On Mar 5, 2013, at 8:29 AM, Adam Constabaris wrote:
> An option is to use a password management program (KeepassX is good because
> it is cross platform) to store the passwords on the shared drive, although
> of course you need to distribute the passphrase for it around.
So years ago, when I worked for a university, they wanted us to put all of the root passwords into an envelope, and give them to management to hold. (we were a Solaris shop, so there actually were root passwords on the boxes, but you had to connect from the console or su to be able to use 'em).
We managed to drag our heels on it, and management forgot about it*, but I had an idea ...
What if there were a way to store the passwords similar to the secret formula in Knight Rider?
Yes, I know, it's an obscure geeky reference, and probably dates me. The story went that the secret bullet-proof spray on coating wasn't held by any one person; there were three people who each knew part of the formula, and that any two of them had enough knowledge to make it.
For needing 2 of 3 people, the process is simple -- divide it up into 3 parts, and each person has a different missing bit. This doesn't work for 4 people, though (either needing 2 people, or 3 people to complete it).
You could probably do it for two or three classes of people (eg, you need 1 sysadmin + 1 manager to unlock it), but I'm not sure if there's some method to get an arbitrary "X of Y" people required to unlock.
If anyone has ideas, send 'em to be off-list. (If other people want the answer, I can aggregate / summarize the results, so I don't end up starting yet another inappropriate out-of-control thread)
Oh, and I was assuming that you'd be using PGP, using the public key to encrypt the passwords, so that anyone could insert / update a password into whatever drop box you had; it'd only be taking stuff out that would require multiple people to combine efforts.
* or at least, they didn't bring it up again while I was still employed there.