I'm interested in best practices and potential open source projects that would allow my organization to securely store multiple passwords and allow multiple administrators to access them. I'm interested in something that would allow each administrator to have their own login/key versus the typical password protected Excel spreadsheet. ;)
Preferable would be a web based application which I can run over SSL.
I need it to run in a Mac/Linux environment - no Windows apps, please.
Thanks!
We use this : http://sourceforge.net/projects/phppassmanager/ (a little bit modified/tuned)
It's installed on a HTTPS web server with Active Directory authentication to restrict password retrieval to our team. Each member of the team knows a master password used to encrypt all the passwords stored in phppassmanager. They use it when they want to add/modify/read a password. The passwords are stored encrypted in a mysql database.
They potentialy have access to all the passwords but each password decryption is loggued, and the logs are shown to the whole team on the main page. This system is self-monitored and self-managed.
I use KeePass and i'm very happy with it. It's an opensource easy to use password manager.
What exactly are you protecting with this system? Systems you control, or systems run by third parties?
For internal authentication, systems like Kerberos, LDAP or even just sudo and PKI can handle this.
For external authentication, say to a software support website, you're largely hamstrung by whatever system they implement. Tools like KeePass (2.0 kinda works with mono) or PasswordGorilla can store your passwords. I don't think either of them supports any notion of multiple separate decryption passwords; I'm not sure how that could work mathematically.
For what I read so far, any wiki system with database backend (even with file store backend, but I'd prefer db) should solve your problem. Setting proper restrictions on the user accounts, and only the people you trust (admins) will be able to read/modify the pasword lists (in a plain html doc :) ).
Put it behind SSL enabled server, and restrict the access to the database.
PowerBroker is a vendor product designed specifically for controlling/auditing access to shared accounts; however, there is a significant per-host license cost.
I worked at very security-conscious company, and on my team of 5 we used KeePass, because the encryption is strong, it is cross platform and supports importing multiple databases into your own. We stored it on a system that was only accessible through the internal network through SSH logins that required key authentication (no passwords, thanks!).
We use keypass It's quite a cool piece of software, you can organise passwords by catagory. However, I am unsure if you can have different levels of users to log on.
I'm not exactly sure it's what you need, but this works for us: we keep in our SVN a gpg-encrypted text file with all the credentials, encrypted with a common key which we all share. The main advantages to this approach instead of keepassx or similar tools are : 1) one can put free-form information there and 2) gpg --decrypt can be sent to a pipe and used in a terminal.
Sure, this only works for a group of ~10 people, but with a bit of delegation can be scaled up a bit. Also, we actually have two keys and two encrypted files for different access levels, but this doesn't change much.
Oh, and we tend to stay away from handling passwords as much as possible (mainly with personal SSH keys).
I am looking for the exact same thing, and I found 2 that might fit your needs.
Web-KeePass - This seems like it would do what is needed, but I'm still trying to figure out all the options.
corporatevault - It is very basic and in the early stages. The interface isn't finished, but I found it pretty easy to figure out.
I think sysPass is a good choice. It offers: