sveniu at ifi
Jul 27, 2012, 4:46 AM
Post #1 of 4
[OT] Multi-user hierarchical password management via pki
Is there such a thing as a multi-user, hierarchical, arbiter-less
password manager? I'm thinking specifically for use in a system
context where you have multiple sub groups and cross-group roles that
need access to different sets of passwords.
* Users share one database, and can only view passwords that they are
authorized to access. Authorization is either per-user or per-group.
* Users and groups can be defined either statically, or perhaps
looked up through external means like ldap, pam, etc.
* Passwords are organized in a tree/folder structure, and each node
(branches and leaves, i.e. passwords) is associated with one or more users or
groups. Optionally, a user with access to a node would have recursive access.
* There is no all-knowing arbiter that can read and write any entry in
the database. Not having an arbiter complicates things quite a bit.
* PKI is used so that a new password entry is associated with a list of
users or groups, and is then encrypted with the target users' pubkeys. A
lookup mechanism is needed.
* Preferably have a distributed system, managed by distributed revision
control. This precludes using filesystem semantics like permissions,
etc, and would instead require the use of a metadata index of sorts.
* Preferably make the system usable without having to rely on a
Running 'gpg -d *' would decrypt files encrypted with your pubkey.
As far as I can tell, there exists no such thing -- possibly for very
good reasons; see below. I've been thinking of how to implement this sort of
system, like so:
* Use one file per password, with a simple structure like:
<path> <access> [<name> <username> <password> <comment>], where
<path>: directory-style path to the entry, e.g. '/dns/resolver/res1'
<access>: user(s)/group(s) with access to the entry. This might have to
include lookup details, such as ldap url or similar.
<name>: name of entry, e.g. 'root account'
Name, username, password and comment are optional, to facilitate the
creation of password-less branching nodes in the tree, solely for
user/group access (which then apply recursively).
* Files have inconspicuous names, for example created by hashing the
contents, random characters, or a serial number. Possibly add random
files to discourage traffic analysis. Possibly gather all files in
or zip archive, which is again encrypted with everyone's pubkeys.
not a concern.
* Creating a new entry would require inputting the user(s)/group(s)
should have access. This, together with the lookup/fetching of target
keys, is somewhat tricky.
* Using something like Git would make revision control easy. On the other
hand, it would make it possible for revoked users to regain access by
fetching old revisions. This might preclude revision control.
* Revoking access for users that either leave or switch groups would mean
having to re-encrypt all entries where the user had access (and
entries where the user had sole access). Without an all-knowing arbiter,
this could also easily be a showstopper.
* Having a simple curses-based interface would allow easy navigation of the
tree, displaying only the entries that the user can access. A web interface
would not work out, due to the use of pki. A standalone gui
could work, for the command line challenged.
Any thoughts on this, especially the showstoppers?
Gnupg-users mailing list
Gnupg-users [at] gnupg
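The design sketched in the post above, as an added example that is my code and not the poster's: a small Python metadata index implementing the one-file-per-entry <path>/<access> structure, recursive access on branch nodes, resolution of each entry's reader set (i.e. which pubkeys that file has to be encrypted to), the per-entry gpg command line (built from gpg's own --encrypt/--recipient/--output options, returned rather than executed), a content-hash file name, and the cost of a revocation (which files must be re-encrypted, and which nobody can read any more). Group membership is a static dict standing in for the ldap/pam lookup; the users, groups, key IDs and entries are constructed sample data.

```python
"""
Added example (not the original poster's code): a minimal metadata index for
the tree-structured, per-entry-encrypted store sketched on the list.  Entries
are keyed by a directory-style <path> and carry an <access> list of users and
@groups; access on a branch node applies recursively.  Group membership is a
static dict standing in for an ldap/pam lookup; all users, groups, key IDs
and entries below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from posixpath import dirname


@dataclass
class Entry:
    path: str            # e.g. '/dns/resolver/res1'; '/' is the tree root
    access: list[str]    # user names or '@group' names
    name: str = ""       # name/username/password/comment are optional: an
    username: str = ""   # entry with none of them is a branch node that only
    password: str = ""   # carries (recursive) access rights
    comment: str = ""


class Index:
    def __init__(self, groups: dict[str, set[str]], keyids: dict[str, str]):
        self.groups = groups      # group name -> set of user names
        self.keyids = keyids      # user name -> OpenPGP key ID (assumed)
        self.entries: dict[str, Entry] = {}

    def add(self, entry: Entry) -> None:
        if not entry.path.startswith("/"):
            raise ValueError("paths are absolute, e.g. '/dns/resolver/res1'")
        self.entries[entry.path] = entry

    def _expand(self, names: list[str]) -> set[str]:
        """Turn a mixed user/@group access list into a set of user names."""
        users: set[str] = set()
        for n in names:
            users |= self.groups.get(n[1:], set()) if n.startswith("@") else {n}
        return users

    def readers(self, path: str) -> set[str]:
        """Users allowed to read `path`: its own access list plus the access
        lists of every ancestor node (that is the recursive access rule)."""
        users: set[str] = set()
        p = path
        while True:
            e = self.entries.get(p)
            if e is not None:
                users |= self._expand(e.access)
            if p == "/":
                return users
            p = dirname(p)

    def visible(self, user: str) -> list[str]:
        """What a tree browser would show this user."""
        return sorted(p for p in self.entries if user in self.readers(p))

    def gpg_argv(self, path: str, plaintext: str, ciphertext: str) -> list[str]:
        """gpg command encrypting one entry file to all of its readers;
        built from documented gpg options, returned here rather than run."""
        argv = ["gpg", "--batch", "--yes", "--encrypt", "--output", ciphertext]
        for user in sorted(self.readers(path)):
            argv += ["--recipient", self.keyids[user]]
        return argv + [plaintext]

    def revoke(self, user: str) -> tuple[list[str], list[str]]:
        """Drop `user` from every group and access list.  Returns (paths whose
        files must be re-encrypted by someone who can still read them, paths
        that nobody can read any more, i.e. the data-loss case)."""
        affected = [p for p in self.entries if user in self.readers(p)]
        for members in self.groups.values():
            members.discard(user)
        for e in self.entries.values():
            e.access = [a for a in e.access if a != user]
        orphaned = [p for p in affected if not self.readers(p)]
        return sorted(affected), sorted(orphaned)


def serialize(e: Entry) -> str:
    """The post's '<path> <access> [<name> <username> <password> <comment>]'
    record, tab-separated (fields are assumed not to contain tabs)."""
    return "\t".join([e.path, ",".join(e.access), e.name, e.username,
                      e.password, e.comment])


def blob_name(e: Entry) -> str:
    """Inconspicuous on-disk name: a prefix of the record's SHA-256."""
    return hashlib.sha256(serialize(e).encode()).hexdigest()[:16] + ".gpg"


def build_sample() -> Index:
    """Constructed sample data, not a real deployment."""
    idx = Index(groups={"dns": {"alice", "bob"}, "ops": {"carol"}},
                keyids={"alice": "0x1111AAAA", "bob": "0x2222BBBB",
                        "carol": "0x3333CCCC", "dave": "0x4444DDDD"})
    idx.add(Entry("/dns", ["@dns"]))                           # branch node
    idx.add(Entry("/dns/resolver/res1", ["bob"], "root account",
                  "root", "hunter2", "primary resolver"))
    idx.add(Entry("/web", ["@ops"]))                           # branch node
    idx.add(Entry("/web/prod", ["dave"], "deploy", "deploy", "s3cret"))
    idx.add(Entry("/backup/offsite", ["dave"], "vault", "", "only-dave"))
    return idx
```

With the sample data, alice reads /dns/resolver/res1 through the dns group's access on /dns even though the entry itself only names bob, so that file gets encrypted to both key IDs. build_sample().revoke("dave") returns (["/backup/offsite", "/web/prod"], ["/backup/offsite"]): /web/prod can be re-encrypted by carol, but /backup/offsite had dave as its sole reader and is gone once his key is untrusted, which is the showstopper from the post. Nothing here helps with old revisions in Git, either.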