Educause Security Discussion mailing list archives

Re: Multiple of Single User Accounts


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 22 Oct 2009 16:49:10 -0500

Flynn, Gerald wrote:
-----Original Message-----
Another issue that is rarely mentioned in this debate is the need to
protect some credentials more than others. A situation has recently
come to light here where a privileged user here exposed their
credentials to key infrastructure while accessing student systems. The
exposure was obscure (and certainly unintentional) but exists nonetheless.
Keeping accounts separate helps mitigate that accidental exposure
of credentials.

Speaking of account credentials, sync outsourced student email passwords
with campus passwords or not? I vote no. Too many external account/password
integration and syncing and phishing threats. Federation, when it becomes
available, is a better and acceptable solution. But until then...no
automated password syncing.

We're planning to deploy Google Docs and Sites (not Mail).  I don't see
the day that we would ever hand our users' passwords over to a 3rd
party.  And, letting users pick a Google-only password would lead to
confusion, or the users will just use their normal campus password.

When I developed our shared Subversion repository, I followed the Google
Code model of creating token passwords.  Subversion clients will store
passwords, and we didn't want users' main NetID password to be lying
around in everyone's home directories.  We also didn't want to allow
users to choose their own passwords, since they would either use their
NetID password, or they would forget it and be bugging me for password
resets.  So, the solution is to let users log in to a web site to obtain
a randomly generated token password that is to be used only for
Subversion access.  The users can reset their tokens, but they can't set
them to arbitrary values.

This system has worked extremely well for Subversion.  So, it seems like
a natural solution for Google Apps.  Although, we are still in a
planning phase, so who knows how it will work out in the end.  I don't
even know if Docs or Sites even offer non-SASL access points for
individual users.

Jesse

--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thompson () doit wisc edu
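The token-password scheme Jesse describes for the Subversion repository, as an added illustration (this is not code from the list or from UW-Madison; the store class, the PBKDF2 parameters and the sample NetID are assumptions). It issues a random per-service token after the user has authenticated with their campus credentials elsewhere, keeps only a salted hash, allows reset but offers no way to set a user-chosen value:

```python
import hashlib
import hmac
import secrets

# Hypothetical store for one service's token passwords (here: Subversion).
# Only a salted hash of each token is kept; the plaintext is shown once.
PBKDF2_ROUNDS = 200_000  # assumed work factor


class ServiceTokenStore:
    """Issues random per-service token passwords, keyed by campus NetID."""

    def __init__(self, service: str) -> None:
        self.service = service
        self._records: dict[str, tuple[bytes, bytes]] = {}  # netid -> (salt, hash)

    @staticmethod
    def _derive(token: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, PBKDF2_ROUNDS)

    def issue(self, netid: str) -> str:
        """Mint a fresh random token for netid, replacing any existing one.

        The web front end is expected to have already authenticated netid
        against the campus directory; that step is not modelled here.
        There is deliberately no method that accepts a user-chosen value.
        """
        token = secrets.token_urlsafe(24)  # 192 bits of randomness
        salt = secrets.token_bytes(16)
        self._records[netid] = (salt, self._derive(token, salt))
        return token

    def reset(self, netid: str) -> str:
        """A reset is simply a re-issue: the old token stops working at once."""
        return self.issue(netid)

    def verify(self, netid: str, token: str) -> bool:
        """Check a token presented by the Subversion client (constant-time)."""
        record = self._records.get(netid)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(self._derive(token, salt), expected)


if __name__ == "__main__":
    store = ServiceTokenStore("svn")
    token = store.issue("bbadger")  # constructed sample NetID
    print("svn token for bbadger:", token, "verifies:", store.verify("bbadger", token))
```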
