Cross-platform Password Management?
Martin Blank writes "I work in a NOC, and one of the debates you will find in any strongly-mixed environment like this is preferred OS. We have people who prefer Windows, some who like Linux, and some who do almost everything on Solaris boxes. However, this also means that much software is not available over all three. With all of the servers, routers, and various other protected systems we have, the sheer quantity of passwords is mind-bogglingly difficult to keep track of in a secure fashion. Are there any packages out there right now running on at least Windows and Linux, and preferably also Solaris, that can access a central password file?"
The best method might be simple ... (Score:4, Interesting)
On the logging tables in the database, make sure they aren't readable or writeable by the web-user. They should only allow INSERT queries.
This might be the best way.
Smartcard systems? (Score:3, Interesting)
I realise it isn't very practical adding smart card readers to every machine... but I'm just starting to look into smartcards on *nix and the MUSCLE project seems to suggest that you can roll smartcard verification into your login procedure.
http://www.linuxnet.com/apps.html
I'm just psyched that I got my Citibank serial port smartcard reader up and running under the pcscd smart card daemon. Now I can play around with this very idea.
-jef
Samba? (Score:1, Interesting)
If you have an existing *nix net Samba would probably be the way to go.
Other benefits include a centralized "Share" so all your machines could easily mount the same drives, and centralized printing (you don't need Samba for this unless your network prints from the Windows network). Check it out, the new versions also support encrypted passwords...
Just my 2cents
PGP (Score:3, Interesting)
Re:Smartcard systems? (Score:3, Interesting)
read muscle frontpage
http://www.linuxnet.com/
Linux is the targeted development platform... but the goal is to have a framework portable across the Unix-based OSes: Linux, MacOS X and Solaris are all mentioned right up front... they even offer binaries for Solaris 8 on SPARC for the base pcsc software.
The license for the pcsc-lite package that they offer is a BSD variant, I believe... perfect for a reference implementation across ALL the Unix-based OSes out there.
I think the Windows world already has a large collection of card reader software supplied by vendors... so taking care of the Windows boxen would probably not need any software like this at all, since you probably get the card reader software for Windows with the device.
-jef
Re:Smartcard systems? (Score:3, Interesting)
And are those usb devices supported on Solaris?
I think smartcard/USB-keychain decisions come down to price-feature ratio. If you want real portable storage for files and whatnot, the USB devices are the way to go... if you just want to keep passwords or cryptokeys/sigs then smartcards might be cheaper to implement.
I'd also be concerned about support for the USB devices on the Unixes...
But I haven't seriously looked into it... since I don't have a real need for this stuff personally.
My Citibank smartcard reader was FREE, so getting it working under Linux was a nice bonus.
-jef
Re:LDAP (Score:5, Interesting)
I think Pat Jensen has really got some good advice here. At SST, we're slowly moving to a "universal login" system for our Web sites. There are about 5 internal & external sites, each requiring different usernames & passwords. Our solution is to set up a MySQL database with login data and nothing more, and then each Web site will check for a cookie (MD5 hash with IP addy, so the cookie is difficult to spoof). Since all our sites operate under sst.com, they should all be able to view the cookie and verify it.
However, and as an inevitable side-effect, people are now asking why we can't use that same system for NT logins and Outlook and yadda yadda. If we had chosen LDAP, this would have solved the issue, as LDAP can be plugged into a bit more than MySQL can. We will still do this, it just means we have to revise, revise, revise. I have yet to look into how well PHP and ASP support LDAP, and just how much LDAP can do, but it appears to be much more in line with our needs. Can anyone speak definitively about what PHP and ASP and NT and Outlook can do with LDAP?
Re:Use a fricken database (Score:1, Interesting)
Single Sign On isn't the answer either -- if people know the password, then someone else can figure it out, and having the same password for every resource then leaves your enterprise in the same state it was before. Imagine your Network/Server Architect out at a bar getting liquored up one night, and then tell me that one password for all your devices is a good idea.
The **BEST** solution is something like a SecurID token -- you take something you know (a PIN) and combine it with something you have (a 6 digit random number provided w/ your SecurID token) to create a one-time use password. If someone has your token, they still need to know your PIN, and if they have your PIN they still need your token.
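The PIN-plus-token-code login described in the comment above, as an added example that is not the poster's code. SecurID's own token algorithm is proprietary, so this uses the open equivalent, HOTP/TOTP (RFC 4226 / RFC 6238: HMAC-SHA1 over a time-step counter, dynamically truncated to 6 digits). The account record, the 4-digit PIN and the seed are constructed for the demo (the seed is the RFC 6238 test-vector key). The check enforces the one-time property by refusing any time step at or before the last accepted one.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class TokenAccount:
    """Constructed server-side record for one user: the token seed, a salted
    hash of the PIN, and the last accepted time step (replay protection)."""

    def __init__(self, seed: bytes, pin: str, salt: bytes = b"demo-salt"):
        self.seed = seed
        self.salt = salt
        self.pin_hash = hashlib.sha256(salt + pin.encode()).digest()
        self.last_step = -1


def check_login(acct: TokenAccount, passcode: str, now: int,
                pin_len: int = 4, step: int = 30, window: int = 1) -> bool:
    """Passcode is PIN followed by the 6-digit token code, as in the post.

    Accepts the current step or one on either side (clock drift), but never
    a step that has already been used, so a captured passcode cannot be replayed.
    """
    pin, code = passcode[:pin_len], passcode[pin_len:]
    pin_ok = hmac.compare_digest(
        hashlib.sha256(acct.salt + pin.encode()).digest(), acct.pin_hash)
    current = now // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= acct.last_step:
            continue  # already consumed: one-time use
        if hmac.compare_digest(hotp(acct.seed, candidate), code) and pin_ok:
            acct.last_step = candidate
            return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 6238 test-vector seed, not a real token
    acct = TokenAccount(seed, "1234")
    print("code at t=59:", totp(seed, 59))
    print("login:", check_login(acct, "1234" + totp(seed, 59), now=59))
    print("replay:", check_login(acct, "1234" + totp(seed, 59), now=59))
```

The PIN hash here is a plain salted SHA-256 to keep the example short; a deployment would use a slow password hash for the PIN and keep the token seeds in an HSM or at least a separately protected store, since anyone holding the seeds can mint codes for every user.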
good luck (Score:5, Interesting)
Then again, this is a university where we basically provide services that faculty request and we don't have the luxury of not using software x because it uses authentication scheme y and we only support authentication scheme z. If you have a situation like this, it isn't that difficult to come up with the glue you need.
use your Thumb and Retina ! (Score:2, Interesting)
If this third number corresponds, give access.
Retina + thumb scan supported under Linux (Unixes) and Windows.
Just a bit steep on the budget part, but damn efficient.
Oh yes. Get at least TWO redundant password / verification servers, if possible one offsite.
Why? Guess 8) A whole company unable to connect because one poor server went dead.
Dont use passwords.... (Score:4, Interesting)
SSH with RSA keys. Change the management problem into the simpler (and more scalable) one of managing RSA public keys on the boxes (which can be automated).
Job jobbed.
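The public-key administration the comment above recommends, as an added example that is not the poster's own tooling. A central inventory maps each admin to a public key and a set of roles, each host to the roles allowed on it, and the script renders that host's authorized_keys file. Before a key is accepted it is validated: the base64 blob must decode, and the key type embedded in the blob (RFC 4253 string encoding) must match the declared type, which catches the truncated or mis-pasted lines that otherwise lock people out. The admin names, roles, hosts and key bytes are all constructed for the demo and are not real keys.

```python
import base64
import binascii
import hashlib
import struct


def make_ed25519_line(pubkey: bytes, comment: str) -> str:
    """Encode a raw 32-byte Ed25519 public key as an authorized_keys line.

    The blob is two RFC 4253 strings (4-byte big-endian length + bytes):
    the key type, then the key itself.
    """
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-ed25519", pubkey))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_key_line(line: str) -> tuple[str, str]:
    """Return (key_type, comment) for a valid public key line, else raise ValueError."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = " ".join(parts[2:])
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as e:
        raise ValueError(f"bad base64: {e}")
    if len(blob) < 4:
        raise ValueError("blob too short")
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("declared type does not match the type inside the blob")
    return ktype, comment


# Constructed inventory. Key bytes are just hashes of the names, NOT real keys.
ADMINS = {
    "alice": {"roles": {"unix", "net"},
              "key": make_ed25519_line(hashlib.sha256(b"alice").digest(), "alice@noc")},
    "bob":   {"roles": {"net"},
              "key": make_ed25519_line(hashlib.sha256(b"bob").digest(), "bob@noc")},
    "carol": {"roles": {"unix"},
              "key": make_ed25519_line(hashlib.sha256(b"carol").digest(), "carol@noc")},
}
HOST_ROLES = {
    "db1.example.com": {"unix"},
    "rtr-core.example.com": {"net"},
}
# Options prepended to every key; forwarding is rarely needed for admin shells.
DEFAULT_OPTIONS = "no-agent-forwarding,no-port-forwarding,no-X11-forwarding"


def build_authorized_keys(admins: dict, host_roles: dict, host: str,
                          options: str = DEFAULT_OPTIONS) -> str:
    """Render the authorized_keys content for `host`: one validated line per
    admin whose roles intersect the host's roles, sorted for stable diffs."""
    allowed = host_roles[host]
    lines = []
    for name in sorted(admins):
        info = admins[name]
        if not (info["roles"] & allowed):
            continue
        parse_key_line(info["key"])  # refuse to ship a broken key
        lines.append(f"{options} {info['key']}")
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    for host in HOST_ROLES:
        print(f"# {host}\n{build_authorized_keys(ADMINS, HOST_ROLES, host)}")
```

The rendered file is what a config-push tool copies to each host; because it is generated from one inventory, removing an admin is a single inventory edit followed by a push, rather than a hunt across every box.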
it's a losing battle (Score:3, Interesting)
NIS... (Score:2, Interesting)
We used to authenticate via NIS+ (before we were purchased and told we were going to LDAP, still waiting after three years, but that's another story...) and I loved it! We were a prepress company with 6 separate locations and several dozen servers scattered throughout the enterprise serving AppleTalk, email, home directories, and data collection. No matter which location you were at, you could use your single login/passwd to log in to any other server, mount your home dir, and go about your business.
It took a bit of end user training (users wanting to save their mail on local drives instead of home directories, among other issues) but it was well adopted, and easy to maintain through Sun's Solstice frontend.
The environment was heterogeneous (Solaris, AIX, IRIX, Linux, NT, Macintosh) and all machines authenticated nicely, with the exception of earlier Windows machines. Had we deployed Samba we would have had an easier time.
Beware the difference between NIS and NIS+: NIS+ was Sun's "updated" version of NIS. NIS is far more open and friendlier than NIS+... the IRIX and Linux boxes preferred plain NIS.
The best benefit was the ease of administering the end users. One entry change propagated through all machines... no more rushing from box to box when someone was getting canned. User can't remember email and filesharing password? No problem.
Want to migrate to LDAP because NIS doesn't have everything you need? No problem with that too, tools exist for easy migration.
Here is the recipe! (Score:1, Interesting)
First, you need a repository for all the authentication and authorization info. Novell eDirectory is the best choice for many reasons. One of the best reasons is because eDirectory can store information that not even the directory admin can access... it's possible to build a system that the admin can't compromise.
Second, you need a variety of ways to access this information. The common ones are PAM modules, direct LDAP calls, redirection modules, NIS redirection, RADIUS, RACF, TACACS+, screen scraping/keyboard stuffing, SecurID interface, and biometric interfaces.
Third, you need a way to synchronize with legacy systems that can't be bypassed using one of the above methods. DirXML is one of the best ways to make this happen.
JC
JWCOMBS@LDAPEXPERTS.COM
The Passphrase Method (Score:4, Interesting)
Use a phrase to generate a suitable password. Try to use a phrase that has something to do with the system. For example, a server at a company office. "This building has 8 floors and 3 elevators" could generate "tbh8fa3e". Not bad. We can improve it by adding caps and some substitution: "TBh8f&3e". Now we have a password with mixed case, alpha-numerics, and non-alpha-numeric characters with a random appearance. And it has meaning to the user in the form of a phrase that can be remembered and repeated to regenerate the password.