Security Basics mailing list archives

RE: AW: Multi-User Access to Password Database


From: "D N Vaidya" <dnvaidya () rilinfo net>
Date: Thu, 24 Jul 2003 09:22:55 +0530

Hi Friends,
As we are also using thousands of servers, we use one method to
generate the password of each server. That method is given to all authorised
persons. The method is based on the IP address of the server. But the drawback of this
system is that everybody in that group who knows the method to generate the password
can access any server. A user-group-wise credentials system is not possible in
this way.

Method example: say the IP of the server is 12.12.13.14; then we can concentrate on the
last octet, because generally only that part is unique for that machine. In
this case 14 is the last octet. Now we can represent 14 in various formats
as a password for that machine, e.g. consider 014, now take the ASCII equivalent of
these digits and use that as the password; also we can add the first octet at the end
of the ASCII sequence.

Hope this will help you.

Sincerely,
D.N.Vaidya
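An added editorial example, not part of the post above, modelling the derivation just described in Python. It assumes one reading of the instructions: "ASCII equivalent of these digits" is taken as the decimal ASCII code of each digit character of the zero-padded last octet, with the first octet appended. Besides deriving a host's password, the block enumerates everything the scheme can produce, which is exactly what anyone who learns the method can do:

```python
"""Model of the IP-derived password scheme described in the post above.

Interpretation (an assumption, not stated in the post): "ascii equivalent
of these digits" means the decimal ASCII code of each digit character of
the zero-padded last octet, and the first octet is appended to that.
"""
import ipaddress


def derive_password(ip: str) -> str:
    """Derive the password for a host from its IPv4 address.

    12.12.13.14 -> last octet 14 -> "014" -> ASCII codes 48,49,52
    -> "484952" -> append first octet "12" -> "48495212"
    """
    addr = ipaddress.IPv4Address(ip)          # raises on a malformed address
    first, _, _, last = str(addr).split(".")
    padded = f"{int(last):03d}"               # 14 -> "014"
    ascii_part = "".join(str(ord(ch)) for ch in padded)
    return ascii_part + first


def candidate_passwords(first_octet: int) -> list[str]:
    """Every password the scheme can produce for hosts sharing a first octet.

    Only the last octet (0..255) varies in the derivation, so the complete
    candidate list for a given first octet has at most 256 entries.
    """
    return [derive_password(f"{first_octet}.0.0.{last}") for last in range(256)]


def guesses_needed(ip: str) -> int:
    """1-based position of ip's password in an attacker's candidate list,
    i.e. how many attempts someone who knows the method needs."""
    first = int(ip.split(".")[0])
    return candidate_passwords(first).index(derive_password(ip)) + 1


if __name__ == "__main__":
    print(derive_password("12.12.13.14"))
    print(len(set(candidate_passwords(12))), "distinct passwords for 12.x.x.x")
    print(guesses_needed("12.12.13.14"), "guesses needed for 12.12.13.14")
```

Because only the first and last octets enter the derivation, derive_password returns the same string for 12.12.13.14 and 12.99.99.14, and for a given first octet there are exactly 256 possible passwords, so candidate_passwords recovers any host's password in at most 256 attempts. The reading of the ASCII step is an assumption; a different reading changes the strings but not the size of the candidate set.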


-----Original Message-----
From: Birl [mailto:sbirl () temple edu]
Sent: Tuesday, July 15, 2003 9:33 PM
To: security-basics () securityfocus com
Subject: Re: AW: Multi-User Access to Password Database


As it was written on Jul 14, thus John Brightwell spake unto Meidinger...:

John:  Date: Mon, 14 Jul 2003 18:51:02 +0100 (BST)
John:  From: "[iso-8859-1] John Brightwell" <brightwell_151 () yahoo co uk>
John:  To: Meidinger Chris <chris.meidinger () badenit de>,
John:       security-basics () securityfocus com
John:  Subject: Re: AW: Multi-User Access to Password Database
John:
John:  We have a large number of systems each requiring a
John:  different password and I don't expect the sys admins
John:  to be able to remember them all (That's probably 100+
John:  passwords when you take into account network equipment
John:  as well as unix and windows boxes - and that doesn't
John:  include all the desktop machines).
John:
John:  Faced with having to remember that many passwords, and
John:  bearing in mind that some systems might not be used on
John:  a daily basis, I think it's expecting a bit much for
John:  the Admins to keep them all in their heads! There's a
John:  danger that they will write down the less used
John:  passwords or maybe they'll reuse passwords across
John:  multiple systems or they'll use easy to guess
John:  passwords (you can be certain there will be a
John:  disincentive to expire the passwords after x months)
John:
John:  I can't see this Board Member being very impressed
John:  with the constant interruption. This would possibly be
John:  more appropriate for a DR solution for password
John:  access. Although I'd perhaps avoid using a very senior
John:  manager or Board member. IMO you need someone senior
John:  enough to be trusted, yet accountable enough not to
John:  ignore the procedures around access to the passwords -
John:  perhaps HR or Legal...but that's another debate.
John:
John:  For what I require - ongoing access to passwords - it
John:  really needs to be a system solution
John:
John:  I suspect that you are talking from the perspective of
John:  a small company - in which case you may have
John:  relatively few systems.
John:
John:  I'm sure there must be products that do this - I was
John:  just hoping that someone listening in on this thread
John:  might have done it before.
John:
John:  Thanks Anyway
John:
John:   --- Meidinger Chris <chris.meidinger () badenit de> wrote:
John:  > Hi John,
John:  >
John:  > how often do these people need to learn new
John:  > passwords?
John:  >
John:  > Most companies that i have been involved with have
John:  > one super-person (usually
John:  > something close to a board member - or in German
John:  > often the Prokurist, no
John:  > idea what that title is called in English) who keeps
John:  > the list and gives
John:  > passwords out on a need to know basis.
John:  >
John:  > There are, in my opinion, many advantages to having
John:  > a human factor in the
John:  > equation rather than relying on machines.
John:  >
John:  > badenIT GmbH
John:  > System Support
John:  >
John:  > Chris Meidinger
John:  > Tullastrasse 70
John:  > 79108 Freiburg
John:  >
John:  >
John:  >
John:  > Dear All
John:  >
John:  > Looking through the archive of security newsgroups
John:  > and
John:  > mailing lists it looks as though there have been a
John:  > few
John:  > threads related to personal storage of passwords.
John:  >
John:  > Typically this results in a file or index of
John:  > passwords
John:  > encrypted and protected by a single password.
John:  >
John:  > I need to store a number of passwords and these must
John:  > be available to a group of support personnel and
John:  > engineers.
John:  >
John:  > 1. I don't want to have a single shared password to
John:  > access this data because it gets widely known and
John:  > abused (it's also impossible then to identify who is
John:  > accessing the information)
John:  >
John:  > 2. I want to be able to identify the person
John:  > requesting
John:  > the information so that an audit trail can be
John:  > produced
John:  > (useful to get an idea who knows each password) and
John:  > so
John:  > that only a subset of the passwords are available to
John:  > that user (determined by their need to access the
John:  > equipment)
John:  >
John:  > 3. The database used must securely encrypt the
John:  > password information
John:  >
John:  > I don't particularly want to burden the support staff
John:  > with yet another password, so ideally it would be good
John:  > to use one of the current methods of authentication
John:  > that we use.
John:  > We use ssh so the authentication to the database can
John:  > be based on the ssh private key.
John:  > We use SecurID so the authentication can be based on
John:  > the token (I prefer this one ... it also seems more
John:  > likely than ssh-key based).
John:  >
John:  > Can anyone think of a likely application ... how do
John:  > you store your system passwords?
John:  >
John:  > It doesn't have to be freeware/open source (I've got
John:  > limited coding ability and even more limited time so I
John:  > don't fancy starting from scratch) ... although I
John:  > guess I'd need to be fairly certain that there are no
John:  > backdoors coded into the application (a reputable
John:  > source perhaps)


I typically store my personal passwords in a plain text file located
inside of a PGPDisk.  The PGPDisk is 1024 kilobytes in size and
formatted as FAT.


This way:
* The passwords are encrypted
* Only 1 password needs to be remembered -- to unlock the PGPDisk
* Small enough to fit on a floppy and lock it away.


Thanks

 Scott Birl                              http://concept.temple.edu/sysadmin/
 Senior Systems Administrator            Computer Services   Temple University
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
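The three requirements in John Brightwell's quoted post (no single shared password, an audit trail that shows who has read which password and restricts each user to a subset, and encrypted storage) sketch a small system. What follows is an added editorial example, not code from any product or from anyone in this thread, modelling the first two requirements with the Python standard library. Every name in it (PasswordStore, AccessDenied, the users alice and bob, the systems core-router and billing-db, the audit key) is made up for the example; the caller-supplied username stands in for the SSH-key or SecurID authentication the post asks for, and encryption at rest (requirement 3) is deliberately not modelled here.

```python
"""Per-user access to a subset of stored passwords with a tamper-evident
audit trail.  Added example; identity is assumed to be established by the
caller (the post wants SSH keys or SecurID), and the secrets are held in
memory, so encryption at rest is out of scope for this block."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass
class PasswordStore:
    audit_key: bytes                                 # held by the auditor, not by users
    secrets: dict = field(default_factory=dict)      # system -> password
    acl: dict = field(default_factory=dict)          # user -> set of systems
    audit: list = field(default_factory=list)        # hash-chained audit records

    def _append_audit(self, record: dict) -> None:
        # Each record carries the MAC of its predecessor, so deleting or
        # altering any entry breaks the chain from that point on.
        prev = self.audit[-1]["mac"] if self.audit else ""
        entry = {**record, "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        mac = hmac.new(self.audit_key, body, hashlib.sha256).hexdigest()
        self.audit.append({**entry, "mac": mac})

    def readable_systems(self, user: str) -> list:
        """The subset of systems this user may read (requirement 2)."""
        return sorted(s for s in self.acl.get(user, set()) if s in self.secrets)

    def get_password(self, user: str, system: str) -> str:
        granted = system in self.acl.get(user, set()) and system in self.secrets
        # Every request is recorded, denied ones included, so the log answers
        # both "who has read this password" and "who tried to".
        self._append_audit({"ts": time.time(), "user": user,
                            "system": system, "granted": granted})
        if not granted:
            raise AccessDenied(f"{user} is not allowed to read {system}")
        return self.secrets[system]

    def who_knows(self, system: str) -> set:
        """Users who have successfully read a given password."""
        return {r["user"] for r in self.audit if r["system"] == system and r["granted"]}

    def verify_audit(self) -> bool:
        """Recompute the chain; False if any record was altered or removed."""
        prev = ""
        for r in self.audit:
            if r["prev"] != prev:
                return False
            body = json.dumps({k: v for k, v in r.items() if k != "mac"},
                              sort_keys=True).encode()
            expected = hmac.new(self.audit_key, body, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, r["mac"]):
                return False
            prev = r["mac"]
        return True


def build_demo_store() -> PasswordStore:
    """Constructed sample data; every name and secret here is made up."""
    store = PasswordStore(audit_key=b"auditor-only-key")
    store.secrets.update({"core-router": "Rtr!7kq", "billing-db": "Db#p0lx"})
    store.acl.update({"alice": {"core-router", "billing-db"},
                      "bob": {"core-router"}})
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.get_password("alice", "billing-db"))
    try:
        store.get_password("bob", "billing-db")
    except AccessDenied as exc:
        print("denied:", exc)
    print("knows billing-db:", store.who_knows("billing-db"))
    print("audit intact:", store.verify_audit())
```

The audit key belongs to whoever reviews the log, not to the users who read passwords; a user who could recompute MACs could also rewrite history. In a real deployment the record would also be written somewhere the reading user cannot reach, and the secrets dictionary would live in an encrypted store unlocked per session, which is the part of the post's wish list this block leaves out.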





