« Previous 1 2 3 4 Next »
Requirements for centralized password management
Well Secured?
Notifications
Notifications are an essential requirement for access to passwords in emergency password management. Password management solutions that have been developed explicitly for multiuser mode sometimes do not adequately implement this feature. For example, messages related to broken seals are sent only internally in PSE. This means you only see a notification if you are using the program for password management. In general, however, the software is only launched when needed; timely notification of the person responsible is not guaranteed.
Although it is possible to forward all messages sent in PSE to exactly one fixed predetermined email address, a more sensible approach would be to send these email messages to the administrators responsible for the password entries that have been accessed. The Python script shown in Listing 1 does this by reading email from a fixed IMAP account, parsing the messages, and forwarding them to the intended recipient.
Listing 1
Forwarding PSE Messages
001 #!/usr/bin/python
002
003 import imaplib
004 import email
005 import email.mime.text
006 import re
007 import smtplib
008 import pdb
009 import logging
010
011 HOSTNAME = ''
012 USER = ''
013 PASS = ''
014 MAILFROM = ''
015 MAILOUT = ''
016 ADSDOMAIN = ''
017 FOLDER = "INBOX"
018 FOLDERPROCESSED = "INBOX/bearbeitet"
019 FOLDERADMIN = "INBOX/admin"
020 RERECIPIENT = re.compile("^Recipient: (?P<recipient>.+) \(.+$")
021 RESUBJECT = re.compile("^Subject: (?P<subject>.+)$")
022 REUID = re.compile('\d+ \(UID (?P<uid>\d+)\)')
023
024 def send_mail(recipient, subject, text):
025 logging.debug("Sending mail to %s" % recipient )
026 mail = email.mime.text.MIMEText(text, 'html', 'iso-8859-1')
027 mail["Subject"] = subject
028 mail["From"] = MAILFROM
029 mail["To"] = recipient
030 # reduced by error handling
031 smtp = smtplib.SMTP(MAILOUT, port='587')
032 smtp.ehlo()
033 smtp.starttls()
034 smtp.login(USER, PASS)
035 smtp.sendmail(MAILFROM, recipient, mail.as_string())
036 smtp.quit()
037 logging.info("Sent mail to %s" % recipient )
038
039 def move_message(imap, msgid, targetfolder):
040 try:
041 logging.debug("Moving Message %s to folder %s" % ( msgid, targetfolder ))
042 resp, data = imap.fetch(msgid, '(UID)')
043 match = REUID.match(data[0])
044 msguid = match.group('uid')
045 logging.debug("Found UID %s" % ( msguid ))
046 result = imap.uid('COPY', msguid, targetfolder)
047 if result[0] == "OK":
048 mov, data = imap.uid('STORE', msguid , '+FLAGS', '(\Deleted)')
049 logging.debug("Moved Message %s to folder %s" % ( msgid, targetfolder ))
050 else:
051 logging.warn("Moving message failed, result=%s" % str(result))
052 except Exception, e:
053 logging.warn("Exception in move_message: %s" % e)
054
055 def resolve_recipient(user):
056 return "%s@%s" % ( user, ADSDOMAIN)
057
058 def main():
059 logging.basicConfig(level=logging.DEBUG, format='%(asctime)s %(message)s')
060 imap = imaplib.IMAP4_SSL(HOSTNAME)
061 logging.debug("Connected to server %s" % HOSTNAME)
062 imap.login(USER, PASS)
063 logging.debug("Logged in as %s" % USER)
064 imap.select(FOLDER)
065 logging.debug("Changed to folder %s" % FOLDER)
066 resp, msglist = imap.search(None, "ALL")
067 if msglist == ['']:
068 logging.info("No messages found")
069 imap.logout()
070 return 0
071
072 logging.debug("Found %d messages" % len(msglist[0].split(' ')))
073 for msgnum in msglist[0].split(' '):
074 msgnum = int(msgnum)
075 logging.debug("Getting body for ID %d " % msgnum)
076 resp, ((msguid, msgbody), msgflags) = imap.fetch(msgnum, '(RFC822)')
077 try:
078 mimeobj = email.message_from_string(msgbody)
079 except:
080 logging.warn("Could not decode msgnum %d, skipping") % msgnum
081 continue
082
083 # Try parsing the message
084 # Valid mails
085 # - have Subject "New internal password manager message"
086
087 subject = mimeobj["Subject"]
088 if subject == 'New internal password manager message':
089 logging.debug("Message %d has my subject, processing" % msgnum)
090
091 payload = mimeobj.get_payload()
092 recipient = None
093 subject = None
094
095 for line in payload.split("<br>\r\n"):
096 match = RERECIPIENT.match(line)
097 if match:
098 recipient = match.group('recipient')
099
100 match = RESUBJECT.match(line)
101 if match:
102 subject = match.group('subject')
103
104 if recipient and subject:
105 logging.info("Found message to %s: Subject %s" % ( recipient, subject ))
106 if recipient == 'Administrator':
107 move_message(imap, msgnum, FOLDERADMIN)
108 continue
109
110 # Resolve recipient username to a email address
111 rrecipient = resolve_recipient(recipient)
112 logging.debug("Resolved %s to %s" % ( recipient, rrecipient ) )
113 send_mail(rrecipient, subject, payload)
114 move_message(imap, msgnum, FOLDERPROCESSED)
115
116 imap.expunge()
117 imap.logout()
118
119 if __name__ == '__main__':
120 main()
Additionally, the retrieved email messages are archived in a special folder. The script relies on the fact that the email sent by the PSE to a fixed destination address has a predefined structure and thus can be easily parsed to determine the desired target address for the notification.
Security Concerns
Many security concerns voiced by users can be attributed to a subjective feeling of security. For example, you can expect users to be reluctant to store an encrypted and sealed password in a server-based database, where it is exposed to many potential hazards, such as inadequate encryption, a backdoor, a bug in the product, or an attack that provides the ability to launch a remote exploit against the stored data.
In addition to these subjective security concerns, however, administrators must be quite aware that a central place where the majority of passwords and other access permissions are stored really does represent an attractive target for potential attackers. For this reason, it is important to investigate beforehand whether the selected software solution, and the system on which it is operated, meet your own security requirements.
Because you cannot, with any reasonable overhead, investigate closed source solutions for potential vulnerabilities or intentional backdoors, it is helpful to investigate the manufacturer's security track record. Even open source solutions are usually not free of vulnerabilities, though; some projects are so extensive they cannot be analyzed sufficiently just by reading the code. On the other hand, organization-wide password management solutions are a specialized field that is rarely backed by large and exceptionally active open source communities. Thus, it is also advisable to discover what kind of response times the developers have exhibited in cases of disclosures in the past and what kinds of vulnerabilities needed to be fixed.
In their product descriptions, many manufacturers state that password entries are encrypted with the latest and most secure cryptographic algorithms and then stored in the database. Proving this assertion is, however, very difficult or even impossible. Even in open source solutions, validating the implementation takes a great deal of effort.
Note that the encrypted storage of password entries is only one of several important safety modules. At least as important is the reliable implementation of authorization management and authentication options that reflect your protection needs. For example, two-factor authentication prevents an attacker who has shoulder-surfed a user's password from accessing all of that user's password entries.
Deployment and Operation
In general, you will need to integrate the new software solution into your infrastructure. Thus, one important requirement for the password management solution is that you can import existing passwords into the database easily and without too much overhead. During everyday operation, automating the process of loading recently changed passwords into the database can make life much easier.
This aspect, however, is not so easy to implement. For example, it is impossible to script PSE directly, but you can use a CSV import to bring externally created password lists into the tool. However, these are just imported in their current state and with the default permissions for that location. If you want to seal the passwords or assign some other permissions, you need to do this manually – at least in PSE. Similar software products often lack a feature for editing imported passwords automatically.
Life is also easier if the password management software can perform regularly required password changes itself. On one hand, you need a random password generator that can be adapted to the organization-wide policies regarding password complexity. On the other hand, the software must log in to the managed systems and change the existing password, which requires some complex scripting options. For example, changing a root password on a Linux server via an SSH login is not entirely trivial if the root user cannot log in directly using SSH, and you need to use a non-privileged account in combination with sudo to do this.
To keep track of potentially hundreds of stored password entries, structuring options are needed; in most products, these are based on groups using an approach that's comparable to creating folder structures on filesystems. Using these options to organize password entries intuitively and making it easy to find them again can be the subject of long discussions. The organizational structure, broken down by division into departments and operating groups, however, can serve as a basis. Figure 3 shows some services at the LRZ as an example.
Figure 3: A folder structure in PSE for passwords and a new password entry.
Alternatively, you could use a service catalog to which the individual servers are assigned. You might already have naming conventions for DNS entries or structuring for other systems, such as an organization-wide Active Directory that users are familiar with. In any case, the password management software should offer an appropriate search function; ideally, you should be able to define several logical views without needing to store password entries multiple times.
« Previous 1 2 3 4 Next »
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Centralized Password Management
Time and again, situations arise in which admins need access to a system they do not otherwise manage. But, do you want to hand over responsibility for password management to a centralized software? What capabilities must that software have?
-
Lithnet Password Protection for Active Directory
Lithnet Password Protection for Active Directory provides flexible rules beyond that possible with group policies alone and prevents the use of previously compromised passwords. -
Test your system to help fight phishing attacks
The Gophish phishing framework lets you set up your own phishing campaigns to identify vulnerabilities and make users aware of these dangers. -
New versions of the Endian and Sophos UTM solutions
UTM systems combat all kinds of dangers under the policy of Unified Threat Management. The demands and expectations of customers fuel competition. Two of the most popular manufacturers – Endian and Sophos – have now released new versions of their solutions. -
Save money with Samba as the domain controller on a legacy Windows NT-style domain
Samba can act as a PDC or BDC on a Windows NT4-style domain. Compared with a Windows-only solution, Samba saves money on licensing, and users can log in from Linux or OS X.