Re: Secondary passwords - like Google's application specific passwords

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello,

please, does anybyody any idea how to implement this with 389?

Thanks

Jan

On 11/04/2013 07:40 PM, Jan Tomasek wrote:

Hi,

my question about PAM, libscript... come from my idea: I would like to
implement secondary passwords in very similar way like Google's
application specific passwords works. [1]

We are using LDAP for centralized user management. Systems providing
services to users are verified against this LDAP. Users are saving those
passwords within mail clients, in workstation, in tablet, ... we would
like to provide option to users to not store their main password within
their clients. We would like to offer them alternative passwords working
for email, calendar client and so on on specific device. In case of
compromising one of devices - user will have only to revoke password for
that device.

In short. I want to users offer possibility to generate secondary
passwords working for email, and so on. I expect them to create multiple
passwords marked with some nickname, like:
   phone-email
   tablet-email
   phone-calendar
and so on. Those passwords should work with standard LDAP bind but not
necessarily on the same suffix and/or where primary LDAP is. We would
like to split primary LDAP passwors used for financial and high trust
applications from those serving email and calendar.

How to do something like this with 389 DS?

My idea is this:

uid=semik,dc=neco
objectClass: inetOrgPerson
cn: Jan Tomasek
sn: Tomasek
uid: semik
userPassword: {SSHA}...

dc=12345,uid=semik,dc=neco
objectClass: appPassword
dc: 12345
password: some-generated-password1
passwordLabel: phone-email

dc=12395,uid=semik,dc=neco
objectClass: appPassword
dc: 12395
password: some-generated-password2
passwordLabel: tablet-email

dc=12399,uid=semik,dc=neco
objectClass: appPassword
dc: 12399
password: some-generated-password3
passwordLabel: phone-calendar


I tried to implement this as PAM Pass through authentication. It works
but it is very fragile.

I'm looking for more robust and faster way. I know it is possible to do
this with PreOperation Plugin but maybe there is some easier way. Or
maybe already someone implemented such plugin.

Any comments? Ideas?


Thanks

[1] https://support.google.com/accounts/answer/185833

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux