Choosing a password manager and getting the PHP Password Manager installed.

Nov 26, 2010 | Linux, Server administration, Technology | 1 comment

An update to this post detailing the KeePass password manager is available.

I have been searching for a decent password manager for ages. Ideally I’d love to be able to use Network password manager: from using it at work I know that it’s a really small and fast application that integrates with Active Directory easily and provides some really nice search functionality. I was looking for something that would accept authentication from multiple users and would also store license files. Network password manager is really the best option. The problem is, it’s far too expensive to justify the cost.

When I couldn’t find a decent installable application that I could access from any Windows PC and that would read passwords from a central location, I started to look for web based applications. There are some great applications out there but none of them were secure enough or provided the right level of encryption. Passwords, even if they’re just for websites, are probably your most important asset when you’re online a lot.

After a bit of digging I found PHPPasswordManager and USB password manager. I was almost willing to consider having to bring a pen drive everywhere with the USB password manager on it, but I knew that at some stage I wouldn’t have it with me when I needed it most. PHPPasswordManager seemed to be the best bet. It didn’t have everything I wanted but it was simple, lightweight and fast, and it wouldn’t take all that long to get running.

In the end, I decided to go with PHP Password Manager as it encrypts passwords before sending them to or from the server and the user interface is very clean. It required a bit of work though.

I have customized this web application extensively in a very short time: the interface provides the information I want at the top, the help text at the end of every page is hidden and only shown if or when I want it, and I’ve replaced some of the buttons, such as configure and add, with links to make it easier to jump to them very quickly.

Most importantly, after installing PHPPasswordManager I found that its authentication wasn’t as good as I thought it was going to be. When a user visited the URL they could see all of the accounts that had passwords associated with them. This isn’t all that bad: with some cryptic names it could be hard to determine what systems the passwords were for and, of course, the passwords can only be unlocked with the master password. However, this was still a concern, so I have password protected the directory that this site is in and I only accept logins from one account. These details are sent using Digest authentication to add more security.

The following summarises the steps I used to install PHPPasswordManager.

  1. Download the .gz archive to your Linux box by visiting the URL:
    http://sourceforge.net/projects/phppassmanager/
  2. Extract the archive using
    tar xzvf phppassmanager*
    when in the directory containing the downloaded file.
  3. Navigate to the install directory:
    cd phppassmanager*/install
  4. Create the database (the name must match the one used in the next step and in config.php):
    echo "create database phppassmanager" | mysql -u username --password=password
    Replace the username and password with an account that has the required privileges to add databases.
  5. Add the tables into the database:
    mysql -u username --password=password phppassmanager < tables.sql
    Again, replace the username and password.
  6. Using PHPMyadmin, create a new account and give it access to the database we have just created.
  7. Edit config.php and change the username, password and database to provide the information you have just added.

Create a new virtual directory for this. You can most likely paste the following into /etc/apache2/sites-available/default:

Alias /passwords "/home/web/phppassmanager/"
<Directory /home/web/phppassmanager/>
    Options Indexes MultiViews FollowSymLinks
    AllowOverride AuthConfig
    Order allow,deny
    allow from all
</Directory>

Obviously, it goes without saying that you will need to change the paths etc. in this to reflect the structure of your file system.
Now reload your Apache2 config.
/etc/init.d/apache2 reload
Navigate to yourdomain/passwords in your browser.
The password manager should be shown.

Now, let’s harden the configuration a little bit.

  1. Within /home/web/phppassmanager, or wherever you have left this directory, you will see a directory called install. Rename this to TMPinstall. This can be deleted at a later date. Leave it there for the moment in case you need it in the upcoming days.
  2. Now, let’s password protect the directory. mod_auth_digest reads a file in htdigest format (user, realm and hash), not the htpasswd format used for Basic authentication, so create it with htdigest and the same realm that the .htaccess below declares:
    htdigest -c /etc/apache2-passwords "Restricted Files" YourUsername
    Replace YourUsername with whatever name you want to log in with.
    You will be asked to enter your password twice.
  3. Enable the auth_digest module:
    a2enmod auth_digest
  4. Restart Apache2.
    /etc/init.d/apache2 restart
  5. Use nano or your favourite text editor to create a .htaccess file:
    nano /home/web/phppassmanager/.htaccess
    Remember to change the path to reflect your own set up.
  6. Paste the following lines. Take care to change the path to the password file and change the username as well.
    AuthType Digest
    AuthName "Restricted Files"
    AuthUserFile /etc/apache2-passwords
    Require user YourUsername
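The password file that steps 2 and 6 depend on, as an added example that is not part of the original post or of PHPPasswordManager: it builds an htdigest-style entry for the realm named by AuthName and checks that a password file is in the format mod_auth_digest can read, which is the check that catches an htpasswd-generated (Basic) file. The realm "Restricted Files" and the file layout are those of the .htaccess above; the user name and password are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original post or of PHPPasswordManager.
# mod_auth_digest reads "user:realm:HA1" lines where
# HA1 = MD5("user:realm:password"). That is what htdigest writes and what
# htpasswd does not. digest_entry() produces such a line portably (so the
# example runs even where htdigest is not installed) and check_digest_file()
# verifies a password file against the realm declared by AuthName.
# Realm "Restricted Files" comes from the post; user and password are
# constructed sample values.

digest_entry() {
    user=$1 realm=$2 pass=$3
    ha1=$(printf '%s:%s:%s' "$user" "$realm" "$pass" | md5sum | cut -d' ' -f1)
    printf '%s:%s:%s\n' "$user" "$realm" "$ha1"
}

# Returns 0 if every line is "user:realm:<32 hex chars>" for the given
# realm, 1 otherwise. A Basic-auth file from htpasswd has only two fields
# ("user:$apr1$..."), so it is rejected; so is an entry for another realm,
# which Apache would never match against AuthName.
check_digest_file() {
    file=$1 realm=$2
    [ -s "$file" ] || return 1
    awk -F: -v realm="$realm" '
        NF != 3 || $2 != realm || length($3) != 32 || $3 !~ /^[0-9a-f]+$/ { bad = 1 }
        END { exit bad ? 1 : 0 }' "$file"
}

# Demo: write one constructed user to a temporary file and validate it
# against the realm used in the post's .htaccess.
demo() {
    tmp=$(mktemp)
    digest_entry "YourUsername" "Restricted Files" "sample-password" > "$tmp"
    if check_digest_file "$tmp" "Restricted Files"; then
        echo "digest file OK for realm 'Restricted Files'"
    else
        echo "digest file NOT usable by mod_auth_digest"
    fi
    rm -f "$tmp"
}

demo
```

On a real server, run the same check against /etc/apache2-passwords after editing the .htaccess, since a realm mismatch between the file and AuthName fails without a useful error in the browser.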

That’s all there is to it.
Go to the configure button and start making groups.
Add passwords.
It’s all very easy after that.

This set up has a major limitation. It doesn’t allow for multi-user environments but for what I need right now, it will do… Just about.

1 Comment

  1. Jim Lynch

    Thank you for publishing this very instructive post. I found it very helpful.

    I’m installing on Ubuntu server 12.04 and found that the instructions didn’t completely work for me. First the password file is shown as /etc/apache-passwords and then it’s shown as /etc/apache2-passwords. They should be consistent. Obviously a typo.

    My version of Apache needs to use htdigest to generate the password file. This worked for me:

    htdigest /etc/apache2-passwords “Restricted Files” (run as root)

    htpasswd creates a file that works well with Basic authentication but not Digest.

    I didn’t have to enable auth_digest, it was already enabled. I had to remove the
    Order allow,deny
    allow from all

    From the option list. I didn’t bother reconfiguring Apache to permit them.

    I also changed the Require to:

    Require valid-user

    To be more general in case I wanted to add someone else. The web site changed the double quotes to something else, so when I copied/pasted the .htaccess directives, Apache balked. The characters are some sort of typesetting characters. Replacing them with the editor fixed that problem.

