Re: [OATH-Toolkit-help] pam_oath and multiple tokens for a user

From: Tim Eggleston
Subject: Re: [OATH-Toolkit-help] pam_oath and multiple tokens for a user
Date: Thu, 31 May 2012 21:46:19 +0100
User-agent: Roundcube Webmail/0.8-rc

Hi Simon,

> Having the same secret in several devices is usually not a good idea --
> instead, how about a scheme to have multiple lines in users.oath for the
> same user but with different OATH secrets? Then each OTP could be
> tested against all lines for a user, to find which device is relevant,
> and then that line could be updated.

Perfect! This is exactly what I was hoping for. As well as enabling flexibility in cases such as mine (where I use a couple of Yubikeys day-to-day), it would also allow us to be a bit stronger with our pam config: we could configure a backup token which was stored somewhere safe & secure, and then we could require the OTP to authenticate instead of making it "sufficient", knowing that even if we lost our primary token we could always fall back to the backup.

I did have a look through the code in the hope that it might be simple enough for me to submit a patch (I don't like just requesting features!), but unfortunately as an infrastructure guy it's a bit beyond me. I do think it would be a very powerful addition to the capabilities though and I hope you would consider adding it... if I could do anything to help move it forward, such as alpha testing or whatever, just let me know!


 -- Tim
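
The scheme proposed in the quoted text above (several entries per user, each OTP tested against all of them, only the matching entry updated), as an added example that is not part of the original message and is not OATH Toolkit code. The entry dictionaries are a simplified stand-in for users.oath lines, and the user names, secrets and look-ahead window are constructed assumptions; the HOTP computation follows RFC 4226.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value (RFC 4226) for one secret and counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def sample_entries():
    """Constructed sample: two tokens for alice, one for bob."""
    return [
        {"user": "alice", "secret": b"12345678901234567890".hex(), "counter": 0},
        {"user": "alice", "secret": b"constructed-backup-key".hex(), "counter": 0},
        {"user": "bob", "secret": b"constructed-bob-key!".hex(), "counter": 0},
    ]

def authenticate(entries, user, otp, window=5):
    """Test otp against every entry for user; return matching index or None.

    Only the entry that matched has its counter advanced, so the other
    tokens keep their own state and a used OTP cannot be replayed.
    """
    if not (otp.isascii() and otp.isdigit()):
        return None
    for idx, entry in enumerate(entries):
        if entry["user"] != user:
            continue
        secret = bytes.fromhex(entry["secret"])
        # Look ahead a few counters in case the token was pressed unused.
        for counter in range(entry["counter"], entry["counter"] + window + 1):
            if hmac.compare_digest(hotp(secret, counter), otp):
                entry["counter"] = counter + 1
                return idx
    return None

if __name__ == "__main__":
    entries = sample_entries()
    print(authenticate(entries, "alice", "755224"))  # RFC 4226 vector, counter 0
    print(authenticate(entries, "alice", "755224"))  # same OTP again (replay)
```

Each additional entry for a user adds another set of counters an OTP guess can match, so the look-ahead window should stay small when several tokens are enrolled.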
