[unisog] Admin Password Management

Marc Wallman mwallman at rutabaga.cc.ndsu.nodak.edu
Wed Feb 23 15:01:11 GMT 2005


On Tue, 22 Feb 2005, Chris Green wrote:

> How do people ensure that admin passwords stay up to date, especially as
> part of restoration procedures?  The popular method here has been to have a
> text file per group delivered to a safe with Director level access.  The big
> problem with this is auditing the passwords and ensuring that everyone
> coughs up the goods each round of change.
>
> http://www.e-dmzsecurity.com/par.html seems like an interesting idea.  Not
> sure I'd trust a new webapp enough to perform this function.
>
> Does anyone have solutions in place other than a cron job reminder to
> administrators? :)

We use GNU Privacy Guard to encrypt text files with admin
passwords. The files are encrypted with the public keys of
only those system administrators who need access. We keep one file
per host. The file contains passwords for both system accounts and
accounts within applications (e.g. databases). We have developed
some scripts to make it easy to encrypt/decrypt these files with
all the necessary keys. I can provide more information if people are
interested.

Our policies state that sysadmins need to update these files
whenever a password changes. I follow up on this during weekly
meetings to be sure that any maintenance that involves a password
change results in these files getting updated.
-- 

Marc Wallman
Senior Systems Administrator
Information Technology Services
North Dakota State University
Marc.Wallman at ndsu.edu
(701) 231-7168
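
Added example, not part of the original post and not the scripts it mentions: one way to keep a per-host password file encrypted to only the admins listed for that host, using gpg's multi-recipient encryption. The host names, user IDs, map format and function names are constructed assumptions.

```sh
#!/bin/sh
# Per-host password files, each encrypted to the public keys of only
# the admins who need that host. All names below are constructed.

# host:comma-separated GnuPG user IDs (constructed sample map)
admin_map() {
cat <<'EOF'
db1.example.org:alice@example.org,bob@example.org
web1.example.org:alice@example.org,carol@example.org
old1.example.org:
EOF
}

# Print one "--recipient <id>" line per admin of host $1.
# Fails for an unknown host or an empty admin list, so the caller never
# falls back to a default key or an unintended recipient set.
recipient_args() {
  admin_map | (
    set -f                      # no globbing while splitting on commas
    while IFS=: read -r h admins; do
      [ "$h" = "$1" ] || continue          # exact host match only
      [ -n "$admins" ] || exit 1
      IFS=,
      for a in $admins; do printf '%s %s\n' --recipient "$a"; done
      exit 0
    done
    exit 1
  )
}

# Encrypt plaintext file $2 for host $1, writing <host>.asc.
encrypt_host_file() {
  args=$(recipient_args "$1") || {
    echo "no admins listed for $1; refusing to encrypt" >&2
    return 1
  }
  # $args is split on purpose; the user IDs contain no whitespace.
  gpg --batch --yes --armor --encrypt $args --output "$1.asc" "$2"
}

# Usage: sh thisfile encrypt db1.example.org db1-passwords.txt
if [ "${1:-}" = "encrypt" ]; then
  encrypt_host_file "$2" "$3"
fi
```

Any listed admin can then read the file with `gpg --decrypt`; after the admin list for a host changes, the file has to be re-encrypted for the new set to take effect.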


