Jump to content

Passwordstate API to allow setting API key for a Password List


Phaust
 Share

Recommended Posts

For an automation process we have, we would need to create a large number of password lists in one Passwordstate folder for an 'admin' account.

Those password lists will be shared with exactly 1 person, and contain a password to a service. We would like those people to be able to access Passwordstate API to retrieve said passwords.

The users can't use WinAPI, as the machine they will be accessing Passwordstate API from, doesn't have an AD account for them.

Hence,  the users are limited to using the default API. To connect to it, they need to have an API key. However, we can't generate nor set an API key for them programmatically.

We can't generate API keys manually, as it's too much manual work on our end. We can't let users generate their API key themselves, because for that they have to have at least M or A priviledges, and we would like to have them limited to V. 

Hence, we would like to have a WinAPI endpoint to generate \ set an API key for a given password list.

Do you think it sounds reasonable? 

Link to comment
Share on other sites

1 hour ago, support said:

Hello Phaust,

 

For your comment of "as the machine they will be accessing Passwordstate API from", can you tell us why this is - are they using Windows Machines or Linux?

Thanks

Click Studios

Hey!

 

For the use case I have in mind, it's a Linux machine with no AD account on it. I am aware of the possibility of running WinAPI on Linux, but that won't work as the users can't use DefaultCredentials (bcz of lack of AD account on the machine), and if they were to provide their AD password directly to WinAPI with plaintext credentials - it will completely defeat the purpose of using Passwordstate. We aim to use it to avoid passing AD password in plain text to perform SSO, but rather retrieve a password from Passwordstate programmatically, where we can limit the potential disaster effect of revealing the auth method to Passwordstate. If an API key leaks - we have 1 password compromised (as there's only 1 password in that password list), but if an AD password leaks - we have the whole Passwordstate database for the taking. Thus, generating plain API keys using WinAPI would help us tremendously.

Hope that makes sense.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...