Security

Cross-platform Password Management? 328

Martin Blank writes "I work in a NOC, and one of the debates you will find in any strongly-mixed environment like this is preferred OS. We have people who prefer Windows, some who like Linux, and some who do almost everything on Solaris boxes. However, this also means that much software is not available over all three. With all of the servers, routers, and various other protected systems we have, the sheer quantity of passwords is mind-bogglingly difficult to keep track of in a secure fashion. Are there any packages out there right now running on at least Windows and Linux, and preferably also Solaris, that can access a central password file?"
  • by jroos ( 205868 ) on Saturday April 06, 2002 @04:55PM (#3296338) Homepage
    It seems to me that a centralized password system just defeats the purpose of having different passwords. If you can compromise the password system, you've compromised everything.
  • by Anonymous Coward on Saturday April 06, 2002 @04:59PM (#3296361)
    What else needs to be said?
  • by ltsmash ( 569641 ) on Saturday April 06, 2002 @05:19PM (#3296460)
    Security experts always say: 1. passwords should be 8+ characters; 2. passwords should look like they were randomly generated (esp. no English words); 3. never write your passwords down (WHICH INCLUDES USING A PASSWORD MANAGEMENT SYSTEM). Personally, I usually follow rules #1 and #2, but there is no way I can memorize 10+ randomly generated strings. Aren't security experts being a little hypercritical?
  • Novell eDirectory (Score:4, Insightful)

    by c-town ( 571657 ) on Saturday April 06, 2002 @05:25PM (#3296485)
    Novell hasn't gotten much right except their directory services. By far, Novell NDS/E-Directory is the best you can get in the industry. If you just want password management, openldap [openldap.org] is good enough. However, if you want better user/group/server/services/application management, give eDirectory [novell.com] a shot. There's nothing else better to manage mid-enterprise corporations. It really does kick ass.
  • by Snow_Bonobo ( 29658 ) on Saturday April 06, 2002 @05:55PM (#3296578)
    I think the question isn't so much about storing passwords for systems to use, such as in LDAP or NIS directories, but about storing passwords for humans to access. The other half of a password system is also very important.

    Directories like LDAP, Kerberos and NIS can reduce the number of passwords on a network and make maintenance easier (normal users can have one password for all systems they access) but there will still be many passwords. It's a very bad idea to give every workstation and server the same root password, for example.

    Ordinary users can get by with one universal password for their network identity, but for system administrators it can be a nightmare. I've got about 130 passwords to keep track of.

    The best solution I've come up with so far is to use cheap Palm PDAs to store the passwords, encrypted and locked with a good password itself, on special password storage apps. Each sysadmin can have a PDA with just their passwords on it. For about £80 each it isn't cheap, but it's a lot better than using password protected Word files, which I've seen other companies using. Don't use the Palm's own "secure" storage, it's useless for things that need to be really secure.

    I'm still looking for a better solution - some way to store the passwords centrally and distribute them to each PDA depending on the requirements of each sysadmin would be great.

    Of course, the way that passwords become so cumbersome in large quantities just shows how flawed passwords are. Hopefully Kerberos will catch on more - the advanced features of Kerberos help reduce the number of passwords needed.

  • by tutal ( 512222 ) on Saturday April 06, 2002 @06:02PM (#3296595)
    Pet peeve alert!

    randomness != security

    Why?
    1. Your typical user (read incompetent) has a tough time either typing or remembering a random password, especially if changed frequently.
    2. If they can't type it easily they will hunt and peck, and type the password in slowly, which any malicious user can pick up easily.
    3. If they can't remember it they most likely will write it down, and equally as likely put it on a post-it note on their monitor.

    Solution?
    Use long passwords (over 8 characters) with alphanumeric replacement that alternate between hands, i.e. dismantlement (the longest alternating qwerty word) could be dism4ntl3m3nt. And no.. that is not my password on Slashdot or anything else for that matter ;-)
  • Re:NIS? (Score:2, Insightful)

    by typedef ( 139123 ) on Saturday April 06, 2002 @06:14PM (#3296628)
    NIS isn't that bad, as long as you don't use it as the primary authentication service, and just use it to distribute user/group information across the network. On my network, I have the password field for each user in NIS set to something that doesn't map to a real password (i.e. +++) and I've configured PAM on all hosts to authenticate via Kerberos. Once they've obtained a set of credentials from the KDC, their group, home directory, shell, etc. is obtained from the NIS database. You can accomplish basically the same thing using LDAP to distribute the user/group information, and theoretically (I haven't tried this personally) you could get this all to work out of the box using a Win2k box with Services for UNIX installed. AFAIK, PAM ships on Solaris and most Linux distros, so implementing this on the client end of things shouldn't be too much of a problem either.
  • by deviator ( 92787 ) <bdp@@@amnesia...org> on Saturday April 06, 2002 @06:37PM (#3296702) Homepage

    LDAP is a great idea, but it's only half of the problem - it specifies the cross-platform interface, but not the database to store that information in. OpenLDAP sounds like a step in the right direction.

    MS has their ActiveDirectory that fully supports LDAP, but the database is very Windows-centric and you'd be taking on all of Microsoft's security issues related to hosting ANYTHING on a Win2K server.

    Really, seriously, definitely have a look at Novell eDirectory (a.k.a. NDS) as your foundation - replicas of NDS partitions can be *hosted* on Solaris, RedHat Linux, Netware, NT and Win2K (note: you do NOT NEED A NETWARE SERVER ON YOUR NETWORK TO RUN eDIRECTORY! :) You can use the proprietary Novell client software for various OSes to access this information, or make standard LDAP calls to it.

    NDS (the database part) is dynamically extensible, totally replicated (for performance and auto failover) & almost completely automatic... very little maintenance is required. It supports hooks for almost all OSes for authentication (look at Novell Account Manager for Linux & Solaris, for example) and directly supports smartcards/biometric/SecurID/etc. It's "light" meaning you wouldn't have to dedicate entire servers to host the information. The security is awesome and you get very fine-grained control over everything. It's relatively inexpensive these days, too. (You can practically get it for free if you're a developer - check the website for a free eval copy, too)

    These days, Novell also has all sorts of whiz-bang products (i.e. DirXML) that integrate with eDirectory - do bulk-loads or automatic synchronization of other proprietary directories using your own XML interfaces. They even have a bunch of tools & apps that let you take existing apps and set them up as "single sign on" so you don't have to keep track of multiple passwords for multiple databases.

    The other advantage is that Novell has about ten years of lead time over everyone else's directory implementation right now.. I'm lucky enough to have had a chance to play with NDS on several large networks and continue to be amazed at the technology behind it.

    more info: http://www.novell.com/edirectory [novell.com]

  • by Anonymous Coward on Saturday April 06, 2002 @07:00PM (#3296793)
    Many times, a password is just a word you need to enter into the system because the program said so. For my need, passwords are an inconvenience, thus passwords are an evil. For my situation, the "best" password should be as simple as possible and should always be posted on the monitor. Ideally, the binary should arrive in a wrapper and at startup print on the screen your password before it asks for it! My needs are different.
  • by vipw ( 228 ) on Saturday April 06, 2002 @08:01PM (#3296996)
    Having passwords written down isn't a bad thing; having them written on a post-it note on your monitor is. :)

    Passphrases for things like signing keys and such are often kept in a bank vault. Passwords like those are very long though and nearly impossible to remember. The ideal solution is for no unauthorized parties to have the password, but that can't be guaranteed just because it's a long random memorized password. Usually the best you can do is make it so your password can't be found without you knowing about it, and that can be done with written passwords that aren't left laying around.

    My method is to have the password in written form in my wallet for about 10-20 uses, after which I'm confident I won't forget it and then I eat or burn the paper.
  • Novell eDirectory (Score:2, Insightful)

    by VikingBrad ( 525098 ) <.brad. .at. .thurkettle.com.> on Saturday April 06, 2002 @08:44PM (#3297107) Homepage
    Novell does many things wrong but their eDirectory ( http://www.novell.com/products/edirectory) product is clearly the leader.

    It runs native on Windows NT4, 2000, Linux, Solaris, AIX and Netware 4, 5 & 6.

    It also is LDAP 3.0 compliant and is managed through a Java-based console that will run on any platform with a JVM.

    It also has flexible Authentication extensions and Account Management for Windows, Linux & Netware that enable administration of file system shares.

    And for all that, developers can bundle a 250,000 user version of eDirectory with their Apps for free (http://developer.novell.com/edirectory/).

    Although it's not open-source it should be bundled with Linux distributions targeted at large organisations to provide a scalable, cross-platform secure directory system.

  • by Anonymous Coward on Saturday April 06, 2002 @11:31PM (#3297481)
    The awesome BSD-licensed OpenSSH server can support Kerberos (as well as several other authentication methods including SecureID).
  • by JLouder ( 203304 ) on Sunday April 07, 2002 @10:06AM (#3298854)
    The thing you're looking for is called NIS...

    NIS is simple to set up, but any user on one of your systems can run ypcat passwd (or ypcat shadow, depending on how you've set things up) and see everyone's encrypted passwords.

    Another problem with NIS is that it distributes the complete maps every time a change is made. If you're looking for an enterprise solution, you'll have a passwd map with thousands of entries, and you don't need to be pushing that whole thing around the network every time a user changes his password.

    NIS+ solves both of these problems, but is more complicated. But more importantly, Sun plans to remove NIS+ from Solaris after Solaris 9 [sun.com]. They're encouraging everyone to switch to LDAP.
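Two posts above describe the same NIS hazard from opposite sides: typedef sets every NIS password field to a placeholder ("+++") and authenticates through Kerberos instead, while JLouder points out that anyone on the network can `ypcat passwd` and read whatever that field contains. The script below is an added example, not code from either poster: it audits a passwd-format map (for instance the output of `ypcat passwd` saved to a file, or piped straight in) and flags entries that still carry a real hash or no password at all. The set of placeholder and lock markers it treats as safe ("+++", "x", "*", "!", "!!", "NP", "*LK*") is an assumption drawn from common Linux and Solaris conventions plus typedef's own choice; adjust it to match your site. The sample map is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a NIS/passwd-style map
# for password fields that a `ypcat passwd` reader could actually attack.
# Reads passwd(5)-format lines on stdin, prints one line per offending entry,
# and returns the number of offending entries as its exit status (0 = clean).
audit_passwd_map() {
    count=0
    # IFS=: splits on colons only, so an empty field survives as an empty value.
    while IFS=: read -r user pw _rest; do
        # Skip blank lines and comments.
        case "$user" in ''|'#'*) continue ;; esac
        case "$pw" in
            '')
                # No password at all: login with an empty password may succeed.
                printf 'NO PASSWORD SET: %s\n' "$user"
                count=$((count + 1)) ;;
            '+++'|x|'*'|'!'|'!!'|NP|'*LK*'|'*NP*')
                # Placeholder or lock marker (assumed site conventions): fine.
                ;;
            *)
                # Anything else is treated as a real hash exposed to the network.
                printf 'REAL HASH EXPOSED: %s\n' "$user"
                count=$((count + 1)) ;;
        esac
    done
    return "$count"
}

# Constructed sample map: root still carries a hash (value is made up),
# svc-backup has an empty field, the rest use placeholders or lock markers.
SAMPLE_MAP='root:$1$QmKqV1rF$constructedhashvalue:0:0:root:/root:/bin/sh
alice:+++:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
svc-backup::1003:100:Backup service:/var/backup:/bin/sh
# a comment line is ignored
carol:*:1004:100:Carol:/home/carol:/bin/sh
dave:*LK*:1005:100:Dave:/home/dave:/bin/sh'

# Demo run; on a real host use:  ypcat passwd | audit_passwd_map
printf '%s\n' "$SAMPLE_MAP" | audit_passwd_map || echo "exposed entries: $?"
```

Because the loop reads the function's own stdin rather than a pipe inside the function, `count` is updated in the same shell and the return status is reliable in plain POSIX sh. The exit status is a convenient pass/fail signal for a cron job or a monitoring check, though it saturates at 255 on very large maps, so parse the printed lines if you need the exact figure.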
