#11828: Look into using one-time-passwords as secondary authentication method for baron
-------------------------+----------------------------
   Reporter:  zooey      |      Owner:  haiku-sysadmin
       Type:  task       |     Status:  new
   Priority:  normal     |  Milestone:
  Component:  Sys-Admin  |    Version:
 Resolution:             |   Keywords:
 Blocked By:             |   Blocking:
Has a Patch:  0          |   Platform:  All
-------------------------+----------------------------

Comment (by jprostko):

 Replying to [comment:18 zooey]:
 > Centinel, jprostko: I'm impressed :-)

 Thanks! I'll admit that Centinel has done most of the work so far, although I have been doing testing when I can.

 > Once you've ironed out that last subtle detail, I think we can copy your OTP implementation onto one of the VMs running on baron (either vmdev or vmweb).

 Isn't the plan to update them to OpenSuse 13.2 first due to the "PAM lag" issue present in 13.1?

 > While thinking about the VMs, an "interesting" aspect crossed my mind: vmrepo hosts the git repositories, so a lot of people log in via ssh in order to push any changesets upstream. The interesting part is that this includes admins, too. We can't ask every one of these users for an OTP every time they push a changeset, so maybe we should limit the OTP requirement to the invocation of sudo? What do you think? Would it maybe even make sense to implement that scheme generally, i.e. only ever require OTP for sudo?

 This is an interesting problem. Centinel will probably have a better answer, but I think it should be a matter of adding the pam_oath.so line to the /etc/pam.d/sudo file. It is kind of interesting to only require OTP for running sudo, although that could potentially get annoying if the sudo timeout (timestamp_timeout) isn't set relatively high. I guess it depends on a given admin's workflow though.

-- 
Ticket URL: <https://dev.haiku-os.org/ticket/11828#comment:19>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.
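What the "pam_oath.so line in /etc/pam.d/sudo" plus a raised timestamp_timeout would look like in practice, as an added configuration example that is not taken from the ticket or from Haiku's sysadmin setup. The openSUSE-style `common-*` includes, the user name, the hex seed and the window/timeout values are assumptions chosen for illustration; `pam_oath.so`, its `usersfile`/`window`/`digits` options and the `users.oath` line format are those of oath-toolkit.

```text
# /etc/pam.d/sudo   (assumed openSUSE-style stack; only the pam_oath line is the OTP change)
# OTP is checked first and is "required", so a bad OTP still falls through to
# the password prompt and an attacker cannot tell which factor failed.
auth     required   pam_oath.so  usersfile=/etc/users.oath window=5 digits=6
auth     include    common-auth
account  include    common-account
password include    common-password
session  include    common-session

# /etc/users.oath   (owner root, mode 0600; pam_oath rewrites it to record the
#                    last accepted OTP, which is what blocks replay of a code)
# scheme        user       pin   hex-encoded shared secret (example seed, not a real one)
HOTP/T30/6      jprostko   -     3132333435363738393031323334353637383930

# /etc/sudoers.d/otp-timeout   (create with: visudo -f /etc/sudoers.d/otp-timeout)
# Minutes a successful sudo authentication stays cached per terminal.
# The default (5) would re-prompt for an OTP on almost every admin session;
# 30 is an assumed compromise, not a recommendation from the ticket.
Defaults timestamp_timeout=30
```

Two caveats a deployer would want: first, sshd is left untouched here, and a `git push` over public-key SSH never enters PAM's `auth` stack anyway (PAM is only consulted for keyboard-interactive or password logins), so the git users in the thread are not prompted regardless of what `/etc/pam.d/sudo` contains. Second, `timestamp_timeout` is the trade-off the comment describes: a long timeout means fewer OTP prompts, but it also means a hijacked terminal or stolen shell session can run `sudo` for that long without ever seeing the second factor, so the value should reflect how long an admin's unattended session is acceptable rather than only convenience.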