One Time passwords

S.G.Botsford
Newbie
Joined: 13 December 2005
Location: Canada
Status: Offline
Points: 17
Posted: 23 March 2006 at 2:25pm

I work in a school, where free-time computer access is restricted for students who are having academic problems and who spend too much time playing games or surfing.
(This is a Samba/Win2K setup. Accounts are selectively enabled during class/study time by a script on the server.)

However even kids on academic probation have legitimate needs to use the computers. Currently the teacher sends the kid with a note, and I manually enable his account.

What I would like is some form of secondary login using a ticket. That is, after the conventional login, if the student is on academic probation, and it is a non-academic time, he's given a second login. At that point he has a ticket that has QFMP as the user, and 1234 as the password. This combination can be used once and only once, and is tied to the user. (He can't steal someone else's ticket.)

In this way a teacher can pick up tickets from me to allow specific kids to work at times when I'm not present to override their account.

****

Ok, but this is a pretty specialized use.

Consider this:
Give users the local admin password on their computer, but they need a ticket for the secondary login. Some applications need admin rights to install. So if you are distributing an upgrade, you also distribute a temporary right to become an administrator to install it. Sure it has weaknesses. All security matters are tradeoffs between ease of use and security.

For maximum usability/security in a corporate environment a ticket should be able to:
Be restricted to a given machine, or given class of machines.
Be restricted to an amount of time.
Have an expiry date.
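A minimal server-side sketch of the ticket scheme described in this post: each ticket is single-use, bound to one user, restricted to a machine or machine pattern, grants elevation for a fixed amount of time, and carries an expiry date. This is an added illustration, not code from the post or from Sysinternals; the `TicketServer` class, its record fields and the sample users and machine names are constructed.

```python
import hashlib
import secrets
import time
from fnmatch import fnmatch


class TicketServer:
    """Hypothetical issuer/validator for one-time elevation tickets."""

    def __init__(self):
        # Only the hash of each code is kept, so a leaked store does not
        # hand out directly usable tickets.
        self._tickets = {}

    def issue(self, user, machine_pattern, grant_seconds, expires_at):
        """Create a ticket and return the short code handed to the user."""
        code = secrets.token_hex(6)  # 12 random hex chars written on the ticket
        key = hashlib.sha256(code.encode()).hexdigest()
        self._tickets[key] = {
            "user": user,               # the ticket cannot be used by anyone else
            "machine": machine_pattern, # exact name or glob, e.g. "LAB-*"
            "grant": grant_seconds,     # how long the elevated session lasts
            "expires": expires_at,      # ticket is worthless after this time
            "used": False,
        }
        return code

    def redeem(self, code, user, machine, now=None):
        """Validate a ticket; on success mark it used and return (True, until)."""
        now = time.time() if now is None else now
        rec = self._tickets.get(hashlib.sha256(code.encode()).hexdigest())
        if rec is None:
            return False, "unknown ticket"
        if rec["used"]:
            return False, "ticket already used"
        if rec["user"] != user:
            return False, "ticket belongs to a different user"
        if not fnmatch(machine, rec["machine"]):
            return False, "ticket not valid on this machine"
        if now > rec["expires"]:
            return False, "ticket expired"
        rec["used"] = True  # only after every check has passed
        return True, now + rec["grant"]


if __name__ == "__main__":
    srv = TicketServer()
    code = srv.issue("jdoe", "LAB-*", 1800, time.time() + 86400)
    print(srv.redeem(code, "jdoe", "LAB-07"))  # accepted, elevated for 30 min
    print(srv.redeem(code, "jdoe", "LAB-07"))  # rejected: already used
```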