4

I've got an Ubuntu virtual server that I use for webhosting and other stuff. I've been thinking about moving mail onto it, but I'd like to secure it more against the threat of losing my smartphone. Google has 2 step verification systems that allow devices to have their own password.

Is there a standard UNIX-y way of allowing one account to have multiple credentials, so that I can revoke one later without revoking all of them?

jldugger
  • Did you ever figure this out? I don't want to switch to the passdb scheme for my Dovecot server, but would like to allow application specific passwords for my mail accounts using PAM... – RapidWebs Jun 14 '14 at 06:43

2 Answers

2

With PAM everything is possible. That's why "P" stands for pluggable. You can use multi-factor authentication, one-time passwords, iris scanners and whatever you like (and for which a plug-in exists).

One of the plug-ins is Google Authenticator for two factor authentication. See this post for instructions and source code: http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html

mailq
  • The title clearly says "application specific password", which, for example, is used with Google Authenticator to allow totally separate passwords for mail. This does not answer the question. – RapidWebs Jun 14 '14 at 06:40
  • Everything is *not* possible; unless you are willing to write a C module for PAM, you are bound to what actually exists! – RapidWebs Jun 14 '14 at 06:42
1

Is there a standard UNIX-y way of allowing one account to have multiple credentials, so that I can revoke one later without revoking all of them?

Depending on how you access your system (and use these accounts) you could do that very easily with SSH and key based authentication.

The valid credentials (public keys) are stored in ~/.ssh/authorized_keys or ~/.ssh/authorized_keys2. If one user shouldn't be able to access the related user account any more, just remove their key from authorized_keys.

joschi
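The per-device key approach from the answer above, as an added example that is not part of the original post: each device gets its own line in authorized_keys, identified by the trailing comment, and one device is revoked without touching the others. The function names (`list_labels`, `revoke_key`, `write_sample`) are hypothetical and the key blobs in the sample are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the answers: one key per device, told apart by the
# trailing comment. Assumes no quoted option value holds a bare key-type word.
KEY_AWK='
function label_of(   i, j, l) {   # comment after the key blob, "" if none
    if ($0 ~ /^[ \t]*#/ || NF == 0) return ""
    for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) {
            l = ""
            for (j = i + 2; j <= NF; j++) l = l (j > i + 2 ? " " : "") $j
            return l
        }
    return ""
}
'

# list_labels FILE: print the label of every labelled key, one per line.
list_labels() {
    awk "$KEY_AWK"'{ l = label_of(); if (l != "") print l }' "$1"
}

# revoke_key FILE LABEL: drop every key whose label equals LABEL exactly.
# Returns 0 if a key was removed, 1 if none matched, 2 on bad input.
revoke_key() {
    [ -n "$2" ] || return 2
    rk_tmp=$(mktemp "$1.XXXXXX") || return 2
    if WANT="$2" awk "$KEY_AWK"'
            label_of() == ENVIRON["WANT"] { hit = 1; next }
            { print }
            END { exit !hit }' "$1" > "$rk_tmp"
    then
        chmod 600 "$rk_tmp" && mv "$rk_tmp" "$1"   # replace in one rename
    else
        rm -f "$rk_tmp"; return 1                  # nothing matched: file untouched
    fi
}

# write_sample FILE: constructed authorized_keys content for trying this out.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample: key blobs are placeholders, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYLAPTOP laptop
no-port-forwarding,command="/bin/echo mail only" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYPHONE phone
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABFAKEKEYTABLET tablet
EOF
}
```

Labels are only as useful as they are unique, so give each device's key a distinct comment when you add it (for example with `ssh-keygen -C`).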