Topics: Security, Cloud, Open Source, Software

Ask Slashdot: Open Source Multi-User Password Management?

An anonymous reader writes "I work in a network environment that requires multiple people to have access to numerous Wireless Access Keys, iTunes/iCloud accounts/passwords, hardware appliance logins, etc. I'm attempting to replace the ever popular 'protected' excel spreadsheet that exists in almost every network with all usernames and passwords just waiting to be discovered. Are there any open source, multi-user, secure and preferably Linux-based password management tools that the Slashdot community would recommend?"
  • Wallet (Score:5, Informative)

    by tskirvin ( 125859 ) on Saturday May 12, 2012 @12:01AM (#39976287) Homepage

    Wallet [eyrie.org] is a Kerberos-based secret management tool. It works well for me.

  • KeePassX (Score:5, Informative)

    by Anonymous Coward on Saturday May 12, 2012 @12:02AM (#39976299)

    KeePassX (v1) comes in the Fedora and Ubuntu repositories, and has Windows binaries. You can use simultaneous key and password encryption (if you're worried about keyloggers, or if you have to share the password in an unsafe way). It can also generate passwords of varying complexity.
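The "simultaneous key and password" mode the commenter describes is a composite master key: the password and the key file are hashed separately and then hashed together, so a keylogger that captures only the typed password does not get the key. The block below is an added illustration written for this page; it is not KeePassX or KeePass source code. It follows the KeePass 1.x (.kdb) composite-key rule as commonly documented (password only: SHA-256 of the password; key file only: the key-file key; both: SHA-256 of the two concatenated), with the key-file rule that a file of exactly 32 bytes is used as-is, a 64-character hex file is decoded, and anything else is hashed with SHA-256. UTF-8 password encoding and the sample password and key-file contents are assumptions made here. The per-round AES-ECB key transformation that follows this step in the real format (the "rounds" setting) is deliberately left out.

```python
"""Composite master-key derivation in the KeePass 1.x style.

Added example, not KeePass/KeePassX code. Assumed rules (see lead-in):
  password only -> SHA-256(password)
  key file only -> keyfile_key
  both          -> SHA-256( SHA-256(password) || keyfile_key )
"""
import binascii
import hashlib
import os
from typing import Optional


def keyfile_key(data: bytes) -> bytes:
    """Turn raw key-file contents into the 32-byte key-file key."""
    if len(data) == 32:
        # Exactly 32 bytes: used directly as the key.
        return data
    if len(data) == 64:
        # 64 characters: treated as hex if (and only if) every char is hex.
        try:
            return binascii.unhexlify(data)
        except (binascii.Error, ValueError):
            pass  # not hex: fall through to the generic rule
    # Anything else (a text file, a photo, ...): hash the whole contents.
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile: Optional[bytes]) -> bytes:
    """Combine password and/or key file into the 32-byte composite key."""
    if password is None and keyfile is None:
        raise ValueError("need a password, a key file, or both")
    # UTF-8 encoding of the password is an assumption of this example.
    pw_hash = (hashlib.sha256(password.encode("utf-8")).digest()
               if password is not None else None)
    kf_key = keyfile_key(keyfile) if keyfile is not None else None
    if kf_key is None:
        return pw_hash
    if pw_hash is None:
        return kf_key
    return hashlib.sha256(pw_hash + kf_key).digest()


def make_keyfile() -> bytes:
    """Generate a fresh random 32-byte key file (constructed for the example)."""
    return os.urandom(32)


def keylogger_gets_the_key(password: str, keyfile: bytes) -> bool:
    """Does knowing only the typed password reproduce the composite key?"""
    return composite_key(password, None) == composite_key(password, keyfile)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    kf = make_keyfile()
    print("password only :", composite_key("correct horse", None).hex())
    print("password+file :", composite_key("correct horse", kf).hex())
    print("pw alone enough?", keylogger_gets_the_key("correct horse", kf))
```

With two factors the database cannot be opened from the password alone, but the key file then becomes a secret in its own right: it has to be distributed to each team member over a channel separate from the one the password travels on, and it must not live on the same share as the database.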

  • KeePass (Score:5, Informative)

    by st0nerhat ( 2540360 ) on Saturday May 12, 2012 @12:09AM (#39976355)
    KeePass satisfies all of your criteria:
    • Open Source: It uses an OSI-certified license.
    • Multi-user: You can throw the database on a Samba, NFS, etc. share and it will merge changes between different users that have the DB open at the same time.
    • Secure: Supports multi-factor authentication.
    • Linux-based: Works with Mono.
  • Password Safe (Score:5, Informative)

    by matt-fu ( 96262 ) on Saturday May 12, 2012 @12:55AM (#39976573)
    Out of all of the stuff I've tried for team password management, my favorite is Password Safe. I haven't tried the Linux port but apparently there are a couple: http://passwordsafe.sourceforge.net/relatedprojects.shtml [sourceforge.net] The ONLY reason it beats a GPG encrypted password file is ease of use. Ideally you are hiring people who can deal with GPG but my experience is that it can be a decent learning curve just to get people to not use notepad.
  • We use phpchain at work for this sort of thing. A few hundred accounts for various servers, devices, vendor support accounts, and logins for accounts at companies we work with. All stored securely. Google it if you aren't familiar with it. It has been a huge win for us, and does everything asked for. We even wrote a simple search functionality for it that I think has been rolled into mainline at this point. Certainly better than a plain text file on a shared drive!

    (tried posting this previously, but I wasn't logged in. Trying again now that I have gotten home. Hopefully it is more noticeable now.)

  • SFLvault (Score:5, Informative)

    by anarcat ( 306985 ) on Saturday May 12, 2012 @01:33AM (#39976751) Homepage

    I have been keeping an eye on this project [savoirfairelinux.com] for a while. To quote their description: "SFLvault is a Networked credentials store and authentication manager. It has a client/vault (server) architecture allowing to cryptographically store and organise loads of passwords for different machines and services."

    The design seems sound, and it is a server/client model which seems to fit your "multi-user" requirement well, which isn't fulfilled by any other password manager that I know of. It can also automagically log you into different services like SSH, MySQL or sudo and can do multi-hop.

    The only issue I have found so far is that installing the server component is a bit of a pain (i.e. no Debian package, as opposed to the client side)... but I guess this really depends on the "Linux" environment you are using...

    I have been maintaining a list of FLOSS password managers [koumbit.net] in our public wiki for a while, any suggestions not mentioned there are welcome.

  • Re:Multi-user? (Score:5, Informative)

    by Kalidor ( 94097 ) on Saturday May 12, 2012 @02:06AM (#39976905) Homepage

    This! KeePass2 on a shared drive is how my team does it. A shared database with generic passwords and shared resources, and some of us keep our own DBs with our more accountable user IDs. Because it's got the tabbed feature it's super easy to have both databases available, and with the advanced features available when you dig a little bit deeper into the entries, it's really versatile.

    As the previous poster mentioned it can be run on Mono, and works quite well actually. It also has readers for most cellphone OSes so syncing it to our phones is an option. Being able to access our DB even at a colleague's desk, or when ssh'ing in from my phone has proven to be a real convenience at times.

    I don't think I've seen them claim military grade encryption anywhere, but it's pretty strong. The system also allows you to increase the encryption rounds to suit your taste and tolerance. Much of this hardening however is only partially supported in the 1.x flavours of KeePass.

  • Re:Password Safe (Score:5, Informative)

    by lewko ( 195646 ) on Saturday May 12, 2012 @04:36AM (#39977381) Homepage

    No real surprise. He recommends it because he designed it.

  • Re:Multi-user? (Score:2, Informative)

    by Anonymous Coward on Saturday May 12, 2012 @05:30AM (#39977523)

    This! KeePass2 on a shared drive

    You can go one better than a shared network drive by saving to a URL.
    Specifically, set up a Subversion server with WebDAV enabled. This way you can always go back to an old version if your DB gets corrupted in any way. Subversion hook scripts can be used for implementing a backup plan (we use one to sync our KeePass svn repo to a read-only mirror on a remote site.) The Apache LDAP auth module can be used to control access (this is on top of the actual KeePass DB password).

  • by qubezz ( 520511 ) on Saturday May 12, 2012 @09:17AM (#39978269)

    It sounds like the asker is in an enterprise windows network. What you might use yourself is different from what you replace an Excel spreadsheet with on your company's network.

    I have deployed and administered Network Password Manager [sowsoft.com]. A bland name for a very good Windows-only password manager. It has a real client and server, AES encryption, lets you create a tree of passwords, and access control to different parts of the tree is done with Active Directory, meaning you can let an "accountants" and/or "bookkeepers" group in your directory have read-only access to a tree "financial passwords", and a "managers" group or particular users can have modify or admin access to those passwords. This means you can just update personnel changes in Active Directory instead of having another program where you must update rights for every user. On dismissal, you can review passwords that the user had access to and reset just those apps/sites. Individual users can also have their own tree for their convenience that nobody else can access, although, if I recall, the system admin can see all passwords.

    This degree of rights control is very useful when you run several different programs on your own network with different user accounts, along with vendor account sites (ordering, financial, billing, shipping, etc.) where you have to bend to another company's account and password system, which might give your whole company only one or a few logins.

    For my own stuff, I have text files (both flat and encrypted), passworded Firefox password manager, and Blackberry Password Keeper. A $50 Blackberry (with no SIM card if you have something to hide) makes for a better password device than anything purpose-built you can buy; with encrypted disk storage, encrypted password storage, and no-touch USB backup, it is pretty secure - you can set it to wipe itself if a bad password is entered just three times, it can take different passwords to unlock the device vs getting to password keeper, you can install "decoy" password apps, and there are no biometrics that can bypass protection (showing it a picture of you, or using your removed fingers or eyeballs).
