This is not a technical question. How do small organizations keep sensitive information that must be shared among several individuals safe, such as root passwords to production servers? Not all people that need to have access work in the same location.. new passwords can be distributed by phone, but what rules should be enforced for team members in the storing of the passwords?
这不是技术问题。小型组织如何保持必须在几个人之间共享的敏感信息,例如生产服务器的root密码?并非所有需要访问的人都在同一个位置工作..新密码可以通过电话分发,但是在存储密码时应该对团队成员强制执行哪些规则?
UPDATE: this question is not about the proper usage of root passwords -- that was just meant as an example. Maybe a better example would be the SSL passphrase or any other password that must be shared among people performing administrative tasks. The fact is, root passwords and the like need to be generated and stored and usually more than one person needs to have access, sometimes those people work in different locations. The question is about storage protocols. Thanks.
更新:这个问题与root密码的正确使用无关 - 这只是一个例子。也许更好的例子是SSL密码或必须在执行管理任务的人之间共享的任何其他密码。事实上,需要生成和存储根密码等,并且通常不止一个人需要访问,有时这些人在不同的位置工作。问题是关于存储协议。谢谢。
6 个解决方案
#1
I personally recommend to people facing similar problems to use something like keepass or roboform to store passwords. These programs encrypt your passwords on a thumbdrive using a master password that the individual remembers, so that they need only remember the master password. In the event that someone looses their thumbdrive, they will have a window of time in which they can report the compromised thumbdrive, and allow you to change passwords. It will take a little bit of time, depending on the master password's strength, before the person who stole the thumb drive would be able to brute force the master password to get at all the other stored passwords.
我个人建议那些面临类似问题的人使用keepass或roboform来存储密码。这些程序使用个人记住的主密码在thumbdrive上加密您的密码,这样他们只需要记住主密码。如果某人丢失了他们的拇指驱动器,他们将有一个时间窗口,他们可以报告受损的拇指驱动器,并允许您更改密码。在窃取拇指驱动器的人能够强制使用主密码来获取所有其他存储的密码之前,这需要一点时间,具体取决于主密码的强度。
Additionally, avoid having any account shared by more than 3 people, if at all! Instead, consider creating each individual an account with equivalent access. If a malicious employee has access to an account which they know is shared, it might be more tempting for them to do malicious things since they know you could not hold them accountable, since it could have been any of several people sharing the account.
此外,如果有的话,请避免超过3人共享任何帐户!相反,请考虑为每个人创建具有同等访问权限的帐户。如果恶意员工可以访问他们知道共享的帐户,那么他们可能更容易做恶意事情,因为他们知道您不能让他们负责,因为它可能是共享该帐户的几个人中的任何一个。
This also means you don't have to change the password every time someone quits. Instead, you just disable/delete their account. So although you have more accounts to manage, you have less overhead when someone leaves since you don't have to notify everyone of a changed password.
这也意味着每次有人退出时都不必更改密码。相反,您只需禁用/删除其帐户即可。因此,虽然您需要管理更多帐户,但是当有人离开时您可以减少开销,因为您不必通知每个人更改密码。
Edit: Oh Roboform also has a online password sync service over SSL. So you could just have people retrieve passwords via syncing. It's kinda cool once you get used to it.
编辑:哦,Roboform还有一个通过SSL的在线密码同步服务。所以你可以让人们通过同步来检索密码。一旦你习惯它,它有点酷。
#2
You shouldn't be handing out (or using) root passwords to any servers, production or otherwise. You shouldn't be sharing passwords.
您不应该将root密码分发(或使用)到任何服务器,生产或其他方式。你不应该共享密码。
People should log in as themselves (authentication) with their own user ids passwords; that's one half of the picture.
人们应该使用自己的用户ID密码以自己的身份登录(身份验证);这是图片的一半。
When properly logged in they should be given rights (the authorization side of the picture) as appropriate. You can use things like sudo
for general OS purposes, and the rights mechanisms inside databases, etc.
正确登录后,应视情况给予权限(图片的授权方)。您可以使用sudo之类的东西来实现一般操作系统,以及数据库中的权限机制等。
These are two separate issues. Don't cross the streams!
这是两个不同的问题。不要越过溪流!
#3
With the advent of sudo
we seldom need to use a root password any more. In my old shop, the root password was written on a card, sealed in an envelope, and locked in a drawer in the sysadmins' area. Those who needed to know had keys to the drawer.
随着sudo的出现,我们不再需要使用root密码了。在我的旧店里,根密码写在一张卡片上,密封在一个信封里,并锁在系统管理员区域的抽屉里。那些需要知道的人有抽屉的钥匙。
Anybody opening the envelope was required to change the password and put the new password in a new sealed envelope. The envelope was not opened often.
打开信封的任何人都需要更改密码并将新密码放入新的密封信封中。信封没有经常打开。
This system is probably really bad professional practice, but in a small shop where everybody knew everybody, it worked well.
这个系统可能是非常糟糕的专业实践,但在一个每个人都认识每个人的小商店里,它运作良好。
#4
In a prototype & R&D lab where I formerly worked, there were 'standard' lab passwords for things like root, administrative access to consoles, switches, etc. These are simple, easy to remember, and shared verbally with anyone who needed them. In general, if you could physically get into the lab, you were authorized to have these passwords.
在我以前工作过的原型和研发实验室中,有一些“标准”实验室密码,例如root,管理员访问控制台,交换机等。这些都很简单,易于记忆,并且与需要它们的任何人口头共享。一般情况下,如果您可以实际进入实验室,则您被授权拥有这些密码。
In the manufacturing facility, new systems were built and configured for customers. The customer got to choose all the passwords, and they were printed on a set of forms that were attached to the rack with the systems. Remote access was provided as required, and the passwords were sent in an e-mail, or given over the phone. It was fully expected that the customer would change these passwords as soon as the system was delivered to them.
在制造工厂中,为客户构建和配置了新系统。客户必须选择所有密码,并将它们打印在一组与系统连接到机架上的表格上。根据需要提供远程访问,密码通过电子邮件发送,或通过电话发送。完全可以预期,一旦系统交付给客户,客户就会更改这些密码。
For the IT & Production labs, almost no one had root access. Almost everyone did have sudo access with somewhere between no limits and only the ability to mount virtual filesystems...depending on the person and the system. It was very rare to get sudo access to launch a shell as root. This left a very clear log trail of all the commands you ran as root. That log was used to tar & feather more than one person over the years.
对于IT和生产实验室,几乎没有人有root权限。几乎每个人都有sudo访问权限,介于无限制之间,只能安装虚拟文件系统......具体取决于人员和系统。获得以root身份启动shell的sudo访问权非常罕见。这为您以root身份运行的所有命令留下了非常清晰的日志记录。多年来,这个日志被用来焦油和羽毛多于一个人。
At a help desk / support role I had many years ago, each tool expert picked their own administrative passwords. These were recorded in an envelop that was locked in a safe in the machine room. If someone needed admin access, they could open the envelop, read the password, and note in the log that they knew the password and then re-seal the password in the envelop. It was up to the tool owner to decide if the password needed to be changed. This system was used for more than 5 years...and in one case actually helped the project to survive the "bus test" (heart attack) for one team member.
在我多年前的帮助台/支持角色中,每个工具专家都选择了自己的管理密码。这些被记录在一个被锁在机房保险柜中的信封中。如果有人需要管理员访问权限,他们可以打开信封,阅读密码,并在日志中记下他们知道密码,然后在信封中重新密封密码。由工具所有者决定是否需要更改密码。该系统使用了5年以上......在一个案例中实际上帮助该项目在一个团队成员的“公共汽车测试”(心脏病发作)中存活下来。
Different standards for different kinds of systems and labs. That is reasonable. I find that when passwords need to be shard, it is best if the password is simple, short, and communicated verbally (either in person or over the phone). I find that the only password that should never be shared is the one for my personal account. Any root/admin/tool specific passwords should be backed up in at least one other head...if not recorded in some manner.
不同类型的系统和实验室的不同标准。这是合理的。我发现当密码需要分片时,最好是密码简单,简短,并且口头传达(亲自或通过电话)。我发现唯一不应该共享的密码是我个人帐户的密码。任何root / admin / tool特定密码都应至少在另一个头上备份...如果没有以某种方式记录。
#5
you can use a program like anypasswordpro to share passwords. It is encrypted and has levels of access :)
你可以使用像anypasswordpro这样的程序来共享密码。它是加密的,具有访问级别:)
#6
Be realistic. Whether you like it or not, people in small teams are going to write passwords on sticky notes, IM them, or be tempted to email them, especially when they perceive no threat.
现实点。无论你喜欢与否,小团队中的人都会在便利贴上写密码,给他们写信,或者想要给他们发电子邮件,特别是当他们认为没有威胁时。
One measure I've found useful with small groups is to establish an obfuscation protocol.
我发现对小组有用的一个措施是建立一个混淆协议。
For example, all passwords communicated or stored via voicemail, email, IM, or paper will have 1) the order of their characters reversed 2) a random character or word placed in between each password character 3) phonetically pronounced password characters.
例如,通过语音邮件,电子邮件,即时消息或纸张传送或存储的所有密码将具有1)其字符的顺序颠倒2)在每个密码字符之间放置的随机字符或单词3)发音密码字符。
For example:
Password: VMaccp@ss1
Obfuscated: one 2 es df es 23 at sd pee fd see dfs see fxz ay df EM sd VEE
混淆:在sd pee fd看到一个2 es df es 23看dfs看到fxz ay df EM sd VEE
The key is to establish some kind of encoding that is virtually impossible for someone to figure out without knowing the protocol, which is easy to remember.
关键是要建立某种编码,这种编码几乎不可能让某人在不知道协议的情况下弄清楚,这很容易记住。
Keep in mind this is for small groups without life-or-death security. Obviously for larger groups or those protecting extremely sensitive financial data stronger more cumbersome measures are appropriate.
请记住,这适用于没有生死安全的小团体。显然,对于较大的群体或那些保护极其敏感的金融数据的群体而言,更为繁琐的措施更为合适。
#1
I personally recommend to people facing similar problems to use something like keepass or roboform to store passwords. These programs encrypt your passwords on a thumbdrive using a master password that the individual remembers, so that they need only remember the master password. In the event that someone looses their thumbdrive, they will have a window of time in which they can report the compromised thumbdrive, and allow you to change passwords. It will take a little bit of time, depending on the master password's strength, before the person who stole the thumb drive would be able to brute force the master password to get at all the other stored passwords.
我个人建议那些面临类似问题的人使用keepass或roboform来存储密码。这些程序使用个人记住的主密码在thumbdrive上加密您的密码,这样他们只需要记住主密码。如果某人丢失了他们的拇指驱动器,他们将有一个时间窗口,他们可以报告受损的拇指驱动器,并允许您更改密码。在窃取拇指驱动器的人能够强制使用主密码来获取所有其他存储的密码之前,这需要一点时间,具体取决于主密码的强度。
Additionally, avoid having any account shared by more than 3 people, if at all! Instead, consider creating each individual an account with equivalent access. If a malicious employee has access to an account which they know is shared, it might be more tempting for them to do malicious things since they know you could not hold them accountable, since it could have been any of several people sharing the account.
此外,如果有的话,请避免超过3人共享任何帐户!相反,请考虑为每个人创建具有同等访问权限的帐户。如果恶意员工可以访问他们知道共享的帐户,那么他们可能更容易做恶意事情,因为他们知道您不能让他们负责,因为它可能是共享该帐户的几个人中的任何一个。
This also means you don't have to change the password every time someone quits. Instead, you just disable/delete their account. So although you have more accounts to manage, you have less overhead when someone leaves since you don't have to notify everyone of a changed password.
这也意味着每次有人退出时都不必更改密码。相反,您只需禁用/删除其帐户即可。因此,虽然您需要管理更多帐户,但是当有人离开时您可以减少开销,因为您不必通知每个人更改密码。
Edit: Oh Roboform also has a online password sync service over SSL. So you could just have people retrieve passwords via syncing. It's kinda cool once you get used to it.
编辑:哦,Roboform还有一个通过SSL的在线密码同步服务。所以你可以让人们通过同步来检索密码。一旦你习惯它,它有点酷。
#2
You shouldn't be handing out (or using) root passwords to any servers, production or otherwise. You shouldn't be sharing passwords.
您不应该将root密码分发(或使用)到任何服务器,生产或其他方式。你不应该共享密码。
People should log in as themselves (authentication) with their own user ids passwords; that's one half of the picture.
人们应该使用自己的用户ID密码以自己的身份登录(身份验证);这是图片的一半。
When properly logged in they should be given rights (the authorization side of the picture) as appropriate. You can use things like sudo
for general OS purposes, and the rights mechanisms inside databases, etc.
正确登录后,应视情况给予权限(图片的授权方)。您可以使用sudo之类的东西来实现一般操作系统,以及数据库中的权限机制等。
These are two separate issues. Don't cross the streams!
这是两个不同的问题。不要越过溪流!
#3
With the advent of sudo
we seldom need to use a root password any more. In my old shop, the root password was written on a card, sealed in an envelope, and locked in a drawer in the sysadmins' area. Those who needed to know had keys to the drawer.
随着sudo的出现,我们不再需要使用root密码了。在我的旧店里,根密码写在一张卡片上,密封在一个信封里,并锁在系统管理员区域的抽屉里。那些需要知道的人有抽屉的钥匙。
Anybody opening the envelope was required to change the password and put the new password in a new sealed envelope. The envelope was not opened often.
打开信封的任何人都需要更改密码并将新密码放入新的密封信封中。信封没有经常打开。
This system is probably really bad professional practice, but in a small shop where everybody knew everybody, it worked well.
这个系统可能是非常糟糕的专业实践,但在一个每个人都认识每个人的小商店里,它运作良好。
#4
In a prototype & R&D lab where I formerly worked, there were 'standard' lab passwords for things like root, administrative access to consoles, switches, etc. These are simple, easy to remember, and shared verbally with anyone who needed them. In general, if you could physically get into the lab, you were authorized to have these passwords.
在我以前工作过的原型和研发实验室中,有一些“标准”实验室密码,例如root,管理员访问控制台,交换机等。这些都很简单,易于记忆,并且与需要它们的任何人口头共享。一般情况下,如果您可以实际进入实验室,则您被授权拥有这些密码。
In the manufacturing facility, new systems were built and configured for customers. The customer got to choose all the passwords, and they were printed on a set of forms that were attached to the rack with the systems. Remote access was provided as required, and the passwords were sent in an e-mail, or given over the phone. It was fully expected that the customer would change these passwords as soon as the system was delivered to them.
在制造工厂中,为客户构建和配置了新系统。客户必须选择所有密码,并将它们打印在一组与系统连接到机架上的表格上。根据需要提供远程访问,密码通过电子邮件发送,或通过电话发送。完全可以预期,一旦系统交付给客户,客户就会更改这些密码。
For the IT & Production labs, almost no one had root access. Almost everyone did have sudo access with somewhere between no limits and only the ability to mount virtual filesystems...depending on the person and the system. It was very rare to get sudo access to launch a shell as root. This left a very clear log trail of all the commands you ran as root. That log was used to tar & feather more than one person over the years.
对于IT和生产实验室,几乎没有人有root权限。几乎每个人都有sudo访问权限,介于无限制之间,只能安装虚拟文件系统......具体取决于人员和系统。获得以root身份启动shell的sudo访问权非常罕见。这为您以root身份运行的所有命令留下了非常清晰的日志记录。多年来,这个日志被用来焦油和羽毛多于一个人。
At a help desk / support role I had many years ago, each tool expert picked their own administrative passwords. These were recorded in an envelop that was locked in a safe in the machine room. If someone needed admin access, they could open the envelop, read the password, and note in the log that they knew the password and then re-seal the password in the envelop. It was up to the tool owner to decide if the password needed to be changed. This system was used for more than 5 years...and in one case actually helped the project to survive the "bus test" (heart attack) for one team member.
在我多年前的帮助台/支持角色中,每个工具专家都选择了自己的管理密码。这些被记录在一个被锁在机房保险柜中的信封中。如果有人需要管理员访问权限,他们可以打开信封,阅读密码,并在日志中记下他们知道密码,然后在信封中重新密封密码。由工具所有者决定是否需要更改密码。该系统使用了5年以上......在一个案例中实际上帮助该项目在一个团队成员的“公共汽车测试”(心脏病发作)中存活下来。
Different standards for different kinds of systems and labs. That is reasonable. I find that when passwords need to be shard, it is best if the password is simple, short, and communicated verbally (either in person or over the phone). I find that the only password that should never be shared is the one for my personal account. Any root/admin/tool specific passwords should be backed up in at least one other head...if not recorded in some manner.
不同类型的系统和实验室的不同标准。这是合理的。我发现当密码需要分片时,最好是密码简单,简短,并且口头传达(亲自或通过电话)。我发现唯一不应该共享的密码是我个人帐户的密码。任何root / admin / tool特定密码都应至少在另一个头上备份...如果没有以某种方式记录。
#5
you can use a program like anypasswordpro to share passwords. It is encrypted and has levels of access :)
你可以使用像anypasswordpro这样的程序来共享密码。它是加密的,具有访问级别:)
#6
Be realistic. Whether you like it or not, people in small teams are going to write passwords on sticky notes, IM them, or be tempted to email them, especially when they perceive no threat.
现实点。无论你喜欢与否,小团队中的人都会在便利贴上写密码,给他们写信,或者想要给他们发电子邮件,特别是当他们认为没有威胁时。
One measure I've found useful with small groups is to establish an obfuscation protocol.
我发现对小组有用的一个措施是建立一个混淆协议。
For example, all passwords communicated or stored via voicemail, email, IM, or paper will have 1) the order of their characters reversed 2) a random character or word placed in between each password character 3) phonetically pronounced password characters.
例如,通过语音邮件,电子邮件,即时消息或纸张传送或存储的所有密码将具有1)其字符的顺序颠倒2)在每个密码字符之间放置的随机字符或单词3)发音密码字符。
For example:
Password: VMaccp@ss1
Obfuscated: one 2 es df es 23 at sd pee fd see dfs see fxz ay df EM sd VEE
混淆:在sd pee fd看到一个2 es df es 23看dfs看到fxz ay df EM sd VEE
The key is to establish some kind of encoding that is virtually impossible for someone to figure out without knowing the protocol, which is easy to remember.
关键是要建立某种编码,这种编码几乎不可能让某人在不知道协议的情况下弄清楚,这很容易记住。
Keep in mind this is for small groups without life-or-death security. Obviously for larger groups or those protecting extremely sensitive financial data stronger more cumbersome measures are appropriate.
请记住,这适用于没有生死安全的小团体。显然,对于较大的群体或那些保护极其敏感的金融数据的群体而言,更为繁琐的措施更为合适。