Re: [OATH-Toolkit-help] oath.users: encrypted passwords and management t
From: Chris J
Subject: Re: [OATH-Toolkit-help] oath.users: encrypted passwords and management tool
Date: Wed, 20 May 2015 10:47:43 +0100
User-agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
On 19/05/2015 20:26, Simon Josefsson wrote:
>
> I'm a bit mixed whether this is the best path to pursue, or whether it
> would be better to recommend an indirect path such as Radius or
> something else. [...] It comes with some additional complexity cost,
> though, but maybe it is not significant.
>
> Still, as you suggest, the direct path is relatively easy to put
> together and solves the problem. Perhaps there is room for documenting
> how to do both properly.
This last para sums it up I think.
Putting other pre-reqs in the way adds to the technical barrier needed
to make it work. For myself, I came across this project when looking for
OTP solutions for my small internet-facing project box and putting other
unfamiliar pre-reqs up may have had me looking around for other options:
not because I don't agree with the principle but more it seemed overkill
to get to grips with something unfamiliar for a server that has three or
four users at most :-)
That said, even with privilege separation for login, there still needs
to be a way for end-users to reset their PIN should they want to: I
don't know if moving to (say) Radius or LDAP changes that, other than
the userland tooling might need to be a little different.
Chris