[unisog] designing a password management system for privileged accounts
cmgreen at uab.edu
Thu Oct 20 15:39:40 GMT 2005
On 10/19/05 6:58 PM, "Russell Fulton" <r.fulton at auckland.ac.nz> wrote:
> 1/ provide secure central storage and management of passwords
> 2/ provide controlled (authorized) and audited access to the password
> though a web front end. Later we may write a 'fat' client that does
> nice things like put the retrieved password onto the clipboard.
> 3/ provide automated change of passwords according to a customizable
> 4/ allow privileged users to reset passwords etc.
> 5/ will provide time limited access to particular passwords for
> particular users. (e.g. contractors coming in to work on a system)
> 6/ enforce password 'quality' standards by using randomly generated
> 7/ All passwords will be encrypted with one or more master keys for DR
> 8/ All passwords stored on the server will be encrypted with the public
> key of the users who are allowed access to them.
Glad to see someone intends to do this ;)
If passwords stored on the server are encrypted with the authorized user's
public keys, where do their private keys reside for the decryption process?
Is the private key a passphrase that the administrator remembers?
The system should store "old" passwords to prevent reuse.
For our groups that occasionally need the local Administrator password for a
series of desktops, I've thought about having something where the master
password was shared, but then computed with the system-name into a hash that
creates the individual administrator password.
One case to think about:
2 directors that have password access to everything
All the systems are entered into the system in the right "group"
A new "director" is added, do all systems have to have passwords reset or
is there a mechanism to add director or group member without needing the
Automated password change should also be available on demand (terminated
That's all I can think of right now but if you get further into specifying
what the system should do, I'd love to help review it.
UAB Data Security, 5-0842
More information about the unisog