Re: [PATCH] One time password
From: Derek Robert Price
Subject: Re: [PATCH] One time password
Date: Tue, 19 Aug 2003 12:33:51 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1
Mark D. Baushke wrote:
|Hi Brian,
|
|I am somewhat ambivalent about your patch.
|
|It is not clear to me how shell scripts might be
|able to pass an appropriate one-time-password to
|cvs.
Well, they shouldn't be able to, really. OTPs usually require a human
with a little device that they can punch the PAM prompt into and which
then supplies a new, use-once password.
|Is this lack why there is no sanity.sh
|infrastructure to deal with this new feature?
|
|If it is only possible to read from /dev/tty, then
|perhaps that fact also needs to be included in the
|documentation?
I think this is the way to go with it.
|For myself, I might like to see it possible to use
|something like the ssh-askpass program such as is
|used by OpenSSH when there is a need to ask the
|user for a password, but /dev/tty is not a
|controlling terminal device?
Ooh, I'm afraid of getting involved with GUI plugins at this point. Do
you have an architecture in mind?
What sort of cases were you attempting to handle? CVS wrapper scripts?
Individual users and sysadmins would still be free to set up SSH if they
prefer.
|I do understand the desire to get prompted by
|a one-time-password, but wonder if :ext: using
|"ssh" as a transport does not already solve this
|problem more efficiently?
Maybe, but despite my personal preference for SSH as well, some users
still find various reasons to object to this setup.
|I believe I would like to see either Derek or Larry
|give it a thumbs-up or down.
I probably shouldn't give it a thumbs-down yet, since I suggested the
patch in the first place. :)
I'm open to discussion, but thought that given that we were adding PAM
support in the first place, it would be worthwhile to support OTP. At
the least, it would enable sysadmins to sidestep the almost-clear-pass
security problem if they wish to.
Derek
--
 *8^)
Email: derek@ximbiot.com
Get CVS support at <http://ximbiot.com>!
--
HAMLET No, not I.
  I never gave you aught.
OPHELIA
  My honoured lord, you know right well you did,
  And with them words of so sweet breath composed
  As made the things more rich. Their perfume lost,
  Take these again. For to the noble mind
  Rich gifts wax poor when givers prove unkind.
  There, my lord.
  - Hamlet, Act III, Scene 1, Lines 96-102