Re: Debian two-factor auth, GSoC?

[Daniel Pocock <daniel@pocock.com.au>]

On 12/04/13 07:56, Thomas Goirand wrote:
> On 04/12/2013 03:25 AM, Tollef Fog Heen wrote:
>> The Yubikey neo can run the java applet thingies, it seems, so it can
>> act as a GPG token too. 
> Please, please, please ... no java!!!
> That's a security nightmare. I think we'd be less safe with
> than without it.
> 
> Also, while I think the idea is nice, and that it would be a nice
> thing to *propose* it to all DDs, I think it would be annoying
> to actually *require* 2 factors auth from DDs (especially with
> the ssh keys on Alioth).
> 

There was never any suggestion to make something mandatory, I actually
agree with those concerns

Given the nature of Debian, it would be a personalised solution

So, if a DD regularly accesses Debian infrastructure from a PC that he
does not control (e.g. a work PC) he can choose to use TOTP instead of a
password.  A DD who always uses a personal laptop may prefer to use an
ssh key.  It is all about choice.

With the right tools, DDs would have these choices each time they log
in, or any one person can choose to make *OTP mandatory for their own login.

So any potential GSoC project may involve making tools that allow DDs to
set this up, the way they want, quickly - but only if they want it.