Phaust Posted February 2, 2021

For an automation process we have, we would need to create a large number of password lists in one Passwordstate folder for an 'admin' account. Those password lists will be shared with exactly 1 person, and contain a password to a service. We would like those people to be able to access Passwordstate API to retrieve said passwords.

The users can't use WinAPI, as the machine they will be accessing Passwordstate API from doesn't have an AD account for them. Hence, the users are limited to using the default API. To connect to it, they need to have an API key. However, we can't generate nor set an API key for them programmatically. We can't generate API keys manually, as it's too much manual work on our end. We can't let users generate their API key themselves, because for that they have to have at least M or A privileges, and we would like to have them limited to V.

Hence, we would like to have a WinAPI endpoint to generate / set an API key for a given password list. Do you think it sounds reasonable?

support Posted February 2, 2021

Hello Phaust,

For your comment of "as the machine they will be accessing Passwordstate API from", can you tell us why this is - are they using Windows Machines or Linux?

Thanks
Click Studios

Phaust Posted February 2, 2021

1 hour ago, support said:
"Hello Phaust, For your comment of "as the machine they will be accessing Passwordstate API from", can you tell us why this is - are they using Windows Machines or Linux? Thanks Click Studios"

Hey! For the use case I have in mind, it's a Linux machine with no AD account on it. I am aware of the possibility of running WinAPI on Linux, but that won't work as the users can't use DefaultCredentials (because of the lack of an AD account on the machine), and if they were to provide their AD password directly to WinAPI with plaintext credentials, it would completely defeat the purpose of using Passwordstate.

We aim to use it to avoid passing the AD password in plain text to perform SSO, but rather retrieve a password from Passwordstate programmatically, where we can limit the potential disaster effect of revealing the auth method to Passwordstate. If an API key leaks, we have 1 password compromised (as there's only 1 password in that password list), but if an AD password leaks, we have the whole Passwordstate database for the taking.

Thus, generating plain API keys using WinAPI would help us tremendously. Hope that makes sense.

support Posted February 3, 2021

Thanks, and yes that makes sense.

Regards
Click Studios

Mordecai Posted October 17, 2023

+1 Any news on this topic?

arajwade Posted August 30

Any update on this feature request? This seems to be a gap, in that there is no API to generate / set an API key for a password list. This is a security-related issue.