Requirements for centralized password management
Well Secured?
Notifications
Notifications are an essential requirement for emergency access to passwords. Password management solutions that have been developed explicitly for multiuser operation sometimes do not implement this feature adequately. For example, PSE delivers messages about broken seals only within the application itself, so you see a notification only while you are running the password management program. In practice, however, the software is launched only when it is needed, so timely notification of the person responsible is not guaranteed.
Although it is possible to forward all messages sent in PSE to exactly one fixed predetermined email address, a more sensible approach would be to send these email messages to the administrators responsible for the password entries that have been accessed. The Python script shown in Listing 1 does this by reading email from a fixed IMAP account, parsing the messages, and forwarding them to the intended recipient.
Listing 1: Forwarding PSE Messages
```python
#!/usr/bin/env python3

import imaplib
import email
import email.mime.text
import re
import smtplib
import logging

HOSTNAME = ''
USER = ''
PASS = ''
MAILFROM = ''
MAILOUT = ''
ADSDOMAIN = ''
FOLDER = "INBOX"
FOLDERPROCESSED = "INBOX/bearbeitet"
FOLDERADMIN = "INBOX/admin"
# PSE writes the target user as "Recipient: <user> (<full name>)"
RERECIPIENT = re.compile(r"^Recipient: (?P<recipient>.+) \(.+$")
RESUBJECT = re.compile(r"^Subject: (?P<subject>.+)$")
REUID = re.compile(r'\d+ \(UID (?P<uid>\d+)\)')

def send_mail(recipient, subject, text):
    logging.debug("Sending mail to %s" % recipient)
    mail = email.mime.text.MIMEText(text, 'html', 'iso-8859-1')
    mail["Subject"] = subject
    mail["From"] = MAILFROM
    mail["To"] = recipient
    # error handling omitted for brevity
    smtp = smtplib.SMTP(MAILOUT, port=587)
    smtp.ehlo()
    smtp.starttls()
    smtp.login(USER, PASS)
    smtp.sendmail(MAILFROM, recipient, mail.as_string())
    smtp.quit()
    logging.info("Sent mail to %s" % recipient)

def move_message(imap, msgid, targetfolder):
    # COPY the message to the target folder, then flag the original as
    # \Deleted; main() expunges the flagged messages once at the end.
    try:
        logging.debug("Moving Message %s to folder %s" % (msgid, targetfolder))
        resp, data = imap.fetch(msgid, '(UID)')
        match = REUID.match(data[0].decode())
        msguid = match.group('uid')
        logging.debug("Found UID %s" % msguid)
        result = imap.uid('COPY', msguid, targetfolder)
        if result[0] == "OK":
            mov, data = imap.uid('STORE', msguid, '+FLAGS', r'(\Deleted)')
            logging.debug("Moved Message %s to folder %s" % (msgid, targetfolder))
        else:
            logging.warning("Moving message failed, result=%s" % str(result))
    except Exception as e:
        logging.warning("Exception in move_message: %s" % e)

def resolve_recipient(user):
    # PSE names the recipient by user name; map it to a mailbox in the AD domain
    return "%s@%s" % (user, ADSDOMAIN)

def main():
    logging.basicConfig(level=logging.DEBUG, format='%(asctime)s %(message)s')
    imap = imaplib.IMAP4_SSL(HOSTNAME)
    logging.debug("Connected to server %s" % HOSTNAME)
    imap.login(USER, PASS)
    logging.debug("Logged in as %s" % USER)
    imap.select(FOLDER)
    logging.debug("Changed to folder %s" % FOLDER)
    resp, msglist = imap.search(None, "ALL")
    if msglist == [b'']:
        logging.info("No messages found")
        imap.logout()
        return 0

    # SEARCH returns one bytes object holding space-separated sequence numbers
    msgnums = msglist[0].decode().split()
    logging.debug("Found %d messages" % len(msgnums))
    for msgnum in msgnums:
        logging.debug("Getting body for ID %s " % msgnum)
        resp, ((msguid, msgbody), msgflags) = imap.fetch(msgnum, '(RFC822)')
        try:
            mimeobj = email.message_from_bytes(msgbody)
        except Exception:
            logging.warning("Could not decode msgnum %s, skipping" % msgnum)
            continue

        # Try parsing the message
        # Valid mails
        # - have Subject "New internal password manager message"

        subject = mimeobj["Subject"]
        if subject == 'New internal password manager message':
            logging.debug("Message %s has my subject, processing" % msgnum)

            payload = mimeobj.get_payload()
            recipient = None
            subject = None

            # PSE separates the lines of the HTML body with <br>\r\n
            for line in payload.split("<br>\r\n"):
                match = RERECIPIENT.match(line)
                if match:
                    recipient = match.group('recipient')

                match = RESUBJECT.match(line)
                if match:
                    subject = match.group('subject')

            if recipient and subject:
                logging.info("Found message to %s: Subject %s" % (recipient, subject))
                if recipient == 'Administrator':
                    move_message(imap, msgnum, FOLDERADMIN)
                    continue

                # Resolve recipient username to an email address
                rrecipient = resolve_recipient(recipient)
                logging.debug("Resolved %s to %s" % (recipient, rrecipient))
                send_mail(rrecipient, subject, payload)
                move_message(imap, msgnum, FOLDERPROCESSED)

    imap.expunge()
    imap.logout()

if __name__ == '__main__':
    main()
```
Processed messages are also moved to a dedicated folder on the IMAP server. The script relies on the fact that the email PSE sends to the fixed destination address has a predefined structure and can therefore be parsed easily to determine the intended target address for the notification.
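The parsing step described above, isolated so it can be run offline, as an added example that is not part of the article's Listing 1: it extracts recipient and subject from a PSE-style body and resolves the user name to a mailbox only if the name is a plain account name, so a body line cannot redirect the notification outside the AD domain. The domain value and the sample body are constructed for this example.

```python
import re

# Constructed values: the real script reads ADSDOMAIN from its configuration.
ADSDOMAIN = "example.org"
RERECIPIENT = re.compile(r"^Recipient: (?P<recipient>.+) \(.+$")
RESUBJECT = re.compile(r"^Subject: (?P<subject>.+)$")
# Account names may only contain characters that cannot alter the mailbox address.
VALIDUSER = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample of the body layout Listing 1 expects (lines end in <br>\r\n).
SAMPLE_BODY = ("New message from the password manager<br>\r\n"
               "Recipient: jdoe (John Doe)<br>\r\n"
               "Subject: Seal broken on entry db-prod-root<br>\r\n"
               "Seal of entry db-prod-root was broken by asmith.<br>\r\n")

def parse_notification(payload):
    """Return (recipient, subject) from the body; None for a field that is missing."""
    recipient = subject = None
    for line in payload.split("<br>\r\n"):
        m = RERECIPIENT.match(line)
        if m:
            recipient = m.group("recipient")
        m = RESUBJECT.match(line)
        if m:
            subject = m.group("subject")
    return recipient, subject

def resolve_recipient(user, domain=ADSDOMAIN):
    """Map a PSE user name to a mailbox in the AD domain; refuse names that
    could carry an address of their own (for example containing '@' or spaces)."""
    if user is None or not VALIDUSER.match(user):
        return None
    return "%s@%s" % (user, domain)

def route(payload):
    """Decide what happens to a notification: ('admin', None) goes to the admin
    folder, ('mail', address) is forwarded, ('skip', None) was not parsed safely."""
    recipient, subject = parse_notification(payload)
    if recipient is None or subject is None:
        return ("skip", None)
    if recipient == "Administrator":
        return ("admin", None)
    address = resolve_recipient(recipient)
    return ("mail", address) if address else ("skip", None)
```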
Security Concerns
Many security concerns voiced by users can be attributed to a subjective feeling of security. For example, you can expect users to be reluctant to store an encrypted and sealed password in a server-based database, where it is exposed to many potential hazards, such as inadequate encryption, a backdoor, a bug in the product, or a remotely exploitable flaw that gives an attacker access to the stored data.
In addition to these subjective security concerns, however, administrators must be quite aware that a central place where the majority of passwords and other access permissions are stored really does represent an attractive target for potential attackers. For this reason, it is important to investigate beforehand whether the selected software solution, and the system on which it is operated, meet your own security requirements.
Because you cannot, with any reasonable overhead, investigate closed source solutions for potential vulnerabilities or intentional backdoors, it is helpful to investigate the manufacturer's security track record. Even open source solutions are usually not free of vulnerabilities, though; some projects are so extensive they cannot be analyzed sufficiently just by reading the code. On the other hand, organization-wide password management solutions are a specialized field that is rarely backed by large and exceptionally active open source communities. Thus, it is also advisable to discover what kind of response times the developers have exhibited in cases of disclosures in the past and what kinds of vulnerabilities needed to be fixed.
In their product descriptions, many manufacturers state that password entries are encrypted with the latest and most secure cryptographic algorithms and then stored in the database. Proving this assertion is, however, very difficult or even impossible. Even in open source solutions, validating the implementation takes a great deal of effort.
Note that the encrypted storage of password entries is only one of several important security building blocks. At least as important is a reliable implementation of authorization management, along with authentication options that reflect your protection needs. For example, two-factor authentication prevents an attacker who has shoulder-surfed a user's password from accessing all of that user's password entries.
Deployment and Operation
In general, you will need to integrate the new software solution into your infrastructure. Thus, one important requirement for the password management solution is that you can import existing passwords into the database easily and without too much overhead. During everyday operation, automating the process of loading recently changed passwords into the database can make life much easier.
This aspect, however, is not so easy to implement. For example, it is impossible to script PSE directly, but you can use a CSV import to bring externally created password lists into the tool. However, these are just imported in their current state and with the default permissions for that location. If you want to seal the passwords or assign some other permissions, you need to do this manually – at least in PSE. Similar software products often lack a feature for editing imported passwords automatically.
Life is also easier if the password management software can perform regularly required password changes itself. On one hand, you need a random password generator that can be adapted to the organization-wide policies regarding password complexity. On the other hand, the software must log in to the managed systems and change the existing password, which requires fairly complex scripting options. For example, changing a root password on a Linux server via an SSH login is not entirely trivial if the root user cannot log in directly using SSH, and you need to use a non-privileged account in combination with sudo to do this.
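The two halves of the rotation step above, as an added example that is not code from the article or from any of the products it discusses: a generator driven by a complexity policy, and a hypothetical SSH-plus-sudo rotation that passes the new root password on stdin. The policy values, host and account names are assumptions, and the rotation function assumes the unprivileged account may run chpasswd via sudo without a password prompt.

```python
import secrets
import string
import subprocess

# Assumed complexity policy; adapt length and character classes to your own rules.
POLICY = {
    "length": 20,
    "classes": {  # every class must occur at least once
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": "!#%+,-./:=?@_",
    },
}

def complies(password, policy=POLICY):
    """True if the password meets the minimum length and contains every required class."""
    if len(password) < policy["length"]:
        return False
    return all(any(c in chars for c in password) for chars in policy["classes"].values())

def generate_password(policy=POLICY):
    """Draw candidates from the CSPRNG until one satisfies the policy (rejection sampling)."""
    alphabet = "".join(policy["classes"].values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if complies(candidate, policy):
            return candidate

def chpasswd_line(user, password):
    """Build the 'user:password' line chpasswd reads from stdin.
    chpasswd splits on the first colon only, so the password itself may contain one."""
    if ":" in user or "\n" in user or "\n" in password:
        raise ValueError("user name must not contain ':' or newline; password no newline")
    return "%s:%s\n" % (user, password)

def rotate_root_password(host, admin_user, new_password):
    """Hypothetical rotation: log in as the unprivileged admin account and run
    chpasswd via sudo. The secret travels on stdin, so it never appears in argv,
    in the process list, or in shell history. Assumes sudo needs no password here."""
    cmd = ["ssh", "-o", "BatchMode=yes", "%s@%s" % (admin_user, host),
           "sudo", "-n", "chpasswd"]
    result = subprocess.run(cmd, input=chpasswd_line("root", new_password).encode(),
                            capture_output=True)
    return result.returncode == 0
```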
To keep track of potentially hundreds of stored password entries, structuring options are needed; in most products, these are based on groups using an approach that's comparable to creating folder structures on filesystems. Using these options to organize password entries intuitively and making it easy to find them again can be the subject of long discussions. The organizational structure, broken down by division into departments and operating groups, however, can serve as a basis. Figure 3 shows some services at the LRZ as an example.
Alternatively, you could use a service catalog to which the individual servers are assigned. You might already have naming conventions for DNS entries or structuring for other systems, such as an organization-wide Active Directory that users are familiar with. In any case, the password management software should offer an appropriate search function; ideally, you should be able to define several logical views without needing to store password entries multiple times.