[Mageia-sysadm] Saving and sharing passwords in mageia teams
nicolas vigier
boklm at mars-attacks.org
Fri Feb 18 22:45:02 CET 2011
Hello,
We often need to register some accounts on various websites for the
Mageia project (domain name registration, twitter, identica, etc ...).
And we need to be able to share the account information (login and
password) with other people inside teams. So we need something like a
password database, with permissions to restrict access to only some
people or groups of people. We can store this database on Mageia servers,
but I think it should be encrypted, so that root access on the server
does not give access to the passwords.
I have looked at existing tools, but didn't find one that would allow
us to do this easily. So I'm thinking about writing some scripts to do
it. It would work like this:
- all users first need to upload their gnupg public key in ldap
- we have a command to create a password on the server, with a list
of groups/users who can access this password:
$ mgapassword create passwdname %group1 %group2 user1 user2 ...
- a command to save the value of a password :
$ mgapassword set passwdname < value
or
$ mgapassword edit passwdname
- another command to retrieve a password:
$ mgapassword get passwdname
- a command to list the passwords you can access :
$ mgapassword list
All commands connect to the server using ssh and the ldap account. When
saving a password, the client asks the server for the list of gpg keys of
all users who should have access to the password, then encrypts the
password with all keys and sends it encrypted to the server.
The command to retrieve a password connects to the server, then the server
sends the password encrypted for the key of the user, which is decrypted
locally using the private gpg key of the user.
When new users are added into a group, they cannot access passwords
immediately (as it is not encrypted for their keys), so someone needs to
retrieve and save the passwords, to encrypt them for the new users.
So, what do you think about this? Or maybe someone knows existing tools
that can do this?
Nicolas
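A sketch of the client side of the design described above, written as a POSIX shell script. It is an added example, not code from Nicolas or from the Mageia project. The KEYS and ACL_GROUPS tables are constructed stand-ins for the LDAP lookups the real tool would do over ssh (the fingerprints are made up), STORE stands in for the server-side store, the create/set/get commands follow the ones in the post, and rekey is the manual re-encryption step the post says is needed after someone joins a group.

```shell
#!/bin/sh
# Added example prototype of the mgapassword client described in the post.
# Not Mageia code. KEYS/ACL_GROUPS are constructed stand-ins for the LDAP
# data the real tool would fetch over ssh; the fingerprints are made up.

STORE=${MGAPASSWORD_STORE:-./passwords}   # stand-in for the server-side store

# user:full-fingerprint (constructed). Full fingerprints, never short key IDs.
KEYS="alice:0123456789ABCDEF0123456789ABCDEF01234567
bob:89ABCDEF0123456789ABCDEF0123456789ABCDEF
carol:FEDCBA9876543210FEDCBA9876543210FEDCBA98"

# group:member member (constructed). Not named GROUPS: bash reserves that name.
ACL_GROUPS="sysadmin:alice bob
web:carol"

group_members() {
    printf '%s\n' "$ACL_GROUPS" |
        awk -F: -v g="$1" '$1 == g { print $2; found = 1 } END { exit !found }'
}

user_fingerprint() {
    printf '%s\n' "$KEYS" |
        awk -F: -v u="$1" '$1 == u { print $2; found = 1 } END { exit !found }'
}

# Expand an ACL ("%group" entries and plain user names) to a sorted,
# de-duplicated list of users, one per line. An unknown group is an error.
expand_acl() {
    users=""
    for entry in "$@"; do
        case "$entry" in
            %*) members=$(group_members "${entry#%}") ||
                    { echo "mgapassword: unknown group '${entry#%}'" >&2; return 1; }
                users="$users $members" ;;
            *)  users="$users $entry" ;;
        esac
    done
    printf '%s\n' $users | sort -u
}

# Turn an ACL into "-r FPR -r FPR ..." for gpg. A user without a key is a
# hard error: encrypting to fewer recipients than the ACL names must never
# happen silently.
recipient_args() {
    users=$(expand_acl "$@") || return 1
    args=""
    for u in $users; do
        fpr=$(user_fingerprint "$u") ||
            { echo "mgapassword: no key for '$u'" >&2; return 1; }
        args="$args -r $fpr"
    done
    printf '%s\n' "${args# }"
}

# create: record the ACL, after checking that every member has a key.
mgapassword_create() {
    name=$1; shift
    recipient_args "$@" >/dev/null || return 1
    mkdir -p "$STORE"
    printf '%s\n' "$*" > "$STORE/$name.acl"
}

# set: encrypt stdin to every key in the stored ACL.
mgapassword_set() {
    acl=$(cat "$STORE/$1.acl") || return 1
    recips=$(recipient_args $acl) || return 1
    # --no-encrypt-to: ignore any encrypt-to key from gpg.conf, so the
    # ciphertext is readable by exactly the ACL. --trust-model always: the
    # keys come from the project directory, not from the web of trust.
    gpg --batch --yes --armor --no-encrypt-to --trust-model always \
        --encrypt $recips --output "$STORE/$1.gpg"
}

# get: decrypt with the caller's own private key.
mgapassword_get() {
    gpg --batch --quiet --decrypt "$STORE/$1.gpg"
}

# rekey: the manual step from the post after group membership changes.
# Decrypt first and re-encrypt only on success, so a failed decrypt can
# never overwrite the stored ciphertext with an empty one.
mgapassword_rekey() {
    secret=$(mgapassword_get "$1") || return 1
    printf '%s' "$secret" | mgapassword_set "$1"
}

main() {
    cmd=$1; shift
    case "$cmd" in
        create) mgapassword_create "$@" ;;
        set)    mgapassword_set "$@" ;;
        get)    mgapassword_get "$@" ;;
        rekey)  mgapassword_rekey "$@" ;;
        *) echo "usage: mgapassword create NAME [%group|user ...] | set NAME | get NAME | rekey NAME" >&2
           return 2 ;;
    esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Two points the prototype makes explicit. A missing key for any user on the ACL is a hard error rather than a skipped recipient, and recipients are named by full fingerprint, because silently encrypting to fewer keys is how a secret quietly becomes unreadable to someone who should have it, and short key IDs can match more than one key. And the ACL and the key directory are plaintext on the server: root cannot read existing ciphertexts, but root can change who gets encrypted to at the next set or rekey, so the key directory and ACL still have to be treated as trusted data, for example by having clients check the fetched fingerprints against a list they already hold.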