Lead Image © Marqs, photocase.com

Lead Image © Marqs, photocase.com

Password management with FreeIPA

Safely Stored

Article from ADMIN 37/2017
By
Passwords should be safe, but easy to remember – a contradiction that can be difficult to resolve. One remedy is a password manager that stores all passwords centrally. The open source tip this month shows a different approach: FreeIPA.

Passwords need to be long, contain as many characters as possible, and use special characters and numbers. If you do this, then your password is secure, but unfortunately very hard to remember. Consequently, there are a variety of tools that let you deposit hard-to-remember passwords in a type of safe. The safe in turn is protected by a master password, and the passwords it contains are only released if you enter the password correctly. However, the user is then usually given access to the complete inventory of the safe. In the open source world, the KeePass [1] tool is a well-known candidate for this job.

Key Recovery Agent

Key Recovery Agents (KRAs) offer a different type of password safe. They are often part of a larger identity management solution, offering both users and services different forms of password safes – known as password vaults [2]. These are then available not only locally on a client, but throughout the network. The idea is that lost private user keys can be restored, since a copy is deposited in the password safe.

Version 4.2 or newer of the FreeIPA Identity Management framework also features password vaults, where you can store all sorts of data safely. When the data are stored, they are encrypted with a session key. If necessary, this is encoded with another symmetric or asymmetric key. The result is a package consisting of the actual secret (the data) and the keys used. Both together are encrypted again with the public key of the KRA instance and sent to the FreeIPA system, where the whole package is unpacked with the KRA instance's private key. The KRA instance thus gains access to the keys and the actual secret. The secret is again encoded with a storage key, before it is finally deposited on the LDAP back end. An escrow officer can gain access to a safe

...
Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Credential management with HashiCorp Vault
    Admin teams can use secret sharing to centrally manage shared access to user accounts and services. HashiCorp Vault is one of the few tools that has proven effective when it comes to implementing this solution. Here's how to use this open source tool and keep important credentials safe.
  • Centralized Password Management

    Time and again, situations arise in which admins need access to a system they do not otherwise manage. But, do you want to hand over responsibility for password management to a centralized software? What capabilities must that software have?

  • Requirements for centralized password management
    Time and again, situations arise in which admins need access to a system they do not otherwise manage. But, do you want to hand over responsibility for password management to a centralized software? What capabilities must that software have?
  • Cloud protection with Windows Azure Backup
    Microsoft offers the Windows Azure Backup service, which lets you back up data from servers in the cloud. This removes the need for your own infrastructure, and the service alleviates privacy concerns by using continuous encryption.
  • Integrating FreeIPA with Active Directory
    Many companies use Active Directory for centrally managing existing systems, but if you mix in Linux systems, you have to take care of a few things, such as different forms of integration. We show you how to connect the FreeIPA identity management framework as an interface to an Active Directory domain.
comments powered by Disqus