
I have some software that uses its own encrypted file for password storage (such as FTP, web and other passwords to log in to external systems; there is no way to use certificates).

On each server I have several instances of this software, and each instance has its own password file.

At the moment the number of servers is growing constantly, and it's getting harder and harder to keep all passwords on all instances up to date.

Unfortunately, some servers are in a segregated network and there is no access from them to any centralized storage, but it works vice versa.

My first idea was to create a git repository, encrypt each password with gpg, store it there and deliver it within the deployment system, but the security team was not satisfied with this idea, as it is insecure to store passwords in a repository even in encrypted form (from their words).

Nothing similar comes to my mind. Is there any way to implement safe and secure password storage with minimal effort to keep all passwords up to date?

PS. If that matters, I have Red Hat everywhere.

rush
  • If this software supports some other form of authentication, you could go for LDAP with replication or a replicated database. Replication would be built in already. – mgabriel Jun 23 '13 at 18:53

3 Answers

You could have a look at FreeIPA, which makes use of LDAP and Kerberos to authenticate users. It is a fairly complete and vast system, but it does work.

Here is some of what Wikipedia writes about it:

FreeIPA is a Red Hat sponsored open source project which aims to provide an easily managed Identity, Policy and Audit (IPA) suite primarily targeted towards networks of Linux and Unix computers. FreeIPA can be compared to Novell's Identity Manager or Microsoft's Active Directory in that the goals and mechanisms used are similar.

espenfjo

While this may be a bit of a non-answer, maybe you can split the difference. On the largest network, or the master copy (maybe the one with the most updates), put the file on shared storage. That will at least solve one of your network domains.

It sounds like you can push to the network but not cross-mount (???). That's kind of strange; I would expect the networks to be physically distinct, unless you're making reference to some kind of software deployment. If you have a firewall solution, you could set up the central storage to be mounted by the client hosts, and make sure that is the only volume they can access via your export rules.

Otherwise, run a replication schedule. Depending on how much manual work is involved in the cross-syncs, maybe you should set up a replication of sorts. Let your users know the passwords will only be changed on the master system every so often, and then overwrite the other systems.

Cody
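The "overwrite the other systems" step above, as an added example that is not part of the answer or of the question: the central side can reach the segregated servers, so the master copy of each instance's encrypted password file can be pushed outward. The script below is hypothetical; the file name passwords.enc and the per-instance directories are assumptions, and in production the destination would be a remote host path reached over rsync/ssh rather than a local directory. What it shows is the part that matters for a secrets file: the copy is only made when the content actually differs, the new file is created under umask 077 and mode 0600 so it is never readable by other users even briefly, it is renamed into place so a running instance never reads a half-written file, and the result is verified by hash before the push is reported as successful.

```shell
#!/bin/sh
# Added example (not from the original page): push a master copy of an
# encrypted password file to several instance directories, atomically and
# only when it changed. Paths and file names below are hypothetical.
set -eu

# file_hash FILE: print the SHA-256 of FILE (sha256sum on Red Hat, shasum as a fallback).
file_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# push_file SRC DEST: replace DEST with SRC if the contents differ.
# Prints "unchanged" or "updated"; returns non-zero if verification fails.
push_file() {
  src=$1
  dest=$2
  if [ -f "$dest" ] && [ "$(file_hash "$src")" = "$(file_hash "$dest")" ]; then
    echo unchanged
    return 0
  fi
  tmp="$dest.tmp.$$"
  # Create the temporary copy under a restrictive umask so there is no window
  # in which the secrets file is readable by other local users.
  (umask 077 && cp "$src" "$tmp")
  chmod 600 "$tmp"
  # rename(2) is atomic: readers see either the old file or the new one, never a partial write.
  mv -f "$tmp" "$dest"
  if [ "$(file_hash "$src")" != "$(file_hash "$dest")" ]; then
    echo "verification failed for $dest" >&2
    return 1
  fi
  echo updated
}

# push_to_instances SRC DIR...: replicate SRC as DIR/passwords.enc into every
# instance directory; returns non-zero if any single target failed, but keeps going.
push_to_instances() {
  src=$1
  shift
  rc=0
  for d in "$@"; do
    push_file "$src" "$d/passwords.enc" || rc=1
  done
  return $rc
}
```

Usage would be `push_to_instances /srv/master/passwords.enc /opt/app/inst1 /opt/app/inst2` from the central host (paths assumed). The hash check before copying keeps a scheduled run from rewriting unchanged files and touching their mtimes, which makes "which instance actually got a new password and when" answerable from the file metadata alone.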

If you need to have something on a number of nodes at the same time, writable from all nodes and readable from all nodes, and without access to a central storage system, you should have a look at Ceph (http://ceph.com/). Ceph is a distributed object store which provides a file system for standard access by applications that you cannot adapt.

If Ceph as a distributed file system is not your solution, for whatever reason, you can have a look at some other distributed file systems in Linux.

http://en.wikipedia.org/wiki/List_of_file_systems#Distributed_file_systems

mgabriel