Showcase: Tator - Batch password changing and management

In 'Showcase' reviews, the reviewer is the developer. No claim of objectivity is made, but it’s a chance for the developer to show off his/her app. Here, MacResearcher, David Gohara talks about Tator, a program for remotely changing and managing passwords on Unix and Unix-like systems.

I thought I'd use Showcase to let people know about an application I've been working on and using here to make password changing and management a bit easier. We all know that as part of a good security model, we should change our passwords from time to time. For IT folks, this is especially important on managed systems, or simply out of necessity due to computer break-ins or turnover of personnel. One barrier to regularly rotating passwords is the amount of time and coordination it takes in medium to large environments. And given all of the regular responsibilities we all have, password changes are often the last thing to be considered.

Tator is designed to simplify this process by providing a means to manage, generate and remotely change passwords on managed systems. Tator is trivial to set up and can be used to manage passwords on any system that supports login via SSH. Some of the features include:

Password rotation
Batch setting of passwords
Support for computer groups and individual systems
Password auto-generation
Password viewing and printing (for sharing among other IT managers)
128-bit AES encryption of stored passwords (via Apple’s Security Framework)

On the operator's system, Tator requires Mac OS X Leopard.
On the client side, any system that has SSH running can (in theory) be managed with Tator.

How Tator Works

There is really no magic in how Tator works. Tator uses SSH to log into a system remotely, issues a few password-change commands via 'expect', and then updates the user interface.

Under the hood, Tator uses 128-bit AES encryption provided by Apple's Security framework to encrypt and decrypt passwords. When stored on disk, all passwords are encrypted. In fact, passwords are only decrypted when they are accessed by the Core Data machinery.
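The same encrypt-at-rest, decrypt-only-on-access design, as an added example that is not Tator's code. Tator uses AES-128 from Apple's Security framework; this stand-in uses the openssl command line (assumed to be installed, 1.1.1 or newer for -pbkdf2) with AES-128-CBC under a key that PBKDF2 derives from the operator's passphrase. The function names, the passphrase-file convention and the "host<TAB>password" store layout are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Tator's code: keep the password inventory encrypted at rest
# and decrypt it only for the moment a value is read. Tator uses AES-128 from
# Apple's Security framework; here the openssl CLI (assumed installed) stands in,
# with AES-128-CBC under a PBKDF2-derived key. Names and file layout are made up.

# Encrypt stdin into the store file "$1". The passphrase is read from the file
# "$2" so that it never appears on a command line.
encrypt_store() {
    openssl enc -aes-128-cbc -salt -pbkdf2 -iter 200000 -pass "file:$2" -out "$1"
}

# Decrypt the store "$1" to stdout with the passphrase in "$2"; nothing is
# written to disk in the clear.
decrypt_store() {
    openssl enc -d -aes-128-cbc -pbkdf2 -iter 200000 -pass "file:$2" -in "$1"
}

# Look up the password for host "$1" in store "$2" (passphrase file "$3").
# Store lines are "host<TAB>password"; only this one lookup sees plaintext,
# and only inside a pipe.
lookup_password() {
    decrypt_store "$2" "$3" | awk -F '\t' -v h="$1" '$1 == h { print $2; exit }'
}

# Re-encrypt store "$1" from passphrase file "$2" to passphrase file "$3"
# without ever holding a plaintext temporary file.
rekey_store() {
    decrypt_store "$1" "$2" | encrypt_store "$1.new" "$3" && mv "$1.new" "$1"
}
```

The design point is that every reader of the store goes through decrypt_store in a pipe, so the clear text exists only in memory for the duration of one lookup, which is the behaviour the paragraph above describes for Tator's Core Data access.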

Interface

[Screenshot]

Computers can be assigned to logical groups which could be computer labs or nodes in a cluster. Each system associated with that group has its own properties and preferences.

Inspector Views

The Inspector allows you to adjust properties of an individual system:

[Screenshot]

Or multiple systems within a group:

[Screenshot]

There are additional values you can modify depending on your setup, including the SSH port to use, the system's location and notes, and a log of the last update attempt and its time.

Viewing Passwords

By default passwords are not shown in the clear. It's easy to enable password display in the clear, however. This can be useful to make sure you are typing in a new password correctly or to view passwords that have been automatically generated.

[Screenshot]

Once you supply the encryption/decryption password, Tator will display passwords in the clear until you tell it not to, or until 120 seconds have elapsed (whichever comes first). Passwords are displayed in both the main window and the inspector.

[Screenshot]

[Screenshot]

Password Generation

Tator will also generate passwords for you if you aren't in a terribly creative mood. The password generation algorithm is simple, but should suffice for most purposes (or at least serve as a starting point).

[Screenshot]

Currently, you can generate passwords for the selected system or systems in the main interface, for all systems in a group, or for all systems in the entire collection of groups. You can also specify whether each system should get its own unique password or whether the same password should be assigned to all of the systems.

[Screenshot]

Status

Tator will also let you know the status of the system and password changes in the status column of the main window (first column in the computer listing pane).

[Screenshots: the three status icons]

A check mark means that Tator has successfully connected to and changed the password of a system as of the last update. A rotate sign means a new password has been assigned but hasn't been "rotated" for the old one. And a rotate sign with a red X over it means some error occurred during the last update. Typically these are connection errors. You can inspect the log for that system in the inspector for clues as to what may have happened.
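The SSH-and-expect rotation from "How Tator Works", the unique-or-shared password generation described above, and the status outcomes just listed, pulled together as one added example. This is not Tator's code: it is a POSIX shell script that drives passwd through expect, assumes ssh and expect are installed and that every target host is already in known_hosts, and uses made-up names throughout (gen_password, assign_passwords, rotate_one, status_label, the TATOR_* environment variables and the tator-logs directory).

```shell
#!/bin/sh
# Added example, not Tator's code: a minimal batch password rotator built the
# way the text describes (SSH in, drive passwd with expect, record an outcome).
# Assumes ssh and expect are installed and each target host is already in
# known_hosts. Every name below (functions, TATOR_* variables, tator-logs) is made up.

# One random password of $1 characters (default 16) drawn from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-16}"
}

# Read "host<TAB>current_password" lines on stdin and append a new password to each.
# Mode "unique" gives every host its own password; "shared" gives the whole batch
# one, mirroring the per-system / all-systems choice in Tator's generator.
assign_passwords() {
    mode=$1
    tab=$(printf '\t')
    shared=$(gen_password "${2:-16}")
    while IFS="$tab" read -r host oldpw || [ -n "$host" ]; do
        [ -n "$host" ] || continue
        if [ "$mode" = unique ]; then newpw=$(gen_password "${2:-16}"); else newpw=$shared; fi
        printf '%s\t%s\t%s\n' "$host" "$oldpw" "$newpw"
    done
}

# Change one host's password by driving passwd over SSH with expect.
# Exit status: 0 changed, 2 could not connect or log in, 3 passwd rejected the change.
# Both passwords reach expect through the environment rather than the command line
# (which ps would show), and log_user 0 keeps the session transcript out of any log.
# The "new ... password:" pattern is listed first because it also contains "password:";
# ssh's login prompt and passwd's current-password prompt both take the old password.
rotate_one() {
    TATOR_HOST=$1 TATOR_USER=$2 TATOR_PORT=${3:-22} TATOR_OLD=$4 TATOR_NEW=$5 \
    expect <<'EOF'
log_user 0
set timeout 20
spawn ssh -p $env(TATOR_PORT) -o StrictHostKeyChecking=yes -o NumberOfPasswordPrompts=1 \
    $env(TATOR_USER)@$env(TATOR_HOST) passwd
expect {
    -re {[Nn]ew .*[Pp]assword:} { send -- "$env(TATOR_NEW)\r"; exp_continue }
    -re {[Pp]assword:}          { send -- "$env(TATOR_OLD)\r"; exp_continue }
    timeout { puts stderr "timed out waiting for a prompt"; exit 3 }
    eof     {}
}
set code [lindex [wait] 3]
if {$code == 255} { puts stderr "ssh could not connect or log in"; exit 2 }
if {$code != 0}   { puts stderr "passwd exited with status $code"; exit 3 }
puts "password changed"
EOF
}

# The outcomes Tator's status column distinguishes, keyed by rotate_one's exit status.
status_label() {
    case $1 in
        0) printf 'changed\n' ;;
        2) printf 'error: connection or login failed\n' ;;
        3) printf 'error: password change rejected\n' ;;
        *) printf 'error: unexpected status %s\n' "$1" ;;
    esac
}

# Rotate a batch: $1 is unique|shared, $2 the SSH user, $3 an inventory file of
# "host<TAB>current_password" lines. Prints "host<TAB>new_password<TAB>status" and
# keeps one log per host under ./tator-logs. The printed inventory holds the new
# passwords in the clear, which is exactly what Tator's encrypted store is for.
main() {
    tab=$(printf '\t')
    mkdir -p tator-logs
    assign_passwords "$1" <"$3" | while IFS="$tab" read -r host oldpw newpw; do
        if rotate_one "$host" "$2" 22 "$oldpw" "$newpw" >"tator-logs/$host.log" 2>&1; then
            rc=0
        else
            rc=$?
        fi
        printf '%s\t%s\t%s\n' "$host" "$newpw" "$(status_label "$rc")"
    done
}

# Only run a batch when invoked with three arguments; sourcing the file just defines the functions.
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Run it as `sh rotate.sh unique admin inventory.txt` (hypothetical names) and each host ends up with a line in the output and a log under tator-logs that says only which of the three outcomes occurred, never the passwords themselves. StrictHostKeyChecking=yes is deliberate: an unknown or changed host key makes ssh exit 255, which the script reports as a connection failure rather than silently sending the password to whatever answered.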

Printing

Once authenticated to view passwords in the clear, Tator will also allow you to print a list of all of the systems and their corresponding passwords. This can be useful if you need to store a copy of the passwords in a safe location for emergencies or to distribute them to other IT managers in your group.

Tator also comes with a modest help file and an FAQ.

Summary

Currently I'm calling Tator an alpha release, since it's not really feature complete, although the functionality that is enabled has been stable in testing. I'll be adding improvements to the program as time permits and of course I welcome any productive comments, feature requests and bug reports.

Once the code is more refined I plan to release the source.

Tator can be downloaded from my site here.

Comments

Nice Idea!

Great idea, Dave. Looks to be a very promising app.
The 'expect' command was also new to me. Very useful.

Drew

---------------------------
Drew McCormack
http://www.maccoremac.com
http://www.macanics.net
http://www.macresearch.org