To allow secure storage of the root passwords and ILO/ALOM passwords, pwsafe (http://nsd.dyndns.org/pwsafe/) has been installed on mon01 and dev01. It seems to be a derivative of Counterpane's Passwordsafe. The homepage of the project is http://sourceforge.net/projects/pwsafe/
The pw database is synchronised once per hour from mon01 to dev01 for redundancy. A new user pwsafe has been added to both machines.
The pwsafe password must not be recorded anywhere it could be revealed, as its loss could potentially compromise all our systems.
Log in and su to the pwsafe user. /home/pwsafe/bin contains the pwsafe application; examples of use are below:-
To see the usernames (servers) stored in pwsafe:-
    [pwsafe@dev01 bin]$ ./pwsafe -l
    WARNING: pwsafe unable to use secure ram (need to be setuid root)
    Enter passphrase for /home/pwsafe/db/.pwsafe.dat: <Passphrase>
    app01 - root
    app01-alom - admin
    ....edited list....
To see the password for a particular user (server):-
    [pwsafe@dev01 bin]$ ./pwsafe -u app01 -p -E (or pwsafe -p mon01 )
    Going to print login and password to stdout    <--- Note, this will print out so anyone can see!!
    WARNING: pwsafe unable to use secure ram (need to be setuid root)
    Enter passphrase for /home/pwsafe/db/.pwsafe.dat: <Passphrase>
    username for app01: root
    password for app01: topsecret (not really!)
    [pwsafe@dev01 bin]$

    -l               long listing (show username & notes)
    -p, --password   emit password of listed account
    -u, --username   emit username of listed account
    -E, --echo       force echoing of entry to stdout
Passwords do not have to be really long or excessively complex to be secure; see:- http://www.baekdal.com/insights/password-security-usability
Strong passwords can be created with the pwgen utility:-
    [pwsafe@mon01 ~]$ pwgen 8 10 -1
    ea2HieGh
    Thue4Voh
    uNee3eek
    xoNivo4c
Prevent Password ageing
chage changes the number of days between password changes and the date of the last password change.
[root@build02 ~]# chage -I -1 -m 0 -M 99999 -E -1 <USERNAME>
    -d, --lastday LAST_DAY        set date of last password change to LAST_DAY
    -E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
    -h, --help                    display this help message and exit
    -I, --inactive INACTIVE       set password inactive after expiration to INACTIVE
    -l, --list                    show account aging information
    -m, --mindays MIN_DAYS        set minimum number of days before password change to MIN_DAYS
    -M, --maxdays MAX_DAYS        set maximim number of days before password change to MAX_DAYS
    -W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS
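The chage command above leaves an account with no minimum age, a 99999-day maximum, and no inactivity or expiry date. The following check is an added example, not part of the original page: it reads shadow(5)-format lines and reports any account whose ageing fields differ from that state. The function name ageing_report and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit password-ageing fields in shadow(5)-format lines.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Target state is the one left by: chage -I -1 -m 0 -M 99999 -E -1 USER

# ageing_report (hypothetical helper name) reads shadow lines on stdin and
# prints "user: ageing-disabled" or "user: <fields that still enforce ageing>".
ageing_report() {
    awk -F: '
    # Empty means "not set"; a literal -1 is treated the same here (assumption).
    function notset(v) { return v == "" || v == "-1" }
    NF >= 8 {
        why = ""
        if (!notset($4) && $4 + 0 > 0)     why = why " mindays=" $4
        if (!notset($5) && $5 + 0 < 99999) why = why " maxdays=" $5
        if (!notset($7))                   why = why " inactive=" $7
        if (!notset($8))                   why = why " expires=" $8
        # lastchg of 0 forces a password change at the next login.
        if ($3 == "0")                     why = why " must-change-at-login"
        print $1 ":" (why == "" ? " ageing-disabled" : why)
    }'
}

# Constructed sample input; "!" stands in for the hash field.
SAMPLE='root:!:19000:0:99999:7:::
deploy:!:19000:7:90:14:30:20000:
svc:!:0:0:99999:7:::'

# On a real host, as root: getent shadow | ageing_report
printf '%s\n' "$SAMPLE" | ageing_report
```

Accounts reported with anything other than ageing-disabled still need the chage command shown above.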