From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2011-February/002784.html | 213 ++++++++++++++++++++++++ 1 file changed, 213 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2011-February/002784.html (limited to 'zarb-ml/mageia-sysadm/2011-February/002784.html') diff --git a/zarb-ml/mageia-sysadm/2011-February/002784.html b/zarb-ml/mageia-sysadm/2011-February/002784.html new file mode 100644 index 000000000..58401c9f2 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-February/002784.html @@ -0,0 +1,213 @@ + + + + [Mageia-sysadm] Saving and sharing passwords in mageia teams + + + + + + + + + +

[Mageia-sysadm] Saving and sharing passwords in mageia teams

+ nicolas vigier + boklm at mars-attacks.org +
+ Sat Feb 19 02:26:54 CET 2011 +

+
+ +
On Sat, 19 Feb 2011, Buchan Milne wrote:
+
+> On Friday, 18 February 2011 23:45:02 nicolas vigier wrote:
+> > Hello,
+> > 
+> > We often need to register some accounts on various websites for the
+> > Mageia project (domain name registration, twitter, identica, etc ...).
+> > And we need to be able to share the account informations (login and
+> > password) with other people inside teams. So we need something like a
+> > password database, with permissions to restrict access to only some
+> > people or groups of people. We can store this database on Mageia servers,
+> > but I think it should be encrypted, so that root access on the server
+> > does not give access to the passwords.
+> 
+> This is not an uncommon requirement, in my work environment we need to be able 
+> to share the local root passwords (e.g. in case a system administrator needs 
+> to be able to restore something that prevents user logins from working).
+> 
+> However, in work environments, access to privileged passwords may need to be 
+> auditable.
+
+This tool could probably be used also outside Mageia.
+
+> 
+> > I have looked at existing tools, but didn't find one that would allow
+> > us to do this easily. So I'm thinking about writting some scripts to do
+> > it. It would work like this :
+> > 
+> >  - all users first need to upload their gnupg public key in ldap
+> 
+> I was already considering the requirement for GPG public keys in LDAP for 
+> 'privileged user password recovery'. E.g., use the same process as 
+> unprivileged users, but encrypt the key sent to the user with their gpg public 
+> key (providing a second level of authentication - if we consider access to the 
+> mailbox one level).
+
+Good idea !
+
+> I believe there may also an LDAP-based keyserver, which could provide even 
+> more re-use.
+
+A keyserver using LDAP would be nice. If not too difficult to setup.
+
+> 
+> >  - we have a command to create a password on the server, with a list
+> >    of groups/users who can access this password :
+> >     $ mgapassword create passwdname %group1 %group2 user1 user2 ...
+> 
+> Should we leverage existing (e.g. LDAP) groups?
+
+Yes, I think we should use ldap groups.
+
+> >  - a command to save the value of a password :
+> >     $ mgapassword set passwdname < value
+> >       or
+> >     $ mgapassword edit passwdname
+> >  - an other command to retrieve a password :
+> >     $ mgapassword get passwdname
+> >  - a command to list the passwords you can access :
+> >     $ mgapassword list
+> > 
+> > All commands connect to the server using ssh and the ldap account. When
+> > saving a password, the client ask to the server the list of gpg keys of
+> > all users who should have access to the password, then encrypt the
+> > password with all keys and send it encrypted to the server.
+> 
+> Where are the passwords stored?
+
+Stored on the server in encrypted files. Maybe in a database.
+
+> > The command to retrieve a password connect to the server, then the server
+> > sends the password encrypted for the key of the user, which is decrypted
+> > locally using the private gpg key of the user.
+> > 
+> > When new users are added into a group, they cannot access passwords
+> > immediatly (as it is not encrypted for their keys), so someone needs to
+> > retrieve and save the passwords, to encrypt them for the new users.
+> 
+> This general approach was what I was considering for our work environment.
+> 
+> > So, what do you think about this ? Or maybe someone knows existing tools
+> > that can do this ?
+> 
+> I have not seen any I liked.
+> 
+> Our work environment has a basic inventory database (the primary use was to 
+> generate kickstart files), the web front end is in ... Catalyst (and possibly 
+> try and implement a more complete CMDB). My plan was to integrate the CatDap 
+> features into this (using CatalystX::Features maybe). Adding a shared password 
+> module that could be tied into CatDap and our work webapp would also be 
+> interesting to me.
+> 
+> But, for now, a command-line tool would be adequate.
+> 
+> I will look at the LDAP side (schema, ACLs, suoport for adding GPG public key 
+> from CatDap) over the weekend.
+
+Thanks.
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1