One Time passwords
Joined: 13 December 2005
Posted: 23 March 2006 at 2:25pm
I work in a school, where free time computer access is restricted for students who are having academic problems and who spend too much time playing games or surfing.
(This is a Samba/Win2K setup. Accounts are selectively enabled during class/study time by a script on the server.)
However, even kids on academic probation have legitimate needs to use the computers. Currently the teacher sends the kid with a note, and I manually enable his account.
What I would like is some form of secondary login using a ticket. That is, after the conventional login, if the student is on academic probation, and it is a non-academic time, he's given a second login. At that point he has a ticket that has QFMP as the user, and 1234 as the password. This combination can be used once and only once, and is tied to the user. (He can't steal someone else's ticket.)
In this way a teacher can pick up tickets from me to allow specific kids to work at times when I'm not present to override their account.
Ok, but this is a pretty specialized use.
Give users the local admin password on their computer, but they need a ticket for the secondary login. Some applications need admin rights to install. So if you are distributing an upgrade, you also distribute a temporary right to become an administrator to install it. Sure, it has weaknesses. All security matters are tradeoffs between ease of use and security.
For maximum usability/security in a corporate environment a ticket should be able to:
Be restricted to a given machine, or given class of machines.
Be restricted to an amount of time.
Have an expiry date.
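The ticket described in the post above, sketched as an added example that is not part of the original post or of any existing product: a server-side store that issues a ticket tied to one user, a set of machines and an expiry time, and honours it once. The names TicketStore, issue, redeem and MAX_FAILURES are hypothetical, and the 8-character ticket ID, 8-digit code and five-guess limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class Ticket:
    user: str             # account the ticket is tied to
    machines: frozenset   # hostnames allowed to redeem it
    expires_at: float     # epoch seconds after which it is void
    minutes: int          # session length granted on success
    salt: bytes
    code_hash: bytes      # SHA-256(salt + code); the code itself is not stored
    used: bool = False
    failures: int = 0     # wrong codes presented so far

class TicketStore:
    MAX_FAILURES = 5      # assumed limit; bounds guessing of the short code

    def __init__(self):
        self._tickets = {}  # ticket id -> Ticket

    def issue(self, user, machines, valid_for_s, minutes, now=None):
        now = time.time() if now is None else now
        ticket_id = secrets.token_hex(4).upper()
        code = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).digest()
        self._tickets[ticket_id] = Ticket(
            user, frozenset(machines), now + valid_for_s, minutes, salt, digest)
        return ticket_id, code  # printed on the slip handed to the teacher

    def redeem(self, login_user, machine, ticket_id, code, now=None):
        """Return the granted minutes, or 0 if the ticket is refused."""
        now = time.time() if now is None else now
        t = self._tickets.get(ticket_id)
        if t is None or t.used or t.failures >= self.MAX_FAILURES:
            return 0
        supplied = hashlib.sha256(t.salt + code.encode()).digest()
        if not hmac.compare_digest(supplied, t.code_hash):
            t.failures += 1
            return 0
        # Bound to the account from the first login, the machine and the expiry.
        if login_user != t.user or machine not in t.machines or now > t.expires_at:
            return 0
        t.used = True  # once and only once
        return t.minutes
```

A refusal for the wrong user or machine does not consume the ticket, so the rightful holder can still redeem it; the store is in memory only and would need to be persisted on the server that runs the account-enabling script.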