In fact this is possible, indirectly.
I also thought about switching to an n:m relation between users and
tokens, but I guess this will change a lot. And this scenario is not
So, assume your employee has an employee account in privacyIDEA.
You can assign the token to this employee. The human being now owns this
Now you have a lot of shell_users. I assume you might have a shell user
“root”, which of course is no employee, but you have employees Meier,
Schmidt, Kunze, who can be root.
So you assign “remote tokens” to the user “root”.
A remote token is a virtual token that forwards the authentication
request to another user or token on another privacyIDEA system.
You can also forward the authentication request to another token on the
same privacyIDEA system!
So you assign remote tokens to the user “root”:
- remote token to the token of user “meier”
- remote token to the token of user “schmidt”
- remote token to the token of user “kunze”
But you can not only forward to the token but also to the user.
So you could assign remote tokens to the user “root” like
- remote token forwards to user “meier”
- remote token forwards to user “schmidt”
- remote token forwards to user “kunze”
The difference is that in the first case “meier” can only authenticate
as “root” with this one very token.
In the second case “meier” can authenticate as “root” with whichever
token he possesses.
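The two forwarding variants described above, as an added example that is not part of the original thread and not privacyIDEA's own code: the first function assembles the parameters for enrolling a remote token for a shell user via privacyIDEA's `POST /token/init` (the `remote.*` parameter names follow the remote token type as documented for privacyIDEA; the server URL, realm and the choice of `remote.local_checkpin` are assumptions to check against your version). The in-memory store below it is a constructed model of the forwarding rule, used here only to show why forwarding to a serial pins the employee to one token while forwarding to a user accepts any token that user owns, and what the audit record then shows about the real user behind a “root” login.

```python
"""Constructed model of privacyIDEA-style remote tokens (added example)."""
from dataclasses import dataclass


def remote_token_init_params(owner, remote_server, remote_user=None,
                             remote_serial=None, remote_realm=None):
    """Form parameters for POST /token/init enrolling a remote token for
    `owner` (e.g. "root"). Exactly one of remote_user / remote_serial is
    given: a serial pins the forward to that one token, a user accepts any
    token that user owns. Parameter names follow the remote token type as
    documented for privacyIDEA (assumption: verify against your version)."""
    if (remote_user is None) == (remote_serial is None):
        raise ValueError("give exactly one of remote_user or remote_serial")
    params = {"type": "remote", "user": owner,
              "remote.server": remote_server,   # may be the same instance
              "remote.local_checkpin": "0"}     # PIN is checked on the target
    if remote_serial:
        params["remote.serial"] = remote_serial
    else:
        params["remote.user"] = remote_user
        if remote_realm:
            params["remote.realm"] = remote_realm
    return params


@dataclass
class Token:
    serial: str
    owner: str
    otps: set                    # constructed stand-in for real OTP checking
    forward_serial: str = None   # remote token: forward to this one token
    forward_user: str = None     # remote token: forward to any token of user


class Store:
    """Minimal token store with /validate/check-like resolution and audit."""

    def __init__(self):
        self.tokens = {}
        self.audit = []

    def add(self, tok):
        self.tokens[tok.serial] = tok

    def owned_by(self, user):
        return [t for t in self.tokens.values() if t.owner == user]

    def _check_local(self, tok, otp):
        if otp in tok.otps:
            tok.otps.discard(otp)    # one-time: a replayed value must fail
            return True
        return False

    def check(self, user, otp):
        """Try every token of `user`; remote tokens resolve to their target,
        and the audit entry records which real token and person matched."""
        for tok in self.owned_by(user):
            if tok.forward_serial:
                targets = [self.tokens[tok.forward_serial]]
            elif tok.forward_user:
                targets = self.owned_by(tok.forward_user)
            else:
                targets = [tok]
            for t in targets:
                if self._check_local(t, otp):
                    self.audit.append({"login_as": user, "via": tok.serial,
                                       "real_token": t.serial,
                                       "real_user": t.owner})
                    return True
        self.audit.append({"login_as": user, "via": None,
                           "real_token": None, "real_user": None})
        return False


def demo():
    """Case 1: root forwards to meier's serial MEIER1 only.
    Case 2: root forwards to user schmidt, so any of schmidt's tokens works."""
    s = Store()
    s.add(Token("MEIER1", "meier", {"111111"}))      # constructed OTP values
    s.add(Token("MEIER2", "meier", {"222222"}))
    s.add(Token("SCHM1", "schmidt", {"333333"}))
    s.add(Token("SCHM2", "schmidt", {"444444"}))
    s.add(Token("RROOT1", "root", set(), forward_serial="MEIER1"))
    s.add(Token("RROOT2", "root", set(), forward_user="schmidt"))
    results = {
        "meier_pinned_token": s.check("root", "111111"),  # True
        "meier_other_token": s.check("root", "222222"),   # False: not forwarded
        "schmidt_token_1": s.check("root", "333333"),     # True
        "schmidt_token_2": s.check("root", "444444"),     # True: any of his tokens
        "replayed_otp": s.check("root", "111111"),        # False: already consumed
    }
    return results, s.audit


if __name__ == "__main__":
    res, audit = demo()
    for name, ok in res.items():
        print(f"{name}: {ok}")
    for entry in audit:
        print(entry)
```

The audit list is the point of the exercise from the original question: every successful “root” login carries the serial and owner of the token that actually matched, so the central log shows the employee behind the shared shell account rather than just “root”.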
Cornelius

On Thursday, 02.06.2016, 03:04 -0700, Björn Rafreider wrote:
The “Manage two factor authentication in your server farm easily”
tutorial is really a great approach for server management and I’m
currently thinking about going a step further:
we are using ISPConfig for Server management, users are stored in
mysql, the sqlresolver against the shell_user table works like a
The shell_users from ispconfig are mainly used by our internal people
to access the web files by ssh. Doing authentication through
privacyidea would add a central audit layer to the system that even
shows the real user (or token) who accessed what shell user.
Unfortunately every token can only be assigned to one shell user. For
my scenario, it would be great to be able to have one token for each
employee and assign it to multiple users in privacyidea.
Is there a way to do this, or would there be a security impact that I
+49 151 2960 1417
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel