Differences

rb:pwsafe [05/09/2019 11:11] (current)
andrew created
Line 1: Line 1:
 +====== Password Safe ======
 +
 +{{:​rb:​passwordsafe.jpg?​direct&​100 |Not this Password Safe!}}
 +Although most work done as root is done via sudo, there are times when it is necessary to 
 +have access to the root password. (Generally for recovery scenarios).
 +
 +To allow secure storage of the root passwords and ILO/ALOM passwords, pwsafe (http://​nsd.dyndns.org/​pwsafe/​ has been installed on mon01 and dev01, it seems to be a derivitave of Counterpane'​s Passwordsafe. The homepage of the project is [[http://​sourceforge.net/​projects/​pwsafe/​]]\\
 +
 +The pw database is synchronised once per hour from mon01 to dev01 for redundancy.
 +A new user pwsafe has been added to both machines.
 +
 +The pwsafe password must not be recorded anywhere it could be revealed, as its loss could potentially compromise all our systems.\\
 +
 +Log in and su to pwsafe user. /​home/​pwsafe/​bin contains the pwsafe application,​ examples of use are below:-
 +
 +To see the usernames (servers) stored in pwsafe:-
 +
 +  [pwsafe@dev01 bin]$ ./pwsafe -l
 +  WARNING: pwsafe unable to use secure ram (need to be setuid root)
 +  Enter passphrase for /​home/​pwsafe/​db/​.pwsafe.dat:​ <​Passphrase>​
 +  app01  -  root
 +  app01-alom ​ -  admin
 +  ....edited list....
 +  ​
 +To see the password for a particular user (server):-
 +
 +  [pwsafe@dev01 bin]$ ./pwsafe -u app01 -p -E  (or pwsafe -p mon01 )
 +  Going to print login and password to stdout ​ <​---------------------Note,​ this will print out so anyone can see!!
 +  WARNING: pwsafe unable to use secure ram (need to be setuid root)
 +  Enter passphrase for /​home/​pwsafe/​db/​.pwsafe.dat:​ <​Passphrase>​
 +  username for app01: root
 +  password for app01: topsecret (not really!)
 +  [pwsafe@dev01 bin]$
 +
 +Useful switches:-
 +  ​
 +  -l                         long listing (show username & notes)
 +  -p, --password ​            emit password of listed account
 +  -u, --username ​            emit username of listed account
 +  -E, --echo ​                force echoing of entry to stdout
 +
 +
 +====== Password Generators ======
 +
 +Passwords do not have to be really long or excessively complex to be secure, see:- 
 +[[http://​www.baekdal.com/​insights/​password-security-usability]]
 +
 +Strong passwords can be created with the pwgen utility:-
 +
 +  [pwsafe@mon01 ~]$   pwgen 8 10 -1
 +  ea2HieGh
 +  Thue4Voh
 +  uNee3eek
 +  xoNivo4c
 +  ​
 +
 +
 +====== Prevent Password ageing ======
 +
 +''​chage'' ​ changes ​ the  number of days between password changes and the date of the last password change.
 +
 +  [root@build02 ~]# chage -I -1 -m 0 -M 99999 -E -1 <​USERNAME>​
 +  ​
 +where:-
 +
 +  ​
 +    -d, --lastday LAST_DAY ​       set date of last password change to LAST_DAY
 +    -E, --expiredate EXPIRE_DATE ​ set account expiration date to EXPIRE_DATE
 +    -h, --help ​                   display this help message and exit
 +    -I, --inactive INACTIVE ​      set password inactive after expiration
 +                                  to INACTIVE
 +    -l, --list ​                   show account aging information
 +    -m, --mindays MIN_DAYS ​       set minimum number of days before password
 +                                  change to MIN_DAYS
 +    -M, --maxdays MAX_DAYS ​       set maximim number of days before password
 +                                  change to MAX_DAYS
 +    -W, --warndays WARN_DAYS ​     set expiration warning days to WARN_DAYS
 +
 +
  
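Review bot: both example sessions (`./pwsafe -l` and `./pwsafe -u app01 -p -E`) show "WARNING: pwsafe unable to use secure ram (need to be setuid root)", and the page never says whether that is an accepted condition. Without locked memory the passphrase and decrypted entries can be paged out to swap, so add a sentence stating whether the binary in /home/pwsafe/bin is deliberately left non-setuid and how swap is handled on mon01 and dev01. In the same example, the `-p -E` run leaves the root password in terminal scrollback and in any session logging; the inline "anyone can see" annotation flags this, but the page should say when `-E` is acceptable and what the non-echo default does, since the switch list only describes `-E` as forcing the echo. The "Prevent Password ageing" section should name which accounts `chage -I -1 -m 0 -M 99999 -E -1` is meant for and show `chage -l <USERNAME>` (already in the quoted help) to confirm the result. Minor: the nsd.dyndns.org link in the second paragraph is missing its closing parenthesis, and "derivitave" should read "derivative".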

rb/pwsafe.txt · Last modified: 05/09/2019 11:11 by andrew