[haiku-sysadmin] Re: [Haiku] #11828: Look into using one-time-passwords as secondary authentication method for baron

  • From: "zooey" <trac@xxxxxxxxxxxx>
  • Date: Thu, 05 Feb 2015 19:50:16 -0000

#11828: Look into using one-time-passwords as secondary authentication method for baron
-------------------------+----------------------------
   Reporter:  zooey      |      Owner:  haiku-sysadmin
       Type:  task       |     Status:  new
   Priority:  normal     |  Milestone:
  Component:  Sys-Admin  |    Version:
 Resolution:             |   Keywords:
 Blocked By:             |   Blocking:
Has a Patch:  0          |   Platform:  All
-------------------------+----------------------------
Description changed by zooey:

Old description:

> During last BeGeistert, Jonathan Schleifer suggested to use OTP as
> secondary authentication method on baron, such that people logging in via
> ssh would have to produce the appropriate one-time-password, too.
>
> While this kind of two-factor-authentication seems too much of a hassle on
> things like git.haiku-os.org, I think it makes a lot of sense for baron
> itself (i.e. the hypervisor machine), maybe even for vmdev and vmweb.
>
> One way of implementing this would be to install and configure
> [http://www.nongnu.org/oath-toolkit/ the oath toolkit] on whatever server
> we'd like to experiment with first. The respective SUSE-packages are
> pam_oath and oath-toolkit, provided by the `security`-repository.
>
> Of course, for this to work, all admins would need to have some
> compatible client app running on their smartphone, as otherwise they
> could no longer log in. One of these apps is FreeOTP, but I think Google
> Authenticator should work, too.
>
> I have no idea whether to use the time-based (TOTP) or event-based (HOTP)
> algorithm, so the pros/cons of these require some more research.

New description:

 During last BeGeistert, Jonathan Schleifer suggested to use OTP as
 secondary authentication method on baron, such that people logging in via
 ssh would have to produce the appropriate one-time-password, too.

 While this kind of two-factor-authentication seems too much of a hassle on
 things like git.haiku-os.org, I think it makes a lot of sense for baron
 itself (i.e. the hypervisor machine), maybe even for vmdev and vmweb.

 One way of implementing this would be to install and configure
 [http://www.nongnu.org/oath-toolkit/ the oath toolkit] on whatever server
 we'd like to experiment with first. The respective SUSE-packages are
 pam_oath and oath-toolkit, provided by the `security`-repository.

 Of course, for this to work, all admins would need to have some compatible
 client app running on their smartphone, as otherwise they could no longer
 log in. One of these apps is FreeOTP, but I think Google Authenticator
 should work, too.

 I have no idea whether to use the time-based (TOTP) or event-based (HOTP)
 algorithm, so the pros/cons of these require some more research.

 This link could be useful:
 [http://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml];
 it describes a setup for RHEL/CentOS, but it shouldn't be too difficult to
 transfer to openSUSE.

--

--
Ticket URL: <https://dev.haiku-os.org/ticket/11828#comment:1>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.
