I recently chose Syspass to use as a repository for storing passwords. Since there is something of a dearth of in-depth reviews of Open-Source software, I thought I should redress that imbalance by explaining why here.
The Problem
From 2017-2018 I was working as a CyberArk administrator. CyberArk is a privileged access management tool – it stores passwords, implements password management (verifying, rotating, generating, synchronizing) and allows users to access a session without having access to the password. It also provides reporting on state and usage.
CyberArk is really well designed and put together.
But it is very expensive.
When I started a new job with a different employer in 2018, pretty much the only handover I got was a spreadsheet full of passwords. As you might imagine, there were a lot of things higher on my priority list to get the datacenter under control than where passwords were stored. But eventually it came back to the top of my list.
The Requirements
Users
We've gone from 1 admin person to 3 in a very short time – but I don't expect the team to expand much more. However I was keen to have a platform which could be shared securely with the development teams and potentially the wider business. That implied a user-interface – meaning not just some GUI front end, but a multi-user authentication and authorization capability.
Password Management
With several hundred hosts, the prospect of using unique passwords or ever changing them seems to have been too much of a challenge for my predecessors. A critical requirement was that the new system support some means of changing passwords. Having seen from my work with CyberArk that this is not quite as simple as it sounds, the requirement here was that the system provide a usable API for retrieving, verifying and updating passwords.
Secret Management
In 2020, passwords are not the only secrets that need to be stored/deployed securely – there are also access tokens and encryption keys.
Security CIA
Confidentiality, Integrity and Availability are the magic properties of Security. A password manager contains your security crown jewels and so should be subject to very exacting standards of these attributes. Confidentiality entails a robust mechanism for encrypting and protecting data. Integrity is partially addressed by the Password Management requirements above, but along with Availability requires a backup/restore mechanism in place which works when the rest of your infrastructure is severely impaired. 2020 has seen major outages on AWS, Google and Azure – outsourcing that responsibility is not a realistic option.
The Products
Some of the products I looked at in my search were Passbolt, Lastpass, Bitwarden (inc Bitwarden RS), Hashicorp Vault, TeamPass, Passit, GoPass.
An honourable mention here goes to Hashicorp Vault – it is all about the API and machine-to-machine communication. Indeed, the base distribution only has a CLI for user interaction. While there are web front ends, these only expose limited functionality and are geared more towards data maintenance than providing humans with access to secrets. It is also notable for quorum based master key injection at system start-up.
I found the others to be very lacking in their encryption, management of the master key (where one was used) or the functionality/documentation of their APIs.
While Bitwarden has a good user interface (including browser plugins for web application authentication) the API is poorly documented and the authentication process is byzantinely complicated.
Syspass
This runs on my favourite platform: Linux, PHP and MySQL.
Notable features
The web front end allows a single click to copy data to the clipboard (something CyberArk struggles with out of the box).
It not only provides a web-based API but also publishes data on how to augment the behaviour of the server with plugins.
It can provide user authentication via its native user database or via LDAP (including MS Active Directory). Since the user's password is also the decryption key for the user's copy of the master password, that entails a resynchronization process if the password is changed – that is catered for by the use of a temporary, time-limited token. However I have not yet got LDAP integration working with my ancient and somewhat misconfigured OpenLDAP service.
It provides 2 factor authentication.
Missing
If I were designing a password manager myself, I would definitely be building it as a PHAR to take advantage of the code signing mechanisms available to PHP. Syspass is not available as a PHAR, and would need significant reworking to package it as such (the install process writes the config to PHP code files). But in fairness I have not come across any password manager available as a PHAR.
Although it has a browser plugin, I've yet to get this working as intended. Also the plugin relies on the API authentication mechanism – which seems cumbersome (see below). On both Chrome (v87) and Firefox (v84) it refuses to save the configuration.
While the web interface uses Ajax (with JSON responses) extensively to interact with the server, it uses a different end-point than the documented API.
The documented API is intended for machine-to-machine communication. It uses a simple system of access tokens (although there is mention of HTTP Basic authentication in the manual – https://syspass-doc.readthedocs.io/en/3.0/application/authorization.html). However rather than creating a machine account, it is necessary to provision individual permissions which are aggregated by an account name and a password. Managing a complex system with a lot of clients will be difficult.
Project status
As yet, I'm not completely committed to Syspass, and it still needs a lot of work before it will be ready for production. I have started looking at the Backup/DR model and think the best solution will be to export the data into an encrypted KeePass database. The first installment of the code for that is published on GitHub: https://github.com/symcbean/kpx-writer-php
I will be publishing further updates in the coming months.
Update