Is there such a thing as a multi-user, hierarchical, arbiter-less,
pki-based
password manager? I'm thinking specifically for use in a system
administration
context where you have multiple sub groups and cross-group roles that
have
access to different sets of passwords.
* Users share one database, and can only view passwords that they are
authorized to access. Authorization is either per-user or per-group.
* Users and groups can be defined either statically, or perhaps
dynamically
looked up through external means like ldap, pam, etc.
* Passwords are organized in a tree/folder structure, and each node
(including
leaves, i.e. passwords) is associated with one or more users or
groups.
Optionally, a user with access to a node would have recursive access
to all
child nodes.
* There is no all-knowing arbiter that can read and write any entry in
the
database. Not having an arbiter will complicates things quite a bit.
* PKI is used so that a new password entry is associated with a list of
users
or groups, and is then encrypted with the target users' pubkeys. A
pubkey
lookup mechanism is needed.
* Preferably have a distributed system, managed by distributed revision
control. This precludes using filesystem semantics like permissions,
acls,
etc, and would instead require the use of a metadata index of sorts.
* Preferably make the system usable without having to rely on a
frontend:
Running 'gpg -d *' would decrypt files encrypted with your pubkey.
As far as I can tell, there exists no such thing -- possibly for very
good
reasons; see below. I've been thinking of how to implement this sort of
system, like so:
* Use one file per password, with a simple structure like:
<path> <access> [<name> <username> <password> <comment>], where
<path>: directory-style path to the entry, e.g. '/dns/resolver/res1'
<access>: user(s)/group(s) with access to the entry. This might have
to
include lookup details, such as ldap url or similar.
<name>: name of entry, e.g. 'root account'
Name, username, password and comment are optional, to facilitate the
creation of password-less branching nodes in the tree, solely for
indicating
user/group access (which then apply recursively).
* Files have inconspicuous names, for example created by hashing the
file
contents, random characters, or a serial number. Possibly add random
decoy
files to discourage traffic analysis. Possibly gather all files in
one tar
or zip archive, which is again encrypted with everyone's pubkeys.
Size is
not a concern.
* Creating a new entry would require inputting the user(s)/group(s)
that
should have access. This, together with the lookup/fetching of target
user
keys, is somewhat tricky.
* Using something like Git would make revision control easy. On the
other
hand, it would make it possible for revoked users to regain
information by
fetching old revisions. This might preclude revision control
altogether.
* Revoking access for users that either leave or switch groups, would
mean
having to re-encrypt all entries where the user had access (and
remove
entries where the user had sole access). Without an all-knowing
arbiter,
this could also easily be a showstopper.
* Having a simple curses-based interface would allow easy navigation of
the
tree, displaying only the entries that the user can access. A web
interface
would not work out, due to the use of pki. A standalone gui
application
could work, for the command line challenged.
Any thoughts on this, especially the showstoppers?
S.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
