Application-specific passwords / Multiple passwords for one user in FreeIPA

FreeIPA is an authentication and authorization server. At the moment, FreeIPA does not allow users to have more than one password. The aim of the thesis is to allow multiple passwords for a single user.


There are many possible use cases for multiple passwords on a single user account. Several fall under a category that could be broadly defined as ‘application specific passwords’ (as Google refers to it), or possibly ‘partially trusted credentials’.

For instance: I have my mail server configured to use FreeIPA authentication via PAM. I have three computers, two phones and a tablet configured to use my email server with my user ID and password. Then the tablet gets stolen.

Now I have to change the single password on my account, and re-configure all systems that authenticate to anything using that password to use the new one, including all five other mail client apps.

If I could create multiple passwords, I could create one for each of the devices I want to use as an email client. If the device is then stolen, or I feel I can no longer be sure its credentials are secure for any other reason (say, I just logged in over an unsecured hotel Wi-Fi network), I can revoke or change just its password, without needing to revoke or change the others.

Basic part

Simply allowing multiple passwords per account would be a good start. A very limited form of ‘access control’ could be achieved by only allowing the secondary (application-specific) passwords to be configured after logging in with the ‘master’ password.

Advanced part

Ideally, this model could be quite sophisticated, and allow you to configure access based on the password used to log into an account – if I log in with the ‘master’ password I get full access to the account, including changing all the other passwords and access to all services.

If I log in with an application specific password, I can only access a particular subset of systems and services that password is allowed access to (e.g., it could grant access only to log in to the mail server).

This advanced part includes a basic user interface and an extension to how access policies are managed.
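
The model described in the basic and advanced parts, as a small added sketch: it is not FreeIPA code and uses no FreeIPA API. The class Account, the labels and the service names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

MASTER = "master"              # assumed label for the full-access password
MANAGE = "account-management"  # assumed service name for editing credentials


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, master_password):
        self._creds = {}  # label -> (salt, digest, allowed services; None = all)
        self._store(MASTER, master_password, None)

    def _store(self, label, password, services):
        salt = os.urandom(16)
        self._creds[label] = (salt, _digest(password, salt), services)

    def authenticate(self, password, service):
        """Return the label of the password that grants `service`, or None."""
        granted = None
        for label, (salt, digest, services) in self._creds.items():
            match = hmac.compare_digest(_digest(password, salt), digest)
            if match and (services is None or service in services):
                granted = label
        return granted

    def _require_master(self, password):
        if self.authenticate(password, MANAGE) != MASTER:
            raise PermissionError("credential changes need the master password")

    def add_app_password(self, master_password, label, services):
        self._require_master(master_password)
        if label in self._creds:
            raise ValueError("label already in use")
        generated = secrets.token_urlsafe(18)  # shown once; only the hash is kept
        self._store(label, generated, frozenset(services))
        return generated

    def revoke(self, master_password, label):
        self._require_master(master_password)
        if label == MASTER:
            raise ValueError("the master password is changed, not revoked")
        del self._creds[label]
```

Revoking the stolen tablet's entry leaves every other device's password valid, and an application-specific password can never pass the management check, even if that service name is listed in its scope.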


This topic is no longer accepting new applications!

Stanislav Láznička

Location: Brno