[nycbug-talk] password repository

Isaac Levy ike at lesmuug.org
Thu Dec 31 13:47:16 EST 2009

On Dec 30, 2009, at 4:19 PM, nikolai wrote:

>> On Dec 30, 2009, at 2:50 PM, Chris Snyder wrote:
>>> On Wed, Dec 30, 2009 at 2:35 PM, Okan Demirmen <okan at demirmen.com>
>>> wrote:
>>>> truecrypt is analogous to disk/volume encrypting bits we already
>>>> have in
>>>> bsd - but it doesn't help if this image is mounted on a server
>>>> somewhere..and say someone doesn't un-mount it after use...
>>> Sort of. The point of using something cross-platform is that devs /
>>> admins mount the image locally on their Win/Mac workstations. And you
>>> don't need to explain openssl to the Windows guys...
>> Just to be clear- Is that the only benefit of Truecrypt, Windows
>> compatibility?  I've never used it and I'm just curious...  (perhaps I
>> should *try* it)
>> I've been watching this thread but since we're a totally UNIX shop,
>> I'm leaning towards nikolai's OpenSSL/Version-Repo answer...  A very
>> UNIX-ish approach to solving the problem.  Mix it with some commit
>> emails from your Version Repo of choice, or toss some more pipes into
>> there, or script out more parts, and voilà- the solution gains
>> features very cheaply... :)
> Hmm, what's wrong with a private cvs/svn/git/whatever repository
> for admin group only where password file(s) are stored in *clear text*?
> Diffs are priceless :)
> Put it onto encrypted slice/file to prevent single-user snoop?
> Backup encrypted data? I know there's always a trade-off.
> --
> Nikolai

Ostensibly, that secure/isolated repo is what I've seen in many IT/Sec groups at various institutions- storage for everything save for a couple of most critical resources, (Sr. Admins' private SSH Key info, any 'master-key' type credentials, and of course- the credentials for rooting the repo itself...)

Not a bad strategy- it at least scales fast/well.

On Dec 30, 2009, at 9:31 PM, Josh Rivel wrote:

> How about Password Safe? http://passwordsafe.sourceforge.net/
> There are Linux clients, Windows, Mac, and some CLI stuff as well.  Set up a passphrase for unlocking the "safe" and you can use it with Windows/Mac/Linux and there are GUIs for them as well.
> I use it at work between Windows and Linux (The encrypted safe file is actually on my Windows home file share which is backed up, etc.) and I access it from my Linux workstation with no issues.
> Hope this is useful....
> Josh

Killer.  I'm gonna' check this out asap!

It reminds me of a tangent, something I use so much I forget about it, Apple's Keychain.app (and system keychain).  Off-topic for the BSD list, but interesting and germane to this thread IMHO:

Keychain.app is Apple-specific, and to my knowledge not open, (something which has irked me for years- limits my trust and use of it), but it has some notable features:

- The keychains themselves are separate from the GUI Keychain.app, and are used to store nearly all user credentials- built into every Apple app, (Mail, Web Passwords, SSL Certs, whatever).
- The Keychain.app has the ability to add ad hoc text notes.
- The Copy/Paste/Find buffers are separated from the rest of Apple's GUI text frameworks, though features are there for searching for the credential title- (not the secret contents), so the GUI app is one of the more interestingly secured GUI things I've seen.
- Keychains can be auto-locked, whereby apps need to ask permission (and have you unlock the keychain) in order to continue to access a given resource on the keychain.

The cruddy part is that Apple doesn't really document it very well; all the info that means something about it these days is strewn about across the web:

There's a ton of info about it in the old MacOSX Security book, mostly all the same:

With all that, the Apple keychains are just files, which I have used with others in group environments- and I've wanted to get away from using it since it's Apple-specific.
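The OpenSSL/version-repo approach from earlier in the thread, and nikolai's trade-off that ciphertext in a repo gives you no useful diffs, as an added example that is not code from anyone on the list. It reduces the idea to the encrypt/decrypt step around a secrets file; the file names, the sample entries and the passphrase are constructed for the demo, and the helper names (`encrypt_secrets`, `decrypt_secrets` and the three check functions) are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: a secrets file kept encrypted at rest
# with `openssl enc`, the form you would commit to cvs/svn/git instead of
# clear text. All paths, sample entries and passphrases below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

ITER=200000   # PBKDF2 iteration count; raise it as your hardware allows

# Encrypt $1 into $2 as base64 text (commits cleanly to any version repo).
# -salt -pbkdf2 derive the key with a salted KDF rather than the legacy
# EVP_BytesToKey scheme; -pass env: keeps the passphrase out of `ps` output
# and shell history.
encrypt_secrets() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" -a \
        -pass env:SECRETS_PASS -in "$1" -out "$2"
}

# Decrypt $1 into $2 with the same parameters.
decrypt_secrets() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" -a \
        -pass env:SECRETS_PASS -in "$1" -out "$2"
}

# Round trip: a constructed password file survives encrypt then decrypt.
roundtrip_ok() {
    export SECRETS_PASS='constructed-demo-passphrase'
    printf 'db-admin: CHANGEME-1\nbackup-host root: CHANGEME-2\n' \
        > "$WORK/passwords.txt"
    encrypt_secrets "$WORK/passwords.txt" "$WORK/passwords.enc"
    decrypt_secrets "$WORK/passwords.enc" "$WORK/recovered.txt"
    cmp -s "$WORK/passwords.txt" "$WORK/recovered.txt" && echo ok
}

# The trade-off: the repo only ever sees ciphertext, so `diff` between two
# commits tells an admin nothing. With a fresh random salt each time, even
# re-encrypting an unchanged file produces a completely different blob.
diffs_are_opaque() {
    export SECRETS_PASS='constructed-demo-passphrase'
    printf 'db-admin: CHANGEME-1\n' > "$WORK/p.txt"
    encrypt_secrets "$WORK/p.txt" "$WORK/p1.enc"
    encrypt_secrets "$WORK/p.txt" "$WORK/p2.enc"
    if cmp -s "$WORK/p1.enc" "$WORK/p2.enc"; then echo same; else echo different; fi
}

# `openssl enc` carries no MAC, so a wrong passphrase is usually caught only
# by the CBC padding check (and corruption may not be caught at all). The
# dependable observation is that the wrong passphrase never yields the
# original bytes, which is what this check asserts.
wrong_pass_not_recovered() {
    export SECRETS_PASS='constructed-demo-passphrase'
    printf 'db-admin: CHANGEME-1\n' > "$WORK/w.txt"
    encrypt_secrets "$WORK/w.txt" "$WORK/w.enc"
    SECRETS_PASS='not-the-passphrase'
    if decrypt_secrets "$WORK/w.enc" "$WORK/w.out" 2>/dev/null \
        && cmp -s "$WORK/w.txt" "$WORK/w.out"; then
        echo recovered
    else
        echo not-recovered
    fi
}
```

In practice the clear-text file lives only in a temp directory (here removed by the `trap`) while an admin edits it, and the `.enc` file is what gets committed; the commit emails then tell the group that something changed without saying what, which is exactly the diff-versus-confidentiality trade-off nikolai points out. Because `enc` provides no integrity protection, a repo that needs to detect tampering rather than just hide contents should sign the blob separately or use a tool with an authenticated format.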
