one token for multiple users?


Björn Rafreider

Jun 2, 2016, 6:04:13 AM6/2/16
to privacyidea
The "Manage two factor authentication in your server farm easily" tutorial is really a great approach for server management and I'm currently thinking about going a step further:
we are using ISPConfig for Server management, users are stored in mysql, the sqlresolver against the shell_user table works like a charm. 
The shell_users from ispconfig are mainly used by our internal people to access the web files by ssh. Doing authentication through privacyidea would add a central audit layer to the system that even shows the real user (or token) who accessed what shell user.

unfortunately every token can only be assigned to one shell user. For my scenario, it would be great to be able to have one token for each employee and assign it to multiple users in privacyidea. 
Is there a way to do this, or would there be a security impact that I have overlooked?

Cheers,
Björn


Cornelius Kölbel

Jun 2, 2016, 6:32:34 AM6/2/16
to priva...@googlegroups.com
Hi Björn,

in fact this is possible, indirectly.

I also thought about switching to an n:m relation between users and
tokens, but I guess this will change a lot. And this scenario is not
that common.

So, assume your employee has an employee account in privacyIDEA.
You can assign the token to this employee. The human being now owns this
token.

Now you have a lot of shell_users. I assume, you might have a shell user
"root", which of course is no employee, but you have employees Meier,
Schmidt, Kunze, who can be root.

So you assign "remote tokens" to the user "root".
http://privacyidea.readthedocs.io/en/latest/configuration/tokens/remote.html?highlight=remote
A remote token is a virtual token that forwards the authentication
request to another user or token on another privacyIDEA system.
You can also forward the authentication request to another token on the
same privacyIDEA system!

So you assign remote tokens to the user "root":

1. remote token to the token of user "meier"
2. remote token to the token of user "schmidt"
3. remote token to the token of user "kunze"

But you can not only forward to the token, but also to the user.
So you could assign remote tokens to the user "root" like

1. remote token forwards to user "meier"
2. remote token forwards to user "schmidt"
3. remote token forwards to user "kunze"

The difference is that in the first case "meier" can only authenticate
as "root" with this one very token.
In the second case "meier" can authenticate as "root" with whichever
token he possesses.

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
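To make the difference between the two forwarding variants in the reply above concrete, here is a small added model of the resolution logic (my own illustration, not privacyIDEA's code or its REST API): "root" owns only remote tokens, one forwarding to a specific serial of "meier" and one forwarding to the user "schmidt", and each successful login is recorded with the real user behind it, which is the audit trail the original question is after. Token serials, user names and the fixed OTP values are constructed for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Token:
    serial: str
    owner: str                            # privacyIDEA user the token is assigned to
    otp: Optional[str] = None             # constructed fixed OTP, demo only (real tokens are HOTP/TOTP)
    forward_serial: Optional[str] = None  # remote token: forwards to this one serial
    forward_user: Optional[str] = None    # remote token: forwards to any token of this user

AUDIT: List[dict] = []   # what a central audit log would record per successful login

def check(tokens: List[Token], login_user: str, otp: str) -> Tuple[bool, Optional[str], Optional[str]]:
    """Authenticate login_user with otp; return (ok, real_user, serial_that_matched)."""
    for tok in (t for t in tokens if t.owner == login_user):
        if tok.forward_serial:        # case 1: only this one specific token counts
            targets = [t for t in tokens if t.serial == tok.forward_serial]
        elif tok.forward_user:        # case 2: whichever non-remote token the user owns
            targets = [t for t in tokens if t.owner == tok.forward_user
                       and not (t.forward_serial or t.forward_user)]
        else:
            targets = [tok]           # ordinary token assigned directly to login_user
        for target in targets:
            if target.otp is not None and target.otp == otp:
                AUDIT.append({"login": login_user, "real_user": target.owner,
                              "serial": target.serial, "via": tok.serial})
                return True, target.owner, target.serial
    return False, None, None

def demo_tokens() -> List[Token]:
    """Constructed setup: meier and schmidt each own two tokens; root owns only remote tokens."""
    return [
        Token("M1", "meier", otp="111111"), Token("M2", "meier", otp="222222"),
        Token("S1", "schmidt", otp="333333"), Token("S2", "schmidt", otp="444444"),
        Token("R1", "root", forward_serial="M1"),     # meier may become root only via M1
        Token("R2", "root", forward_user="schmidt"),  # schmidt may become root via any of his tokens
    ]

if __name__ == "__main__":
    toks = demo_tokens()
    for otp in ("111111", "222222", "333333", "444444"):
        print(otp, check(toks, "root", otp))
    print(AUDIT)
```

Meier's second token (222222) is rejected for "root" because R1 forwards to the serial M1 only, while both of schmidt's tokens succeed because R2 forwards to the user.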

