Managing secure passwords can be difficult enough for the average computer user, but for system administrators who are responsible for the maintenance of multiple servers it can be a nightmare, particularly when passwords have to be shared across a team who have different levels of access. Storing root passwords, FTP account passwords, SSH passwords, and passwords for third party cloud services in a way that’s secure, allows for quick revocation of access, and doesn’t rely on writing them all down on a sticky note requires a bit of planning.
Fortunately there are a number of solutions available to the problem of maintaining and managing passwords across a team.
Don’t Use Passwords At All
Passwords are not the most secure form of access control, and when they can be avoided it’s better to use alternative methods.
One of the most common tasks of system administrators is accessing servers over SSH. While this can obviously be done with passwords, it’s far better to use SSH keys. Generating an SSH key for staff members and adding their public key to the servers they need to access is more secure than sharing passwords between multiple members of staff and it allows access to be quickly revoked by removing the keys.
Rather than distributing the root password to a Linux server, it is safer to give the team or its individual members a user account and add that account to the sudoers file. Accounts in sudoers are able to escalate their permissions to the “root” level using the “sudo” command without having access to the root password. This has the advantages that the sudoers file can be distributed to multiple machines, permissions can be delegated on a fairly fine grained level, access attempts and commands are logged with the possibility of logging to a central host, and access can be revoked by removing an account from the file.
KeePass is an open source password manager that holds an encrypted database of passwords and can allow remote access via either a master password or with keys, It’s available for Windows, Mac, and Linux, and has various third-party apps for iOS, Android, and Blackberry.
phpPasswordManager is a web-based password management solution that allows for the creation of multiple different accounts, each encrypted with a different master key.
LastPass is a commercial password locker. It has an enterprise offering that includes many of the features that sysadmins and other companies need to securely manage passwords. It allows for the creation of multiple accounts that have access to a central secure password repository. Lastpass has an almost ubiquitous presence across platforms including Linux, OS X, and Windows, as well as numerous mobile devices. LastPass also provides the capability to implement two-factor authentication with YubiKey, Google Authenticator, and fingerprint scanners.
How do you manage distributing and managing passwords across your sysadmin teams. Let us know in the comments.
Also published on Medium.