One token for multiple users?

The “Manage two factor authentication in your server farm easily” tutorial
is really a great approach for server management and I’m currently thinking
about going a step further:
we are using ISPConfig for Server management, users are stored in mysql,
the sqlresolver against the shell_user table works like a charm.
The shell_users from ispconfig are mainly used by our internal people to
access the web files by ssh. Doing authentication through privacyidea would
add a central audit layer to the system that even shows the real user (or
token) who accessed what shell user.

Unfortunately every token can only be assigned to one shell user. For my
scenario, it would be great to be able to have one token for each employee
and assign it to multiple users in privacyidea.
Is there a way to do this, or would there be a security impact that I have
overseen?

Cheers,
Björn

Hi Björn,

in fact this is possible, indirectly.

I also thought about switching to an n:m relation between users and
tokens, but I guess this will change a lot. And this scenario is not
that common.

So, assume your employee has an employee account in privacyIDEA.
You can assign the token to this employee. The human being now owns this
token.

Now you have a lot of shell_users. I assume, you might have a shell user
“root”, which of course is no employee, but you have employees Meier,
Schmidt, Kunze, who can be root.

So you assign “remote tokens” to the user “root”.
http://privacyidea.readthedocs.io/en/latest/configuration/tokens/remote.html?highlight=remote
A remote token is a virtual token that forwards the authentication
request to another user or token on another privacyIDEA system.
You can also forward the authentication request to another token on the
same privacyIDEA system!

So you assign remote tokens to the user “root”:

  1. remote token to the token of user “meier”
  2. remote token to the token of user “schmidt”
  3. remote token to the token of user “kunze”

But you can not only forward to the token but also to the user.
So you could assign remote tokens to the user “root” like

  1. remote token forwards to user “meier”
  2. remote token forwards to user “schmidt”
  3. remote token forwards to user “kunze”

The difference is that in the first case “meier” can only authenticate
as “root” with this one very token.
In the second case “meier” can authenticate as “root” with whichever
token he possesses.

Kind regards
Cornelius

On Thursday, 02.06.2016, 03:04 -0700, Björn Rafreider wrote:





Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
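The two variants from the reply, scripted against the privacyIDEA REST API, as an added example that is not part of the thread or of privacyIDEA itself. It assumes the base URL, admin credentials and the realm names `shellusers` (the sqlresolver realm) and `employees` (where each employee's own token lives); the `remote.*` parameter names are those documented for the remote token type.

```python
import json
import urllib.request

# Constructed values for this example; replace with your own.
PI_URL = "https://privacyidea.example.com"   # assumed privacyIDEA base URL
ADMIN_USER, ADMIN_PASS = "admin", "secret"     # assumed admin credentials
SHELL_REALM = "shellusers"                     # assumed realm of the shell_user sqlresolver
EMPLOYEE_REALM = "employees"                   # assumed realm holding the employees' tokens


def build_remote_params(owner, forward_user=None, forward_serial=None,
                        server=PI_URL, realm=EMPLOYEE_REALM):
    """Parameters for POST /token/init creating a remote token owned by `owner`.

    Exactly one of forward_user / forward_serial is set: forwarding to a serial
    binds the shell user to that one token, forwarding to a user accepts any
    token the employee owns (the two cases described in the reply).
    """
    if (forward_user is None) == (forward_serial is None):
        raise ValueError("set exactly one of forward_user or forward_serial")
    params = {
        "type": "remote",
        "user": owner,
        "realm": SHELL_REALM,
        "remote.server": server,       # may be this same privacyIDEA instance
        "remote.realm": realm,
        "remote.local_checkpin": "0",  # the target token checks the PIN
    }
    if forward_user is not None:
        params["remote.user"] = forward_user
    else:
        params["remote.serial"] = forward_serial
    return params


def pi_post(path, payload, auth_token=None):
    """POST a JSON body to the privacyIDEA API and return result.value."""
    req = urllib.request.Request(PI_URL + path, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    if auth_token:
        req.add_header("Authorization", auth_token)  # privacyIDEA expects the raw auth token
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
    if not body.get("result", {}).get("status"):
        raise RuntimeError(body)
    return body["result"]["value"]


def assign_remote_tokens(owner, employees):
    """Create one remote token per employee on the shell user `owner`."""
    auth = pi_post("/auth", {"username": ADMIN_USER, "password": ADMIN_PASS})["token"]
    return [pi_post("/token/init", build_remote_params(owner, forward_user=e), auth)
            for e in employees]


if __name__ == "__main__":
    print(assign_remote_tokens("root", ["meier", "schmidt", "kunze"]))
```

Each remote token then appears under its own serial in the audit log together with the shell user it belongs to, which gives the per-employee trail asked for in the question.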
