Password Security In a Large Distributed Environment
Author(s): Michele D. Crabb

Date: 1990
Publication: Proceedings of the Second USENIX UNIX Security Workshop
Page(s): 17 - 30
Publisher: USENIX
With the increased interest in, or rather need for, better security in UNIX computing environments, password security and control is one issue which must be addressed completely. In the past, when a single VAX 11/780 serving 30 users was the status quo, password security was simple in that a system administrator merely had to remember a few privileged passwords and ensure that all user accounts had passwords. However, in today’s large-scale environments where central support of 100 or more systems is common and with the availability of fast password cracking programs, password security has become a complex issue. Password security no longer involves just remembering the root password for a particular system or ensuring all accounts have passwords. It now involves the concept of using “smart” passwords, management of a large number of privileged passwords and an equally large number of people who need access to those passwords, and a much tighter control on who has access to the root and other privileged accounts.

This paper will examine the current methods used for password security and control at the Numerical Aerodynamic Simulation (NAS) facility at NASA-Ames Research Center. The NAS environment consists of over 170 systems running the UNIX operating system with the TCP/IP network protocol software which supports over 1000 users nationwide. On-going support and software development for NAS is provided by close to 150 personnel. Due to the large number of systems, users and support personnel, implementing password security and control at NAS has been a challenging task.

Some specific topics that will be discussed are: the concept of “special access” accounts; how password groups and levels of access are defined; the formal NAS policies concerning access to privileged accounts; how all the information regarding the numerous privileged passwords is tracked and recorded; and one alternative to providing the root password to everyone who needs root access.

