Opened 10 years ago
Last modified 6 years ago
#11828 assigned task
Look into using one-time-passwords as secondary authentication method for baron — at Initial Version
| Reported by: | zooey | Owned by: | haiku-sysadmin |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Sys-Admin | Version: | |
| Keywords: | | Cc: | |
| Blocked By: | | Blocking: | |
| Platform: | All | | |
Description
During the last BeGeistert, Jonathan Schleifer suggested using OTP as a secondary authentication method on baron, such that people logging in via ssh would have to produce the appropriate one-time password, too.
While this kind of two-factor authentication seems too much of a hassle on things like git.haiku-os.org, I think it makes a lot of sense for baron itself (i.e. the hypervisor machine), maybe even for vmdev and vmweb.
One way of implementing this would be to install and configure the oath toolkit on whatever server we'd like to experiment with first. The respective SUSE-packages are pam_oath and oath-toolkit, provided by the security-repository.
Of course, for this to work, all admins would need to have some compatible client app running on their smartphone, as otherwise they could no longer log in. One of these apps is FreeOTP, but I think Google Authenticator should work, too.
I have no idea whether to use the time-based (TOTP) or event-based (HOTP) algorithm, so the pros/cons of these require some more research.
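Added example, not part of the ticket and not code from the oath toolkit or the Haiku project: a sketch of HOTP (RFC 4226) and TOTP (RFC 6238) with the server-side checks each one needs, showing the operational difference between the two (stored counter with a look-ahead window versus clock with a skew tolerance). The function names, the `window` and `skew` defaults and the replay handling are assumptions chosen for illustration; the secret is the published RFC test secret.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret, not a real key

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)

def verify_hotp(secret, code, server_counter, window=5):
    """Event-based check: the server stores a counter and accepts codes up to
    `window` counters ahead. Returns the next counter to store, or None."""
    for c in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1  # move past the used code so it cannot be replayed
    return None

def verify_totp(secret, code, unix_time, last_step=-1, step=30, skew=1):
    """Time-based check: tolerate +/- `skew` steps of clock drift and refuse
    any step at or before the last accepted one. Returns the step, or None."""
    now = unix_time // step
    for s in range(now - skew, now + skew + 1):
        if s > last_step and hmac.compare_digest(hotp(secret, s), code):
            return s
    return None

if __name__ == "__main__":
    # HOTP: token was pressed three times without logging in; server resyncs.
    print("HOTP resync, next counter:", verify_hotp(SECRET, hotp(SECRET, 3), 0))
    # HOTP: token ran too far ahead of the server; login fails until resynced.
    print("HOTP out of window:", verify_hotp(SECRET, hotp(SECRET, 9), 0))
    # TOTP: nothing to resync, but the code expires and clocks must agree.
    print("TOTP in time:", verify_totp(SECRET, totp(SECRET, 59), 59))
    print("TOTP two steps late:", verify_totp(SECRET, totp(SECRET, 59), 119))
```
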