Závěrečná práce: Bc. Richard Kalinec: Application-specific passwords / Multiple passwords for one user in FreeIPA
Diplomová práce
Application-specific passwords / Multiple passwords for one user in FreeIPA
Anotace
Táto práca implementuje základnú podporu pre heslá špecifické pre aplikáciu vo FreeIPA, ktoré v záujme vyššej bezpečnosti nebudú použiteľné na správu konta. Navyše navrhuje schému na implementáciu podpory pre pokročilejšiu kontrolu prístupu pre heslá špecifické pre aplikáciu, ktorá by umožnila pre každé heslo špecifické pre aplikáciu povoliť prístup iba k špecifikovanej množine systémov a služieb. …více
Abstract
This thesis implements basic support for application-specific passwords in FreeIPA, which will not be usable for account management to improve security. On top of that, it proposes a scheme to implement support for more advanced access control for application-specific passwords that would enable to allow access only to a specified set of systems and services for each application-specific password. …více
Zadání práce
FreeIPA is an authentication and authorization server. At the moment, FreeIPA does not currently allow users to have more than one password. The aim of the thesis is to allow to use multiple passwords for single user.
Motivation
There are many possible use cases for multiple passwords for single user account.
Several fall under a category that could be broadly defined as ‘application-specific passwords’ (as Google refers to it), or possibly ‘partially trusted credentials’, or something alike.
For instance: I have my mail server configured to use FreeIPA authentication via PAM. I have three computers, two phones and a tablet configured to use my email server with my user ID and password. Then the tablet gets stolen.
Now I have to change the single password on my account, and reconfigure all systems that authenticate to anything using that password to use the new one, including all five other mail client applications.
If I could create multiple passwords, I could create one for each of the devices I want to use as an email client. If the device is then stolen or I feel I can no longer be sure its credentials are secure for any other reason – say, I logged in over an unsecured hotel Wi-Fi network, or something – I can revoke or change just its password, without needing to revoke or change the others.
Basic part
Simply allowing multiple passwords per account would be a good start. Maybe a very limited form of ‘access control’ could be done by only allowing the subsidiary/secondary/application-specific/whatever passwords to be configured after logging in with the ‘master’ password.
Advanced part
Ideally, this model could be quite sophisticated, and allow you to configure access based on the password used to log into an account – if I log in with the ‘master’ password I get full access to the account, including changing all the other passwords and access to all services.
If I log in with an application-specific password, I can only access a particular subset of systems and services that password is allowed access to (e.g. it could grant access only to log in to the mail server).
This advanced part includes a basic user interface and an extension to how access policies are managed.
21. 7. 2020 16:56, prof. RNDr. Václav Matyáš, M.Sc., Ph.D., učo 344
Vedoucí
Práce na příbuzné téma
Seznam prací, které mají shodná klíčová slova.
-
FreeIPA Manager
Bc. Kristián Leško -
Management of Business Processes and IT Strategy: A Reflection on Selected Seminar Works
Bc. Martina Brezovanová -
Identity management ve společnosti
Mgr. Martin Trojan -
Motivace uživatelů používat bezpečná hesla
Mgr. Petra Kalábová, učo 324669 -
A solution for reviewing and revoking user access in a Microsoft 365 environment
Bc. Vojtech Jánoš -
FreeIPA Modern WebUI External Custom Plugins Infrastructure
Ing. Erik Belko -
Správa SSL certifikátů v aplikačním serveru WildFly
Mgr. Filip Bogyai, učo 395959 -
Ansible Collection for Perun
Bc. Šimon Brauner




