[TriLUG] Password Security
flanagannc at gmail.com
Mon Jul 23 21:14:15 EDT 2007
With a decent system you can have a shared password that is only partially
written down, here's how we managed passwords for over a hundred systems
across 6 admins.
All passphrases were a two part deal.
a "magic word" for the site or group of systems, must be 8 characters,
not one word.
This part can be kept in a list in your wallet, system/group and magic
a date, surrounded by dollar signs, i.e.: $17-Nov-1957$
This is communicated around, usually by email, every month when it's
Resulting password: BigCustomerOne$17-Nov-1957$
The two parts of the passphrase are never in the same place.
This scheme worked pretty well, that way you could carry around a list of
two things, with no context, and have the other half of the message in your
head, assemble the full one on demand.
It worked for us....
On 7/23/07, Ron Joffe <rjoffe at yahoo.com> wrote:
> In addition to Linux logins we have a large number of other types of
> usernames/passwords to keep track of. This includes everything from oracle
> logons, vnc passwords, vpn tunnel authentication, Application passwords,
> Windows domain logons, etc etc etc. We work in quite a complex multi
> application environment, and we have 10 completely separate clients to
> The solution we are looking for can not be handled purely by sudo, PAM,
> Although I appreciate the pointers, we are looking for a far wider
> for password management.
> On Monday 23 July 2007 18:53, Andrew C. Oliver wrote:
> > Linux authentication can take place with a series of stackable modules
> > via PAM (http://www.kernel.org/pub/linux/libs/pam/modules.html). There
> > are all manner of modules that could authenticate against some internet
> > accessible server (be careful to encrypt the stream, avoid DNS, etc).
> > You could ask that customers maintain some pam module that uses your
> > directory server (LDAP or otherwise) and your admins could just login
> > using their normal username. They could also be listed in Sudo
> > http://en.wikipedia.org/wiki/Sudo so they could always become root. In
> > fact on Ubuntu, an ever popular linux distribution, you generally create
> > a user account and it has sudo access. You generally don't actually
> > ever type the root password.
> > -Andy
> > Ron Joffe wrote:
> > > On Monday 23 July 2007 14:28, Andrew C. Oliver wrote:
> > >>> Now what do you do when you have to keep a list of passwords sync'd
> > >>> between a set of support technicians ?
> > >>
> > >> This is a REALLY bad idea procedurally to share a set of passwords
> > >> between users if that is what you mean.
> > >
> > > I have 4 people responsible for after hours support on a growing
> > > of client systems. Could you please post your suggestions as to how
> > > all should gain privs on those servers? I have my own ideas, but
> > > then taint your answer, I would like to get a fresh perspective.
> > >
> > > Thanks,
> > >
> > > Ron
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
Doing my part to piss off the religious right.
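As an added illustration of the two-part scheme described at the top of this message (this is example code, not something posted by the author or used by their team), the following Python module assembles and checks passphrases of the form "magic word" + "$DD-Mon-YYYY$". The assumptions are this example's own: the "8 characters" rule is treated as a minimum, "not one word" is interpreted as "not a single same-case run of letters", and a wallet entry is considered safe only if it contains no date token at all, since the post's rule is that the two halves are never written in the same place.

```python
"""Two-part shared passphrase scheme: site magic word + rotating date token.

Added example based on the scheme in the post; the validation rules below
(8-character minimum, 'not one word' check, date token format) are this
example's assumptions, not the original team's documented policy.
"""
import re
from datetime import date

# Fixed English month abbreviations so output does not depend on locale.
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# The rotating half as the post shows it, e.g. $17-Nov-1957$ (assumed format).
DATE_PART = re.compile(r"\$(\d{2})-([A-Z][a-z]{2})-(\d{4})\$")


def format_date_part(d: date) -> str:
    """Render the monthly date token as $DD-Mon-YYYY$."""
    return f"${d.day:02d}-{MONTHS[d.month - 1]}-{d.year}$"


def validate_magic_word(word: str) -> list:
    """Return a list of rule violations; an empty list means the word is acceptable."""
    problems = []
    if len(word) < 8:
        problems.append("magic word must be at least 8 characters")
    # Assumption: a single same-case run of letters counts as 'one word'.
    if word.isalpha() and (word.islower() or word.isupper()):
        problems.append("magic word must not be a single word")
    if DATE_PART.search(word):
        problems.append("magic word must not contain the date part")
    return problems


def assemble_passphrase(magic: str, d: date) -> str:
    """Join the wallet half and the emailed half into the working passphrase."""
    problems = validate_magic_word(magic)
    if problems:
        raise ValueError("; ".join(problems))
    return magic + format_date_part(d)


def split_passphrase(passphrase: str):
    """Recover (magic word, date) from a passphrase, or None if it does not follow the scheme."""
    m = DATE_PART.search(passphrase)
    if not m or m.end() != len(passphrase):
        return None
    day, mon, year = m.groups()
    if mon not in MONTHS:
        return None
    try:
        when = date(int(year), MONTHS.index(mon) + 1, int(day))
    except ValueError:  # e.g. 31-Feb
        return None
    return passphrase[:m.start()], when


def is_current(passphrase: str, current: date) -> bool:
    """True when the passphrase carries the date token currently in circulation."""
    parts = split_passphrase(passphrase)
    return parts is not None and parts[1] == current


def wallet_entry_is_safe(entry: str) -> bool:
    """The wallet list may hold site names and magic words, never a date token."""
    return DATE_PART.search(entry) is None


if __name__ == "__main__":
    # Constructed sample values matching the post's example.
    rotation = date(1957, 11, 17)
    print(assemble_passphrase("BigCustomerOne", rotation))   # BigCustomerOne$17-Nov-1957$
    print(validate_magic_word("password"))                   # rule violations
    print(wallet_entry_is_safe("bigcustomer: BigCustomerOne"))  # True
```

`split_passphrase` and `is_current` are the defender-side checks: they let a script confirm that a passphrase handed around by email still carries the date token for the current rotation, and `wallet_entry_is_safe` catches the mistake the post warns against, both halves ending up on the same piece of paper.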