[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian two-factor auth, GSoC?



Hi,

DSA are already looking at two factor authentication, but TOTP based rather
than HOTP.  There are plenty of TOTP calculators that could be deployed on
smart phones, etc. rather than requiring DDs to own a YubiKey (and have USB
port available... i wonder if my iPad has a USB port...).

Interestingly, OpenSSH 6.2 (just released) now offers two-factor authentication
so we can augment ssh keys with TOTP.

Aslo, we have sso.debian.org, whose use we should expand.

I can help with a GSoC but I think DSA would prefer to lean in the direction of
the above.

Finally, if we are going to require DDs to have a physical object, I'm more in
favour of an OpenPGP token than an OTP token.  The OpenPGP token could then
power gpg (yes, Luca, we get that :) ) and act as an ssh-agent.  Couple that
with OTP, and we have quite strong overall solution, I think.

Let me know your thoughts,

Luca

On Thu, Apr 11, 2013 at 08:10:40PM +0200, Daniel Pocock wrote:
> 
> 
> Fedora recently put in Yubikey for their packagers[1], although they are
> only half way there, supporting sudo but not web auth so far.
> 
> Similar things could probably happen in Debian.
> 
> I've proposed two-factor authentication as a potential area for a GSoC
> project[2], two things come up:
> 
> a) would anyone else be interested in co-mentoring in this area (e.g.
> development of tools to support/administer two factor auth)?
> 
> b) would anyone be interested in seeing this in Debian infrastructure,
> has it been discussed before, and could this provide guidance to any
> students proposing a project in this area?
> 
> Even if you don't have time to formally commit to GSoC, it would be
> useful to have feedback from people who have experienced this in other
> projects and would like to see it in Debian.
> 
> 
> 1. https://fedoraproject.org/wiki/Infrastructure/Yubikey
> 
> 
> 2.
> http://wiki.debian.org/SummerOfCode2013/Projects#One-time-password_.28token.29_based_authentication_and_transactions
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: 5166FCA0.70504@pocock.com.au">http://lists.debian.org/5166FCA0.70504@pocock.com.au
> 

-- 
Luca Filipozzi
http://www.crowdrise.com/SupportDebian


Reply to: