MacOS – Authenticate with phone instead of password

Tags: authentication, macos, password, security, two-step-authentication

I understand that what I want is really strange.

We have something like a shared build server (Mac mini, Yosemite), which is located in a public place in the office; basically everybody has physical access to it.

We have a special user account created for our project needs, and all necessary tools / passwords etc. are configured under this user account.

We have a rather big group of people, who should have physical access to this user account from time to time.

As a (predicted) result we have a simple "password" which is known to everybody, even to people outside of this group.

Is there any way / third-party tool to use phone applications like Google Authenticator, which would allow access to this specific user account to a predefined group of people, without relying on just a password?

In general I'm looking for any solution which might solve my problem – logging in to an account with a "public password" restricted to specific people only.

Best Answer

There are dozens of 2FA PAM plugins as well as automation tools to allow one user account to be tied to one iOS device or one iCloud account.

Where you will run into issues is having an N-to-one relation between one user account and multiple people's mobile phones. Without some sort of SMS group pool or server side setup, I don't think you'll find a pre-made solution.

I've used http://macid.co/get/ and it's more of a novelty than something I would trust in production. Here are two much better engineered solutions to modify the OS X authentication chain for two factor:

There are dozens of other companies and this uses the same hooks that smart card readers do to make OS X enforce additional code execution before a user can log in with the password. Yubico documents the /etc/pam.d/authorization file you would change and also walks you through how you would modify the system (SIP prevents this change on recent OS releases) to run the code needed to validate or deny the login event.


None of these will be less work than changing the password and setting up a way to distribute that password to only the mobile devices for the users allowed to know the new password. Make that system flexible and you can change the password daily or just when needed.
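Added example, not code from the answer above or from any product it names: the RFC 6238 TOTP computation that Google Authenticator performs, wrapped in a verifier for the N-to-one case the answer describes. One shared account holds a separate secret per enrolled person, so a valid code identifies who logged in, a code cannot be replayed within its window, and one person can be revoked without rotating everyone else. The person names and secrets are constructed sample data; the first secret is the RFC 6238 test-vector key.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP as Google Authenticator computes it: counter = unix_time // 30."""
    return hotp(secret_b32, at // step)

class SharedAccountVerifier:
    """One account, many enrolled phones. Each person has their own secret, so a
    successful code tells you who logged in and a single secret can be revoked."""

    def __init__(self, enrolled: dict, window: int = 1, step: int = 30):
        self.enrolled = dict(enrolled)   # person -> base32 secret (constructed sample data)
        self.window = window             # tolerate +/- N time steps of phone clock skew
        self.step = step
        self.used = set()                # (person, counter) pairs already consumed: blocks replay

    def verify(self, code: str, now=None):
        """Return the enrolled person whose current code matches, or None."""
        now = int(time.time()) if now is None else now
        counter = now // self.step
        for person, secret in self.enrolled.items():
            for c in range(counter - self.window, counter + self.window + 1):
                if hmac.compare_digest(hotp(secret, c), code) and (person, c) not in self.used:
                    self.used.add((person, c))
                    return person
        return None

    def revoke(self, person: str) -> None:
        """Remove one person's phone without touching anyone else's enrolment."""
        self.enrolled.pop(person, None)
```

A PAM module doing this server-side would log the returned person name as the audit identity, which is what a shared password can never give you.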