Authentication via Userstore for Linux/Unix systems - repost


I have a scenario I would like to present that I find hard implementing on privacyIDEA.

I am using SQL resolver and I would like to authenticate users logging into Linux servers using the userstore and this means storing passwords on the SQL resolver.

However, the challenge comes in when you have multiple Linux servers with different passwords under one username. You cannot store multiple passwords under the same username on SQL resolver.

Another option would be using tokenpin to authenticate logins to these servers but I find it tedious.

What I am asking is how I can be able to authenticate login to the Linux servers using userstore despite the servers having different passwords set on the servers for one username?

And if there is no way, is it a feature that can be possibly added because I think it would be of great help.

What is the reason for having different passwords? Where do human beings that use the same username on different machines currently manage the different passwords?

This is tedious. But managing a matrix with several hostnames (for the linux servers) and different passwords for each hostname is always a tedious task. So how would you like to manage these different passwords?

How are you currently managing different passwords in the userstore?

Note: privacyIDEA is not meant to do user management in userstores.

Thank you for your response.

Answer to question 1: I am sure for an environment where most of the servers are hosted on cloud, and the platform is linux, many users tend to use different passwords for different servers. And I believe that adds security.

Answer to question 2: The scenario I can use is windows authentication. When you login to a windows workstation/server, once you key in your windows password, it prompts you for your PIN, then later key in the OTP value/PUSH. That’s what I want to achieve with authentication to linux machines. Whereby I can login to different servers using my linux password, PIN and OTP/Push regardless of having different password on each server.

Question 3: Currently for windows authentication, I am managing fine. But I am not able to manage the different passwords in the userstore when it comes to situations where we have different passwords for different servers. And for such situations I am using otppin=tokenpin, while I would like to use either otppin=userstore or otppin=pin (which is not part of the list).

P.S. I understand sir that PrivacyIDEA is not meant to do user management in userstore, however I have seen different MFA tools having the capability to authenticate logins to different hosts despite the different passwords and I thought maybe there could be such a functionality in privacyIDEA that I may have missed.

I still don’t get it.

How many different users do you have on one server?
If you manage the user passwords on the servers why don’t you use the PAM stack, run the first authentication against the different local password and the second authentication (e.g. OTP) against privacyIDEA?

Simply use your PAM knowledge to achieve this.
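The PAM approach suggested above, modelled as an added example (not code from the thread or from the privacyIDEA project): the first stage checks the host's own local password, which may differ per host, and only if that succeeds does the second stage consult a privacyIDEA-style OTP check. The stack order assumed here is `auth requisite pam_unix.so` followed by `auth required <privacyIDEA PAM module>` in the host's PAM config; the local store uses PBKDF2 as a stand-in for crypt(3) hashes, the OTP validator only mimics the shape of privacyIDEA's `/validate/check` response, and all users, hosts, passwords and OTP values are constructed.

```python
"""Two-stage login modelled on a PAM auth stack (constructed example).

Stage 1: the host's own local password (different on each host).
Stage 2: the OTP, checked by a privacyIDEA-like validator.

Control flags follow pam.d(5):
  requisite  - on failure, stop immediately and fail (stage 2 is never called)
  required   - on failure, remember it but keep running the stack
  sufficient - on success with no earlier 'required' failure, succeed now
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple

# --- Stage 1: per-host local password store (constructed; PBKDF2 stands in for crypt(3)) ---

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_local_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a shadow-like table {user: (salt, hash)} for one host."""
    return {user: (salt, _pbkdf2(pw, salt))
            for user, pw in users.items()
            for salt in [os.urandom(16)]}

def local_password_check(store: Dict[str, Tuple[bytes, bytes]], user: str, secret: str) -> bool:
    entry = store.get(user)
    if entry is None:
        _pbkdf2(secret, b"\x00" * 16)  # same cost for unknown users (no timing tell)
        return False
    salt, expected = entry
    return hmac.compare_digest(_pbkdf2(secret, salt), expected)

# --- Stage 2: OTP check shaped like privacyIDEA's /validate/check response ---

def privacyidea_check(user: str, otp: str, valid_otps: Dict[str, str]) -> bool:
    """Stand-in for POST /validate/check (assumption: only the response shape is real):
    {"result": {"status": bool, "value": bool}}. Fails closed unless both are true."""
    response = {"result": {"status": True, "value": valid_otps.get(user) == otp}}
    return bool(response["result"]["status"] and response["result"]["value"])

# --- The stack evaluator ---

Module = Tuple[str, Callable[[str, Dict[str, str]], bool]]  # (control flag, check(user, creds))

def run_auth_stack(stack: List[Module], user: str, creds: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Evaluate modules in order; return (authenticated, names of modules actually called)."""
    called: List[str] = []
    required_failed = False
    any_success = False
    for control, check in stack:
        called.append(check.__name__)
        ok = check(user, creds)
        any_success = any_success or ok
        if control == "requisite" and not ok:
            return False, called            # short-circuit: later modules never run
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True, called
    return any_success and not required_failed, called

def build_stack(local_store: Dict[str, Tuple[bytes, bytes]], valid_otps: Dict[str, str]) -> List[Module]:
    def pam_unix_like(user: str, creds: Dict[str, str]) -> bool:
        return local_password_check(local_store, user, creds.get("password", ""))

    def pam_privacyidea_like(user: str, creds: Dict[str, str]) -> bool:
        return privacyidea_check(user, creds.get("otp", ""), valid_otps)

    # Mirrors the assumed host config:
    #   auth requisite pam_unix.so
    #   auth required  <privacyIDEA PAM module>
    return [("requisite", pam_unix_like), ("required", pam_privacyidea_like)]

def login(host_stores, valid_otps, host: str, user: str, password: str, otp: str) -> Tuple[bool, List[str]]:
    """Log 'user' into 'host' with that host's local password plus the OTP."""
    stack = build_stack(host_stores[host], valid_otps)
    return run_auth_stack(stack, user, {"password": password, "otp": otp})

# Constructed data: one username, a different local password per host, one OTP value.
HOST_STORES = {
    "web01": make_local_store({"alice": "web01-only-pw"}),
    "db01": make_local_store({"alice": "db01-only-pw"}),
}
VALID_OTPS = {"alice": "123456"}

if __name__ == "__main__":
    print(login(HOST_STORES, VALID_OTPS, "web01", "alice", "web01-only-pw", "123456"))
    print(login(HOST_STORES, VALID_OTPS, "db01", "alice", "web01-only-pw", "123456"))
```

Because the local check is `requisite`, a wrong host password ends the stack before the OTP module runs, so privacyIDEA only ever sees OTP attempts from sessions that already hold the correct local password; the per-host password difference lives entirely in stage 1 and nothing about it has to be stored in the userstore.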

Okay, thanks for this suggestion.

I think this could work.