Requirements for centralized password management

Well Secured?

Notifications

Notifications are an essential requirement for access to passwords in emergency password management. Password management solutions that have been developed explicitly for multiuser mode sometimes do not adequately implement this feature. For example, messages related to broken seals are sent only internally in PSE. This means you only see a notification if you are using the program for password management. In general, however, the software is only launched when needed; timely notification of the person responsible is not guaranteed.

Although it is possible to forward all messages sent in PSE to exactly one fixed predetermined email address, a more sensible approach would be to send these email messages to the administrators responsible for the password entries that have been accessed. The Python script shown in Listing 1 does this by reading email from a fixed IMAP account, parsing the messages, and forwarding them to the intended recipient.

Listing 1: Forwarding PSE Messages

#!/usr/bin/env python3
# Ported to Python 3: "except Exception, e" syntax replaced, the unused pdb
# import dropped, imaplib byte strings decoded, and the broken
# 'logging.warn("...") % msgnum' call (the % was applied to None) fixed.

import email
import email.mime.text
import imaplib
import logging
import re
import smtplib

HOSTNAME = ''
USER = ''
PASS = ''
MAILFROM = ''
MAILOUT = ''
ADSDOMAIN = ''
FOLDER = "INBOX"
FOLDERPROCESSED = "INBOX/bearbeitet"
FOLDERADMIN = "INBOX/admin"
RERECIPIENT = re.compile(r"^Recipient: (?P<recipient>.+) \(.+$")
RESUBJECT = re.compile(r"^Subject: (?P<subject>.+)$")
REUID = re.compile(r'\d+ \(UID (?P<uid>\d+)\)')


def send_mail(recipient, subject, text):
    logging.debug("Sending mail to %s" % recipient)
    mail = email.mime.text.MIMEText(text, 'html', 'iso-8859-1')
    mail["Subject"] = subject
    mail["From"] = MAILFROM
    mail["To"] = recipient
    # error handling omitted for brevity
    smtp = smtplib.SMTP(MAILOUT, port=587)
    smtp.ehlo()
    smtp.starttls()  # switch to TLS before the credentials are sent
    smtp.login(USER, PASS)
    smtp.sendmail(MAILFROM, recipient, mail.as_string())
    smtp.quit()
    logging.info("Sent mail to %s" % recipient)


def move_message(imap, msgid, targetfolder):
    try:
        logging.debug("Moving Message %s to folder %s" % (msgid, targetfolder))
        resp, data = imap.fetch(msgid, '(UID)')
        # imaplib answers with bytes such as b'3 (UID 42)'
        match = REUID.match(data[0].decode('ascii'))
        msguid = match.group('uid')
        logging.debug("Found UID %s" % msguid)
        result = imap.uid('COPY', msguid, targetfolder)
        if result[0] == "OK":
            mov, data = imap.uid('STORE', msguid, '+FLAGS', r'(\Deleted)')
            logging.debug("Moved Message %s to folder %s" % (msgid, targetfolder))
        else:
            logging.warning("Moving message failed, result=%s" % str(result))
    except Exception as e:
        logging.warning("Exception in move_message: %s" % e)


def resolve_recipient(user):
    return "%s@%s" % (user, ADSDOMAIN)


def main():
    logging.basicConfig(level=logging.DEBUG, format='%(asctime)s %(message)s')
    imap = imaplib.IMAP4_SSL(HOSTNAME)
    logging.debug("Connected to server %s" % HOSTNAME)
    imap.login(USER, PASS)
    logging.debug("Logged in as %s" % USER)
    imap.select(FOLDER)
    logging.debug("Changed to folder %s" % FOLDER)
    resp, msglist = imap.search(None, "ALL")
    # the sequence numbers arrive as one byte string, e.g. b'1 2 3'
    msgnums = msglist[0].split()
    if not msgnums:
        logging.info("No messages found")
        imap.logout()
        return 0

    logging.debug("Found %d messages" % len(msgnums))
    for msgnum in msgnums:
        msgnum = msgnum.decode('ascii')
        logging.debug("Getting body for ID %s" % msgnum)
        resp, ((msguid, msgbody), msgflags) = imap.fetch(msgnum, '(RFC822)')
        try:
            mimeobj = email.message_from_bytes(msgbody)
        except Exception as e:
            logging.warning("Could not decode msgnum %s, skipping: %s" % (msgnum, e))
            continue

        # Try parsing the message
        # Valid mails
        # - have Subject "New internal password manager message"

        subject = mimeobj["Subject"]
        if subject == 'New internal password manager message':
            logging.debug("Message %s has my subject, processing" % msgnum)

            # decode the transfer encoding and charset so the body is plain text
            charset = mimeobj.get_content_charset() or 'iso-8859-1'
            payload = mimeobj.get_payload(decode=True).decode(charset, 'replace')
            recipient = None
            subject = None

            for line in payload.split("<br>\r\n"):
                match = RERECIPIENT.match(line)
                if match:
                    recipient = match.group('recipient')

                match = RESUBJECT.match(line)
                if match:
                    subject = match.group('subject')

            if recipient and subject:
                logging.info("Found message to %s: Subject %s" % (recipient, subject))
                if recipient == 'Administrator':
                    move_message(imap, msgnum, FOLDERADMIN)
                    continue

                # Resolve recipient username to an email address
                rrecipient = resolve_recipient(recipient)
                logging.debug("Resolved %s to %s" % (recipient, rrecipient))
                send_mail(rrecipient, subject, payload)
                move_message(imap, msgnum, FOLDERPROCESSED)

    imap.expunge()
    imap.logout()
    return 0


if __name__ == '__main__':
    main()

Additionally, the retrieved email messages are archived in a special folder. The script relies on the fact that the email sent by the PSE to a fixed destination address has a predefined structure and thus can be easily parsed to determine the desired target address for the notification.
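A stand-alone version of the parsing and routing step, added here as an example (not part of Listing 1 or of PSE) and run on a constructed sample message so it can be tested offline. It adds one check Listing 1 lacks: the recipient name taken from the message body is only turned into an address if it looks like a plain account name, because it otherwise lands verbatim in the To: header of the forwarded mail. The body layout, the quoted-printable encoding and the example.invalid domain are assumptions.

```python
import email
import re

PSE_SUBJECT = "New internal password manager message"
RERECIPIENT = re.compile(r"^Recipient: (?P<recipient>.+) \(.+$")
RESUBJECT = re.compile(r"^Subject: (?P<subject>.+)$")
# Only plain account names may become the local part of a forwarding address.
REUSERNAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Constructed sample notification (layout mirrors what Listing 1 parses; the
# quoted-printable encoding and the addresses are assumptions for this example).
SAMPLE_RAW = (
    "From: pse@example.invalid\r\n"
    "Subject: New internal password manager message\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "Recipient: mmuster (M=FCller, Max)<br>\r\n"
    "Subject: Seal broken: srv01 root<br>\r\n"
    "Message: The seal of entry srv01 root was broken.<br>\r\n"
)

def parse_pse_notification(raw):
    """Return (recipient, subject, body) for a PSE message, else None."""
    msg = email.message_from_string(raw)
    if msg["Subject"] != PSE_SUBJECT or msg.is_multipart():
        return None
    # Decode the transfer encoding before splitting: a raw quoted-printable
    # payload still contains '=FC'-style escapes and soft line breaks.
    charset = msg.get_content_charset() or "iso-8859-1"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    recipient = subject = None
    for line in re.split(r"<br>\r?\n", body):
        m = RERECIPIENT.match(line)
        if m:
            recipient = m.group("recipient")
        m = RESUBJECT.match(line)
        if m:
            subject = m.group("subject")
    return (recipient, subject, body) if recipient and subject else None

def route(parsed, adsdomain):
    """Map a parsed notification to ('admin', None), ('forward', address)
    or ('reject', reason); the user name is resolved as in Listing 1."""
    recipient = parsed[0]
    if recipient == "Administrator":
        return "admin", None
    if not REUSERNAME.match(recipient):
        return "reject", "recipient %r is not a plain account name" % recipient
    return "forward", "%s@%s" % (recipient, adsdomain)
```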

Security Concerns

Many security concerns voiced by users can be attributed to a subjective feeling of security. For example, you can expect users to be reluctant to store an encrypted and sealed password in a server-based database, where it is exposed to many potential hazards, such as inadequate encryption, a backdoor, a bug in the product, or an attack that provides the ability to launch a remote exploit against the stored data.

In addition to these subjective security concerns, however, administrators must be quite aware that a central place where the majority of passwords and other access permissions are stored really does represent an attractive target for potential attackers. For this reason, it is important to investigate beforehand whether the selected software solution, and the system on which it is operated, meet your own security requirements.

Because you cannot, with any reasonable overhead, investigate closed source solutions for potential vulnerabilities or intentional backdoors, it is helpful to investigate the manufacturer's security track record. Even open source solutions are usually not free of vulnerabilities, though; some projects are so extensive they cannot be analyzed sufficiently just by reading the code. On the other hand, organization-wide password management solutions are a specialized field that is rarely backed by large and exceptionally active open source communities. Thus, it is also advisable to discover what kind of response times the developers have exhibited in cases of disclosures in the past and what kinds of vulnerabilities needed to be fixed.

In their product descriptions, many manufacturers state that password entries are encrypted with the latest and most secure cryptographic algorithms and then stored in the database. Proving this assertion is, however, very difficult or even impossible. Even in open source solutions, validating the implementation takes a great deal of effort.

Note that the encrypted storage of password entries is only one of several important security components. At least as important is a reliable implementation of authorization management, together with authentication options that reflect your protection needs. For example, two-factor authentication prevents an attacker who has shoulder-surfed a user's password from accessing all of that user's password entries.

Deployment and Operation

In general, you will need to integrate the new software solution into your infrastructure. Thus, one important requirement for the password management solution is that you can import existing passwords into the database easily and without too much overhead. During everyday operation, automating the process of loading recently changed passwords into the database can make life much easier.

This aspect, however, is not so easy to implement. For example, it is impossible to script PSE directly, but you can use a CSV import to bring externally created password lists into the tool. However, these are just imported in their current state and with the default permissions for that location. If you want to seal the passwords or assign some other permissions, you need to do this manually, at least in PSE. Similar software products often lack a feature for editing imported passwords automatically.

Life is also easier if the password management software can perform regularly required password changes itself. On one hand, you need a random password generator that can be adapted to the organization-wide policies regarding password complexity. On the other hand, the software must log in to the managed systems and change the existing password, which requires some complex scripting options. For example, changing a root password on a Linux server via an SSH login is not entirely trivial if the root user cannot log in directly using SSH, and you need to use a non-privileged account in combination with sudo to do this.

To keep track of potentially hundreds of stored password entries, structuring options are needed; in most products, these are based on groups using an approach that's comparable to creating folder structures on filesystems. Using these options to organize password entries intuitively and making it easy to find them again can be the subject of long discussions. The organizational structure, broken down by division into departments and operating groups, however, can serve as a basis. Figure 3 shows some services at the LRZ as an example.

Figure 3: A folder structure in PSE for passwords and a new password entry.

Alternatively, you could use a service catalog to which the individual servers are assigned. You might already have naming conventions for DNS entries or structuring for other systems, such as an organization-wide Active Directory that users are familiar with. In any case, the password management software should offer an appropriate search function; ideally, you should be able to define several logical views without needing to store password entries multiple times.
