[OT] Multi-user hierarchical password management via pki

Sven Ulland sveniu at ifi.uio.no
Fri Jul 27 13:46:02 CEST 2012 

 Is there such a thing as a multi-user, hierarchical, arbiter-less, 
 pki-based
 password manager? I'm thinking specifically for use in a system 
 administration
 context where you have multiple sub groups and cross-group roles that 
 have
 access to different sets of passwords.

 * Users share one database, and can only view passwords that they are
   authorized to access. Authorization is either per-user or per-group.

 * Users and groups can be defined either statically, or perhaps 
 dynamically
   looked up through external means like ldap, pam, etc.

 * Passwords are organized in a tree/folder structure, and each node 
 (including
   leaves, i.e. passwords) is associated with one or more users or 
 groups.
   Optionally, a user with access to a node would have recursive access 
 to all
   child nodes.

 * There is no all-knowing arbiter that can read and write any entry in 
 the
   database. Not having an arbiter will complicates things quite a bit.

 * PKI is used so that a new password entry is associated with a list of 
 users
   or groups, and is then encrypted with the target users' pubkeys. A 
 pubkey
   lookup mechanism is needed.

 * Preferably have a distributed system, managed by distributed revision
   control. This precludes using filesystem semantics like permissions, 
 acls,
   etc, and would instead require the use of a metadata index of sorts.

 * Preferably make the system usable without having to rely on a 
 frontend:
   Running 'gpg -d *' would decrypt files encrypted with your pubkey.

 As far as I can tell, there exists no such thing -- possibly for very 
 good
 reasons; see below. I've been thinking of how to implement this sort of
 system, like so:

 * Use one file per password, with a simple structure like:
   <path> <access> [<name> <username> <password> <comment>], where
   <path>: directory-style path to the entry, e.g. '/dns/resolver/res1'
   <access>: user(s)/group(s) with access to the entry. This might have 
 to
     include lookup details, such as ldap url or similar.
   <name>: name of entry, e.g. 'root account'

   Name, username, password and comment are optional, to facilitate the
   creation of password-less branching nodes in the tree, solely for 
 indicating
   user/group access (which then apply recursively).

 * Files have inconspicuous names, for example created by hashing the 
 file
   contents, random characters, or a serial number. Possibly add random 
 decoy
   files to discourage traffic analysis. Possibly gather all files in 
 one tar
   or zip archive, which is again encrypted with everyone's pubkeys. 
 Size is
   not a concern.

 * Creating a new entry would require inputting the user(s)/group(s) 
 that
   should have access. This, together with the lookup/fetching of target 
 user
   keys, is somewhat tricky.

 * Using something like Git would make revision control easy. On the 
 other
   hand, it would make it possible for revoked users to regain 
 information by
   fetching old revisions. This might preclude revision control 
 altogether.

 * Revoking access for users that either leave or switch groups, would 
 mean
   having to re-encrypt all entries where the user had access (and 
 remove
   entries where the user had sole access). Without an all-knowing 
 arbiter,
   this could also easily be a showstopper.

 * Having a simple curses-based interface would allow easy navigation of 
 the
   tree, displaying only the entries that the user can access. A web 
 interface
   would not work out, due to the use of pki. A standalone gui 
 application
   could work, for the command line challenged.

 Any thoughts on this, especially the showstoppers?

 S.

More information about the Gnupg-users mailing list