From: John Brightwell <[EMAIL PROTECTED]>

Mmmm I must be phrasing my question badly... The majority of responses seem to suggest storing All the passwords in a file (or database) protected by a shared password. As I mentioned in my email this isn't suitable because
1. Anyone who requires access to the file/database for a specific purpose has access to All of the passwords (even if they never need to know them)... so, if they leave the company All the passwords need to be changed.
That's why several of the people suggested having separate databases for each admin.
2. There's no audit trail to indicate who has had access to the passwords - the access is provided by a single password known to all the Admins ... (and anyone else who gets to hear of it). So if someone leaves the company you have to assume they've seen the passwords and change them all.
3. If the password for access to the file/database becomes known (or if it's even suspected that it's known) then All the passwords have to be changed.
As you can see, in all of the above cases there's a lot of admin involved. If you're a small shop with only a couple of Admins who need to access all equipment then maybe this isn't an issue. But if you've got a lot of admins (who each require access to a varied group of equipment) then you've got a problem on your hands. Sure you could have a different file/database for each group of equipment but some Admins may require access to the lot...so do they have to remember the password for every password file/database ... or do you have the same password in multiple files/databases (in which case updating becomes an issue).
So what I hoped for was:
- A multi-user database
- The user (admin) uniquely authenticates to the database (with their own password or, preferably, their ssh key or SecurID token)
- The user can only access specific records (passwords) which relate to the equipment for which they have responsibility.
- Every access creates an audit trail showing who accessed a specific record.
- Obviously the actual data is protected by encryption
If a password is changed on the equipment it is only changed in the one database (and the audit trail can even be used to notify those users who have recently accessed the old password).
If a user (admin) leaves, then any passwords for which they have access should be changed (from the audit trail the actual passwords that they have looked up can be identified and these can be changed as a priority)
If it is suspected that a user's authentication has become compromised then only those passwords for which he/she has access need be changed (and the exposure of risk is limited to those machines)
Thom's response caught the flavour and maybe that's the solution - in effect giving each admin their own database for the passwords that they need to know. Of course, you lose the audit and the ability to update passwords easily but it's certainly closer than a shared file.
Thanks for all your responses though - if anyone comes up with a database solution I'm gagging to hear :-)
Sounds like you're going to have to create something. You're probably going to have to write a custom app, perhaps a MySQL + Perl/Tk combo would do the trick? Perl has some pretty easy to use encryption modules, should be fairly simple to set up what you're looking for, probably less than a week of coding by one of your staff.
Chris Berry [EMAIL PROTECTED]
Systems Administrator
JM Associates

"The number of the beast - vi vi vi." --Delexa Jones
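As an added illustration (not code from either poster), here is a sketch of the multi-user store John describes, along the lines of the custom MySQL + Perl app Chris suggests: per-admin grants on individual equipment records, an audit row for every lookup (including denied ones), and rotate/offboard routines that use the audit trail to scope which passwords actually need changing. It uses Python's standard sqlite3 so it runs stand-alone; the table and function names, the hosts and the secrets are constructed for the example. Authentication of the admin (ssh key, token) and encryption of the secret column are assumed to be handled outside this sketch.

```python
"""Per-admin password store with ACLs and an audit trail (added example).

Assumptions: the caller has already authenticated the admin by ssh key or
token (so `admin` is a trusted identity string), and in production the
`secret` column holds ciphertext written by a vetted library, not plaintext.
"""
import sqlite3
import time

SCHEMA = """
CREATE TABLE admins  (name TEXT PRIMARY KEY);
CREATE TABLE devices (host TEXT PRIMARY KEY,
                      secret TEXT NOT NULL,        -- ciphertext in production
                      version INTEGER NOT NULL);   -- bumped on every rotation
CREATE TABLE acl     (admin TEXT NOT NULL REFERENCES admins(name),
                      host  TEXT NOT NULL REFERENCES devices(host),
                      PRIMARY KEY (admin, host));
CREATE TABLE audit   (ts REAL NOT NULL, admin TEXT NOT NULL, host TEXT NOT NULL,
                      version INTEGER, action TEXT NOT NULL);
"""


class PasswordStore:
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript(SCHEMA)

    def _audit(self, admin, host, action, version=None):
        self.db.execute("INSERT INTO audit VALUES (?,?,?,?,?)",
                        (time.time(), admin, host, version, action))

    def add_admin(self, name):
        self.db.execute("INSERT INTO admins VALUES (?)", (name,))

    def add_device(self, host, secret):
        self.db.execute("INSERT INTO devices VALUES (?,?,1)", (host, secret))

    def grant(self, admin, host):
        self.db.execute("INSERT INTO acl VALUES (?,?)", (admin, host))
        self._audit(admin, host, "grant")

    def lookup(self, admin, host):
        """Return the secret only if an ACL row exists; audit either outcome."""
        row = self.db.execute(
            "SELECT d.secret, d.version FROM devices d JOIN acl ON acl.host = d.host "
            "WHERE d.host = ? AND acl.admin = ?", (host, admin)).fetchone()
        if row is None:
            self._audit(admin, host, "denied")
            raise PermissionError(f"{admin} is not entitled to {host}")
        secret, version = row
        self._audit(admin, host, "read", version)   # which version was seen
        return secret

    def rotate(self, host, new_secret):
        """Change the secret in the one place it lives; return the admins who
        read the old version so they can be notified."""
        (old_version,) = self.db.execute(
            "SELECT version FROM devices WHERE host=?", (host,)).fetchone()
        readers = sorted(r[0] for r in self.db.execute(
            "SELECT DISTINCT admin FROM audit WHERE host=? AND action='read' AND version=?",
            (host, old_version)))
        self.db.execute("UPDATE devices SET secret=?, version=version+1 WHERE host=?",
                        (new_secret, host))
        self._audit("system", host, "rotate", old_version + 1)
        return readers

    def offboard(self, admin):
        """Revoke every grant; return (hosts whose current secret the admin
        actually read -> rotate first, other entitled hosts -> rotate next)."""
        seen = sorted(r[0] for r in self.db.execute(
            "SELECT DISTINCT a.host FROM audit a JOIN devices d "
            "ON a.host = d.host AND a.version = d.version "
            "WHERE a.admin=? AND a.action='read'", (admin,)))
        entitled = {r[0] for r in self.db.execute(
            "SELECT host FROM acl WHERE admin=?", (admin,))}
        self.db.execute("DELETE FROM acl WHERE admin=?", (admin,))
        self._audit(admin, "*", "offboard")
        return seen, sorted(entitled - set(seen))

    def audit_trail(self):
        return self.db.execute(
            "SELECT admin, host, action FROM audit ORDER BY rowid").fetchall()


def demo():
    """Constructed scenario: three admins, two devices, one leaver."""
    s = PasswordStore()
    for a in ("alice", "bob", "carol"):
        s.add_admin(a)
    s.add_device("fw-edge-1", "constructed-secret-1")   # constructed sample values
    s.add_device("db-core-2", "constructed-secret-2")
    s.grant("alice", "fw-edge-1")
    s.grant("alice", "db-core-2")
    s.grant("bob", "fw-edge-1")
    results = {"alice_reads": s.lookup("alice", "fw-edge-1")}
    s.lookup("alice", "db-core-2")
    try:
        s.lookup("carol", "fw-edge-1")        # carol has no grant
        results["carol_denied"] = False
    except PermissionError:
        results["carol_denied"] = True
    results["notify_on_rotate"] = s.rotate("fw-edge-1", "constructed-secret-1-rotated")
    results["bob_reads_new"] = s.lookup("bob", "fw-edge-1")
    results["offboard_alice"] = s.offboard("alice")
    results["audit"] = s.audit_trail()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The version column is what makes the audit trail useful for the two follow-up cases John raises: on rotation, only admins who read the outgoing version get notified, and on offboarding, the hosts whose current secret the leaver actually looked up are listed ahead of the ones they were merely entitled to.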
