system works well, and seems secure (based on the "know something (a password) and bring something (the fob)" principle, like ATM cards), you have to have the fob with you whenever you *might* need access to a secured system. So, if you leave home and forget to pack it... Or, if your fob dies (and I've seen about 60% of ours fail over the last 3 years)... Or if you break it (about 10% of our fobs)... If the fobs were available in a credit card form factor (thickness, too!), they'd be easier to keep on your person than the ones we have.
  • Re:It exists..... (Score:3, Informative)

    by cscx ( 541332 ) on Saturday April 06, 2002 @05:27PM (#3296492) Homepage
    I apologize for the lack of details but I don't know any of the specifics on whether or not it is a central password file or different servers all keep a current copy of the same file.

    They use a program called actmaint, which I think is custom written. What happens is when you change your password using passwd at a unix prompt, it activates actmaint to go and propagate your password through all the Sun systems, all the Windows NT domains, all the Windows 2000 domains, and the custom NIS authentication (how do they authenticate the Macs to a Sun box, hmmm?) and other Unix systems across campus (like the engineering machines) that are linked to your password. This allows the regular Purdue network to be kept separately maintained from, say, the engineering systems, but allows you to have a common password for convenience. How does PC-RDist fit into this? It doesn't as far as I know; it is activated when a reboot is initiated to keep the hard drive data in a consistent fashion (i.e., all data you added is removed, all data you changed / deleted since login is replaced). Try the new WinXP stations to prove this; you have to login to a domain controller before it can auth you to a Sun box. _That_ may be using kerberos, but as far as actmaint goes, it's not using kerberos tickets 'cause there are a significant number of Windows NT 4 machines out there (like the ones running student services...) that the passwords have to sync to, and kerberos didn't come out till Win2k.

    But like I said, I think actmaint is an in-house custom written program, so your argument is moot :).
  • by Anonymous Coward on Saturday April 06, 2002 @05:28PM (#3296498)

    "Are there any packages out there right now running on at least Windows and Linux, and preferably also Solaris, that can access a central password file?" Jesus tap dancing Christ. How *do* you people get jobs?
  • by ayden ( 126539 ) on Saturday April 06, 2002 @05:30PM (#3296506) Homepage Journal
    I attended an event in November 2000 hosted by Collective Technologies [colltech.com] called Shared Authentication Solutions. Collective Technologies developed an in-house solution permitting single sign-on and application control. The tools used were:

    1. Win2k password server running Active Directory (which is really LDAP, with a twist) and the M$ bastardized version of Kerberos. Collective Technologies extended the Win2k password file with Active Directory to contain the usual UNIX password fields and the ACLs for each application.

    2. Solaris and RedHat Linux boxes running Kerberos, PAM, and LDAP.

    3. NT and Win2k boxes running either NTLM or the newer Win2k Authentication client.

    Once a user logged into any session on the Collective Network, they had instant, secure access to all the resources they were supposed to have, and no other.

    The only downsides to this entire setup I could see were:

    1. The authentication server ran on Win2k and not UNIX.

    2. The weak link in this chain was the Win2k authentication server. Collective Technologies suggested that their implementation relied on physically securing this one box in a locked server room.

    I was unable to find information on the Collective Technologies web site about this presentation. Please contact me if you would like more information and I'll try to dig up the documentation provided by Collective Technologies.
  • Our Noc (Score:3, Informative)

    by BrookHarty ( 9119 ) on Saturday April 06, 2002 @05:33PM (#3296510) Journal
    We currently use 3 headed Solaris Boxes, and for windows we use citrix. We use NIS and NFS to mount a shared binary directory. We have a program we run from a command prompt that will give us the username/password. You can only see the command from the shared directory, and it's not shared with non-noc people. It reads a file that's encrypted and not readable by the user. You can't copy the encrypted password file to your local workstation.

    We do regular updates to passwords on routers/servers/etc. So we just update the file. Our NOC doesn't have root on the servers, they log in with a program that controls the permissions, kinda like sudo with server based auth. I don't want to mention the name of the program on slashdot...

    For our engineers, we use a program for windows called "WinSafe" that loads a shared .dat file (encrypted) on a windows share. The share is only available to the engineers. Like any program, if you use weak passwords, you can do a dictionary attack on it. Winsafe is freeware.

    Basically, a client program that reads an encrypted password file on an authenticated non-shared resource over an encrypted channel.
    -
    I have left orders to be awakened at any time in case of national emergency, even if I'm in a cabinet meeting. - Ronald Reagan
  • IBM Redbooks (Score:3, Informative)

    by fm6 ( 162816 ) on Saturday April 06, 2002 @06:13PM (#3296621) Homepage Journal
    Karma Whore!

    Well, I shouldn't complain, since you helped me find the Redbook web site [ibm.com]. But you have to admit you're just barely on-topic. And it would have been more useful to point to the main page for this Redbook [ibm.com], which includes various useful links, including an HTML version, the FTP directory for related files, a place to submit review comments, and other good stuff.

  • Re:LDAP and Novell (Score:3, Informative)

    by irony nazi ( 197301 ) on Saturday April 06, 2002 @06:13PM (#3296625)
    I don't see anybody mentioning it here, but I use a disk-on-key to manage my passwords. The password files are stored in an encrypted format, and I have OS-X, Linux, and Win32 binaries stored on the key that will decrypt whichever file I choose based on some passphrase. The passphrase is the same for all password files.

    The most common passwords, you will constantly use and not need the key for. The less common passwords, however will always be in your pocket, one USB connection and decryption away.

    I didn't see any other mention of hardware implemented solutions so I figured I would throw this one out.

    -irony nazi

  • by Anonymous Coward on Saturday April 06, 2002 @07:38PM (#3296917)
    I believe NIS+ solved many of the security problems with NIS. And the University of MD appears to use it for Linux/Solaris/Irix/WinNT/Mac and probably more (VAX?). And before you start wringing your hands about NIS insecurities, I'd suggest adequately Firewalling, IDSing, logging and compartmentalizing your network; if it's like most it's probably got unaddressed problems.
  • by Fastolfe ( 1470 ) on Saturday April 06, 2002 @07:45PM (#3296937)
    It sounds like you need to break out your authentication from your authorization a little. Unless you need to replicate user records for availability reasons, keep them on the master servers. On your LDAP servers maintain a group containing a list of those users that are permitted access to your systems. Link them together using LDAP referrals (main organizational server delegates to your server for your organizational unit, and your server refers unknown requests to the main server).

    When the user tries to log in, they'll be authenticated from the central servers, and authorized to use the servers based on whether or not they're in the group.
  • by __past__ ( 542467 ) on Saturday April 06, 2002 @07:48PM (#3296948)
    First of all, using an RDBMS is not an answer to this question - just storing your password(s) somewhere will not automagically make it possible to actually use it for login.

    However, directory services are better suited than classical RDBMSes, because they are optimized for fast lookups. An RDBMS in contrast focuses on concurrent updates - all this ACID stuff is basically not needed if all you want to do is providing authentication services (as long as you don't frequently try to update your password from 10000 workstations at once).

  • by SuperBug ( 200913 ) on Saturday April 06, 2002 @07:50PM (#3296957) Homepage Journal
    It is a bit difficult to get working, but it is "strong", centralized, password and user management.

    The only thing I've found missing from kerberos, is simplified high-level documentation in a cook-book format for different ways of implementing and administering the KDC and the realms.

    Fortunately I'm working on such documentation, and it may become part of the FAQ. After I make some adjustments, maybe it will.
  • Re:RSA SecurID (Score:3, Informative)

    by dondiego ( 96542 ) on Saturday April 06, 2002 @08:30PM (#3297082) Homepage
    gack, do a google search and read up about how "SecurID" has been cracked and is not nearly as secure as vendors might lead you to believe... (As far back as 1996 they started finding problems.) Here's an example discussion: http://www.linuxsecurity.com/articles/cryptography_article-2336.html [linuxsecurity.com]
  • by Anonymous Coward on Saturday April 06, 2002 @09:22PM (#3297192)
    There is a difference. A Linux box with LIDS, even if the cracker gets root, the cracker can't do anything. LIDS takes total control away from root. Is that possible with OpenBSD?

    Also OpenBSD and Linux are only as good as the services they run. So if there is a hole in OpenSSH or OpenLDAP, it doesn't matter if the OS is Linux or OpenBSD, a cracker can get root.
  • by Gerdts ( 125105 ) on Saturday April 06, 2002 @09:58PM (#3297273)
    NIS is bad because it allows you to display the encrypted password for every user using the command "ypcat passwd". It is a required part of the protocol that cannot be disabled. It would be possible to disable ypcat, but the underlying API call yp_all cannot be removed or blocked. Encrypted passwords can then be guessed with a program called "Crack" (and others).

    Furthermore, NIS is susceptible to attacks that use a faked NIS server. You can create your own fake NIS server (laptop running linux) for the domain, create an account "myroot" with uid 0, and a password that you know. Next, you unplug the ethernet of the machine that you want to break into, and plug it into a hub that only your trojan laptop is on. Assign your laptop the IP address of one of the NIS servers. Now, log in as "myroot". You now have root access on the machine. The only protection I know against this attack is to implement IPsec between your NIS servers and all clients.

    NIS+ works around these problems as it uses a public key cryptography system for all transactions. The problem with NIS+ is that it is not widely implemented and Sun (the primary vendor behind it) has announced that its upcoming release of Solaris, Solaris 9, will be the last one to have NIS+. Sun recommends shifting to LDAP.
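As an added example (not from the thread or from any NIS vendor) of the defender-side check this post implies, here is a small Python audit of a passwd map as `ypcat passwd` would print it: it flags entries that publish a password hash to every client, entries with no password at all, and uid-0 logins other than the ones you expect (the "myroot" a rogue server would inject). The sample map lines and hash strings are constructed, and KNOWN_ROOT_LOGINS is an assumption about the site.

```python
"""Audit a NIS passwd map (passwd(5) format, as printed by `ypcat passwd`).

Added example, not part of the thread. Flags the two weaknesses the post
describes: password hashes readable by any client via yp_all, and
unexpected uid-0 accounts. Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption about the site: the only legitimate uid-0 login.
KNOWN_ROOT_LOGINS = {"root"}

# Second-field values that mean "no hash is published in this map".
SHADOW_MARKERS = {"x", "*", "!", "!!", "*NP*", "*LK*"}


@dataclass(frozen=True)
class Finding:
    login: str
    uid: int
    issue: str


def classify_password_field(field: str) -> Optional[str]:
    """Return a description of the problem with a passwd field, or None."""
    if field == "":
        return "empty password field: login possible without a password"
    if field in SHADOW_MARKERS or field.startswith("##"):
        return None  # shadowed ("x", Solaris "##login") or locked/no-password marker
    if field[0] in "!*":
        return None  # locked account, hash not usable
    return "password hash exposed in NIS map (readable via ypcat / yp_all)"


def audit_nis_passwd(map_text: str, known_root=KNOWN_ROOT_LOGINS) -> List[Finding]:
    """Walk every map entry and collect findings in map order."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(map_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line, -1, f"malformed entry on line {lineno}"))
            continue
        login, pw, uid_s = fields[0], fields[1], fields[2]
        try:
            uid = int(uid_s)
        except ValueError:
            findings.append(Finding(login, -1, "non-numeric uid"))
            continue
        issue = classify_password_field(pw)
        if issue:
            findings.append(Finding(login, uid, issue))
        if uid == 0 and login not in known_root:
            findings.append(Finding(login, uid, "unexpected uid-0 account"))
    return findings


# Constructed sample map: one shadowed root, one exposed hash, one locked
# account, one empty password, one injected uid-0 login, one Solaris-style
# shadowed entry.
SAMPLE_MAP = """\
root:x:0:0:root:/root:/bin/bash
alice:$1$abcdefgh$Ui1TBWCUNhsAKozqN5E7V/:1001:100:Alice:/home/alice:/bin/bash
bob:*:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
myroot:$1$zzzzzzzz$Ui1TBWCUNhsAKozqN5E7V/:0:0:fake:/tmp:/bin/sh
dave:##dave:1004:100:Dave:/home/dave:/bin/sh
"""

if __name__ == "__main__":
    for f in audit_nis_passwd(SAMPLE_MAP):
        print(f"{f.login} (uid {f.uid}): {f.issue}")
```

On a live client, pipe `ypcat passwd` into `audit_nis_passwd` instead of the constructed sample; a clean map returns an empty list.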
  • Samba (Score:3, Informative)

    by Gerdts ( 125105 ) on Saturday April 06, 2002 @10:08PM (#3297287)
    Samba is well known for its ability to act as an NT File/Print server, but it can also act as a primary domain controller. I believe that its PDC capability along with its Unix Password Sync functionality will allow you to accomplish most of what you want. Alternatively Samba also comes with winbindd which allows you to have your Linux and Solaris clients participate in an NT domain.

    With Unix password sync, you are likely to be tempted to use NIS to distribute your passwords to your Linux and Solaris clients. While that would work just fine, NIS is known for its lack of security (search for my other post on this subject). If you use NIS initially (potentially to integrate with your existing NIS environment), consider shifting over to LDAP. Samba 2.2.x has had significant work done to provide integration with LDAP. Check the docs for the latest release and the samba mailing lists [samba.org] for details.
  • PasswordCourier (Score:3, Informative)

    by kwelch ( 224616 ) on Saturday April 06, 2002 @10:32PM (#3297350)
    Check out PasswordCourier [courion.com] (Warning - Flash required). I know it works well - I work there :-).
  • putty (Score:2, Informative)

    by morgajel ( 568462 ) on Saturday April 06, 2002 @11:31PM (#3297482)
    putty [greenend.org.uk] is a good ssh client for windows- I'm not sure if it's what you meant tho... really configurable, and we normally recommend it to freshmen who are still using telnet.
  • SeOS (Score:2, Informative)

    by Anonymous Coward on Saturday April 06, 2002 @11:35PM (#3297487)
    I'm a systems administrator for a large telco. We use "SeOS" on most of our boxen. http://www.astrom.se/cai/etrust/ac/index.html

    It's not bad and it allows functionality like giving certain groups and users trusted su capability. Performs scheduled required password changes and other fun stuff.
  • P-Synch (Score:2, Informative)

    by shking ( 125052 ) <babulicm@cuu g . a b . ca> on Saturday April 06, 2002 @11:43PM (#3297506) Homepage

    M-Tech [m-tech.ab.ca], a Calgary company makes P-Synch [psynch.com], a cross-platform password management system. P-Synch supports over 60 types of systems including: Unix servers, Windows NT, Windows 2000 active directory, OS390 / MVS mainframes, LDAP directories, email, groupware and popular ERP applications, such as SAP and PeopleSoft.

    M-Tech showed P-Synch off to the Calgary Unix Users Group [cuug.ab.ca] last year. When I saw your story, I immediately thought of them.

  • Try this (Score:2, Informative)

    by crivens ( 112213 ) on Sunday April 07, 2002 @12:13AM (#3297567)
    Try M-Tech's PSync [m-tech.ab.ca].
  • Re:RSA SecurID (Score:1, Informative)

    by Anonymous Coward on Sunday April 07, 2002 @06:52AM (#3298481)
    SecurID has proven insecure, it is possible to break.
  • by UncleDuncan ( 75715 ) on Sunday April 07, 2002 @10:10AM (#3298864)
    There was review in Linux Journal back in 1999 of a product that addressed this problem:

    http://www.linuxjournal.com/article.php?sid=3040

    The company is M-Tech http://www.m-tech.ab.ca/, and they have a product called P-Synch that allows you to do cross-platform password syncing.

    I've never used p-synch. We use openldap instead of a commercial product, but we don't use it for root passwords. Seems to me to be a security risk to have root the same on all boxes. You might be better served by having some sort of password scheme/algorithm rather than a common login, especially if the issue is being able to remember the password, rather than ease of mass changing/syncing of passwords.
