|
| From: | Tim Eggleston |
| Subject: | Re: [OATH-Toolkit-help] pam_oath and multiple tokens for a user |
| Date: | Thu, 31 May 2012 21:46:19 +0100 |
| User-agent: | Roundcube Webmail/0.8-rc |
Hi Simon,
Having the same secret in several devices is usually not a good idea -- instead, how about a scheme to have multiple lines in users.oath for thesame user but with different OATH secrets? Then each OTP could betested against all lines for a user, to find which device is relevant,and then that line could be updated.
Perfect! This is exactly what I was hoping for. As well as enabling flexibility in cases such as mine (where I use a couple of Yubikeys day-to-day), it would also allow us to be a bit stronger with our pam config: we could configure a backup token which was stored somewhere safe & secure, and then we could require the OTP to authenticate instead of making it "sufficient", knowing that even if we lost our primary token we could always fall back to the backup.
I did have a look through the code in the hope that it might be simple enough for me to submit a patch (I don't like just requesting features!), but unfortunately as an infrastructure guy it's a bit beyond me. I do think it would be a very powerful addition to the capabilities though and I hope you would consider adding it... if I could do anything to help move it forward, such as alpha testing or whatever, just let me know!
Cheers, -- Tim
| [Prev in Thread] | Current Thread | [Next in Thread] |