[119449] in North American Network Operators' Group
Re: Password repository
daemon@ATHENA.MIT.EDU (Bret Clark)
Thu Nov 19 09:26:29 2009
From: Bret Clark <bclark@spectraaccess.com>
To: gordslater@ieee.org
In-Reply-To: <1258639633.13750.77.camel@ub-g-d2>
Date: Thu, 19 Nov 2009 09:25:41 -0500
Cc: NANOG <nanog@nanog.org>
Reply-To: bclark@spectraaccess.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Don't recall if it was mentioned but we use a nice little app called MyPMS
http://lvoware.com/. Put it on an internal system and then people have
to access via a VPN connection to browse into it. That way if a person
is no longer with the company, then their VPN has been turned off and
they don't have access to it anymore. The reason I like the app is it's
OS agnostic for the end user and keeps the data in an SQL DB.
On Thu, 2009-11-19 at 14:07 +0000, gordon b slater wrote:
> On Wed, 2009-11-18 at 20:49 -0800, Darren Bolding wrote:
> > Pwman
>
> ...which has the HUGE advantage of being CLI (so usable over SSH
> sessions from network devices) and has tagging for searching large
> databases of passes. pwman3 is current version. For most OSs.
> I've even used it looped through a multitude of nested VTY+SSH+screen
> sessions - one of which was a Dropbear sshd and client on a $20 plastic
> CPE - to save my sorry *ss
>
> For GUIs:-
> Keepassx for most OSs, and Keepass2.x on MS Windows
> Password Gorilla is a nice one for end-users, most OSs
>
> Bruce's Passwordsafe format is a somewhat de-facto standard for
> import/export. Keepass can do a lot of conversion for you.
> Some shops use rsync to distribute the masters and set them read-only at
> filesystem level, though this tends to preclude regular rotation and
> updating.
>
> Beware that some of the commercial offerings are trivially broken or
> otherwise borked for "work" use. ymmv
>
> Whatever you use dump the file to a flat file (crypted of course) and
> save a statically linked version of the app for those "wow - what
> password app did we use way back in 2001?" moments.
>
> Print a copy every month or so and store securely offsite too - all the
> usual caveats apply. Once you have a super-duper app for them you tend
> to crank the pw complexity up to a level where no-one can remember
> anything nor even recognise regular ones; it's mainly cut and paste,
> especially if you use X.
>
>
> Unless of course, the OP meant RADIUS pulling on LDAP, PAM, etc ?
>
> Gord
>
> --
> rommon 3 > You have reached the gateway of last resort. Abandon hope all
> ye who press enter here
>
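The archival routine Gord describes in the quoted reply (dump the database to an encrypted flat file, keep a statically linked copy of the app that reads it, set the result read-only) as a worked example. This is an added script, not code from the thread or from MyPMS, pwman3, KeePass or Password Safe; it assumes POSIX sh with GNU coreutils, tar and openssl 1.1.1 or later (for the -pbkdf2 option). The file names, the sample export and the placeholder standing in for the static binary are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from any of the tools it names.
# Archives a password-manager flat-file export together with the statically
# linked binary that reads it, encrypts the bundle under a passphrase and
# makes the ciphertext read-only on disk, so a dump from years ago stays
# both decryptable and openable. Assumes POSIX sh plus GNU coreutils, tar and
# openssl 1.1.1+ (for -pbkdf2). File names, the sample export and the
# placeholder binary are constructed for the demo.
set -eu

# archive_bundle DUMP APP OUT PASSPHRASE
# Copies the export and the binary into a scratch dir, writes a SHA-256
# manifest beside them, tars all three, encrypts the tar with AES-256-CBC
# under a PBKDF2-derived key, then chmods the ciphertext 0400.
archive_bundle() {
    dump=$1 app=$2 out=$3 pass=$4
    work=$(mktemp -d)
    cp "$dump" "$work/passwords.dump"
    cp "$app" "$work/pwapp.static"
    (cd "$work" && sha256sum passwords.dump pwapp.static > MANIFEST.sha256)
    tar -C "$work" -cf - passwords.dump pwapp.static MANIFEST.sha256 \
        | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "pass:$pass" -out "$out"
    chmod 0400 "$out"
    rm -rf "$work"
}

# restore_bundle IN PASSPHRASE DEST
# Decrypts and unpacks into DEST, verifies the manifest, and prints the path
# of the restored export. Returns 1 (printing nothing) on a wrong passphrase,
# a corrupted archive or a manifest mismatch.
restore_bundle() {
    in=$1 pass=$2 dest=$3
    mkdir -p "$dest" || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$pass" -in "$in" 2>/dev/null \
        | tar -C "$dest" -xf - 2>/dev/null || return 1
    (cd "$dest" && sha256sum -c MANIFEST.sha256 >/dev/null 2>&1) || return 1
    printf '%s\n' "$dest/passwords.dump"
}

# demo_roundtrip: builds a constructed export and a placeholder binary,
# archives them, checks that a wrong passphrase is rejected, restores with the
# right one and compares. Prints "ok" when the restored export is identical.
demo_roundtrip() {
    tmp=$(mktemp -d)
    # Constructed sample export (plaintext lines, as a flat-file dump would be).
    printf 'router1.example.net\tadmin\tS3cr3t!\nswitch2.example.net\tops\tAn0ther1\n' \
        > "$tmp/export.txt"
    # Placeholder standing in for the statically linked password-manager binary.
    printf '#!/bin/sh\necho placeholder for static pwapp\n' > "$tmp/pwapp"
    archive_bundle "$tmp/export.txt" "$tmp/pwapp" "$tmp/pw-2009-11.tar.enc" 'correct horse'
    if restore_bundle "$tmp/pw-2009-11.tar.enc" 'wrong passphrase' "$tmp/bad" >/dev/null; then
        echo "wrong passphrase accepted"; rm -rf "$tmp"; return 1
    fi
    restored=$(restore_bundle "$tmp/pw-2009-11.tar.enc" 'correct horse' "$tmp/good")
    if [ "$(sha256sum < "$restored")" = "$(sha256sum < "$tmp/export.txt")" ]; then
        echo ok
    else
        echo mismatch
    fi
    rm -rf "$tmp"
}
```

The manifest travels inside the encrypted tar, so a restore that decrypts cleanly but has been tampered with or truncated still fails the checksum step. The 0400 mode is the "set them read-only at filesystem level" part; it does nothing against root, but it stops the routine rsync or editor mishap from overwriting the only copy, and a printed copy kept offsite covers the case where the media itself is gone.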