Using the OSU Secret Server for Shared / Research Lab Accounts

Overview

Any new shared or service account is first set up by opening a ticket with Infrastructure.

To keep shared account passwords secure, OSU stores them in PAM (Privileged Access Management), the Secret Server.

The PAM Console, at https://pam.osu.edu, can store all manner of passwords and push them to computers, providing a central store where group members can manage, change, and retrieve passwords. PAM will also remind owners when passwords need to be rotated.

When to Use a Shared Account

Shared accounts are granted through an exception process. If you need a shared account, reach out to ASCTech and we'll start the process.

A typical case is a lab instrument that several people must log into with one account. Useful information to include with any request:

  • name.# of each person who will be able to view the password contents in PAM (View)
  • name.# of each person who will be able to update the password (Edit)
  • If you are the support manager, it may help to include yourself in one of the lists above so you can support your customer; confirm whether your name.# should be added.
  • A list of the specific assets where the account may be used to log in.
  • Passwords expire and must be changed: every 180 days for non-admin accounts, every 90 days for administrative accounts. By default an expired password is rotated to a new random value, which can then be retrieved from PAM. If you would rather have the account disabled at expiration, with no automatic rotation, say so in the request.
  • Shared accounts are generally named asc-shr-<project or research ID>. If you have an appropriate and useful name in mind, ideally 20 characters or less, include that as well.

Tips

A password change only succeeds if all of the following hold.

  • Always use the "Change Password Now" option, and do not close the browser until PAM confirms a successful change.
  • Shared account passwords must be at least 15 characters long and use 3 of the 4 character classes: upper case, lower case, number, symbol.
  • PAM enforces that complexity rule, but the change can still fail on the back end (the system the password is pushed to) if basic password hygiene is not followed. For example:
    • Don't use part of the account username or any name.#.
    • Don't repeat a character in a row.
    • Don't build the password from several dictionary words.
  • PAM also keeps a history of previously used passwords, so a password cannot be reused.
  • You can always have PAM create a random password.
    • This is useful when testing a password change end to end.
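As an added illustration (not part of PAM or the Secret Server, and not a substitute for what PAM itself enforces), the following script checks a candidate password against the rules listed above and generates a compliant random one in the same spirit as PAM's random-password option. The two identity rules are interpreted here as "no run of three or more characters taken from the account name or from the name part of an owner's name.#"; that interpretation, the account name asc-shr-lab42 and the owner name.#s are assumptions for the example. The dictionary-word rule is not checked, since that would need a wordlist.

```python
"""Local pre-check for shared-account passwords (added example, not PAM code).

Rules implemented: minimum 15 characters; 3 of 4 character classes; no
character repeated in a row; no fragment (3+ chars) of the account name or
of an owner's name.# (assumed interpretation of the page's hygiene rules).
Not implemented: the dictionary-word rule (needs a wordlist).
"""
import re
import secrets
import string

MIN_LENGTH = 15
REQUIRED_CLASSES = 3
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(SYMBOLS),
}


def identity_tokens(account, owners, min_len=3):
    """Fragments of the account name and owner name.#s that must not appear.

    Identifiers are split on non-alphanumerics, so "asc-shr-lab42" yields
    asc / shr / lab42 and "smith.123" yields smith (the numeric suffix of a
    name.# is dropped).
    """
    tokens = []
    for ident in [account] + list(owners):
        for part in re.split(r"[^a-z0-9]+", ident.lower()):
            if len(part) >= min_len and not part.isdigit() and part not in tokens:
                tokens.append(part)
    return tokens


def check_password(pw, account, owners):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"only {len(pw)} characters (minimum {MIN_LENGTH})")
    hit = sum(1 for chars in CLASSES.values() if any(c in chars for c in pw))
    if hit < REQUIRED_CLASSES:
        problems.append(f"uses only {hit} of 4 character classes (need {REQUIRED_CLASSES})")
    if re.search(r"(.)\1", pw):  # same character twice in a row
        problems.append("repeats a character in a row")
    lowered = pw.lower()
    for tok in identity_tokens(account, owners):
        if tok in lowered:
            problems.append(f"contains {tok!r} from the account name or an owner's name.#")
    return problems


def generate_password(account, owners, length=20, attempts=1000):
    """Draw CSPRNG passwords until one passes check_password."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    for _ in range(attempts):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, account, owners):
            return pw
    raise RuntimeError("could not generate a compliant password")


if __name__ == "__main__":
    # Constructed sample account and owners (assumptions for the example).
    acct, owners = "asc-shr-lab42", ["smith.123", "jones.4"]
    for candidate in ["Smith.Lab42!Quartz", "Correct-Horse-Battery9", "Wombat-7Kite_Zeal9"]:
        print(candidate, "->", check_password(candidate, acct, owners) or "OK")
    print("generated:", generate_password(acct, owners))
```

Running the script shows why two superficially strong passwords would still fail: "Smith.Lab42!Quartz" contains fragments of both the account name and an owner's name.#, and "Correct-Horse-Battery9" repeats characters in a row ("rr", "tt"), while "Wombat-7Kite_Zeal9" passes every implemented rule.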

Changing or Retrieving the Password

  • Log into the Secret Server at https://pam.osu.edu/
  • Approve the Duo push for two-factor authentication.
  • Go to All Secrets.
  • Search on a likely string, such as your PI's name. Click the star to mark the secret as a favorite for future reference.
  • Show the current password.
  • Change the password. The Secret Server guides you on the complexity rules when changing the password.

You can also have the Secret Server send you an email confirmation when a password is changed.