19

Can anyone recommend a F/OSS enterprise password management solution on/around the same level as something like Cyber-Ark?

Specifically, something along the lines of a standard password manager, (like KeePass), but with the ability to login with ldap credentials and get access to passwords for your environment, specific to your duties--Synced between multiple locations and departments. It could be a Web Application with a backend database, or it could be multiple databases somehow synced between multiple locations, though a Web App would be preferable.

I have seen the post by Tok (accepted answer) on using Git to do it, but I wanted to see if there was anything specifically written for this type of need.

The enterprise environment is Windows & Linux.

Josh Brower
  • 1,377
  • 2
  • 13
  • 25
  • For which platform(s)? – Steve Feb 04 '11 at 01:28
  • Can you describe the requirements and features you're looking for more specifically? Passwords for what, used by who, etc. And (ala the faq) what sort of context or risk profile you have in mind? A link to Tok's post would also be handy. – nealmcb Feb 06 '11 at 04:48
  • You might also want to distinguish it from this related question: [Password Management within an Organisation](http://security.stackexchange.com/questions/754/password-management-within-an-organisation) – nealmcb Feb 06 '11 at 05:23
  • @nealmcb Tok's post is the selected answer to the question you just linked to. I didnt realize that I was not being clear when I said that the solution should be akin to Cyber-Ark. I'm not sure how else I can describe it--Some sort of Enterprise-quality password management solution... If you dont know what Cyber-Ark is, then think KeePass, but with the ability to login (with ldap credentials) and get access to passwords for your environment--Synced between multiple locations and departments. Does that help? – Josh Brower Feb 06 '11 at 05:37
  • 1
    I'm just suggesting that it would be a service to the folks you are asking for help, and attract more interest and answers, to edit all that and more in to the question. Links to product web pages are less helpful since they usually are full of unclear marketing junk, change over time, and it is unclear which aspects of that product address what your actual interests are. – nealmcb Feb 06 '11 at 16:18
  • @nealmcb, Makes sense. I will edit the question for more clarity later today. Thanks! – Josh Brower Feb 06 '11 at 18:11
  • The bounty ends soon. Any takers? – Josh Brower Feb 12 '11 at 16:46
  • @JoshBrower - did you get anywhere with this one? – Rory Alsop Feb 24 '11 at 14:21
  • No, nothing so far. I guess the bounty didnt get awarded to anyone. – Josh Brower Feb 24 '11 at 17:18

2 Answers2

4

A large enterprise can't use a password manager like KeepPass, that would be a total nightmare. A more scalable password management solution is LDAP and Kerberos. Kerberos' highlights are that its very scalable and no matter how large you can disable access to a user across the entire system immediately, because authentication is centralized.

rook
  • 47,004
  • 10
  • 94
  • 182
  • 3
    @Rook, your answer claims that if a company is not using Kerberos then they are not really on top of their security. I disagree with that statement. – D.W. Mar 31 '11 at 07:03
  • @D.W. So then your problem with me is more than just flame. Also i stand by this. If you need some "password manager" for your enterprise then you messed up somewhere. [mod edit - no need for the foul language] – rook Mar 31 '11 at 07:10
  • @Rook - across my client base (a large percentage of the fortune 350) very few have Kerberos. I see it in certain departments, and in principle I like it (having used it from the very early days) but it is just one solution, and is not appropriate for every organisation. – Rory Alsop Mar 31 '11 at 08:18
  • @Rory Alsop♦ So then do these organizations that don't use kerberos use a password manager "like KeePass" for their entire enterprise? I hope the answer is NO, because that would be a nightmare. – rook Mar 31 '11 at 19:12
  • @Rook - god no! That would be a complete nightmare :-) – Rory Alsop Mar 31 '11 at 23:19
  • @Rory Alsop♦ Haha thats my point, I'll rewrite this post. – rook Apr 01 '11 at 00:20
  • @Rory Alsop♦, I'm just wondering, when you say very few companies across you client base don't use Kerberos, do some of them use it via Active Directory (which can work quite well as a KDC), without it being branded as Kerberos? – Bruno May 19 '11 at 13:37
  • @Bruno - most large companies do use Active Directory, but it is pretty much exclusively LDAP (the exceptions are usually large scale users of AIX) – Rory Alsop May 19 '11 at 19:38
0

i would like to try clipperz in our small office for all the websites that employees have to authenticate to in order to carry out their job.

clipperz.com is an open source web application with the intention of encrypting sensitive information using javascript before transmittal to the central server. Host it yourself or sign-up for their service. You may have to adapt it for your specific needs, not sure if it natively supports ldap or kerberos authentication. (i prefer kerberos because other machines or services do not need to be sent my password. With LDAP authentication, your password is sent out.)

Of course, the big vulnerablity is a "man-in-the-browser". Mitigate that vuln by setting up a separate instance of portable firefox that is more locked down and has a proxy configuration that blocks all websites except the internal clipperz webserver.

rjt
  • 284
  • 1
  • 5