Re: [RFR] templates://yubico-pam/{libpam-yubico.templates}
Christian PERRIER wrote:
> _Description: Parameters for Yubico PAM:
Looks okay to me. Maybe I could squeeze it a bit shorter, but my
first couple of attempts definitely make it more obscure.
> Type: note
[...]
>
> This template can be considered debconf abuse. See debconf-devel(5)
> for details about why notes are usually considered as Evil,
> particularly at high priority. Most of the time, there is consensus
> about considering that such notices belong to README.Debian.
If that isn't enough, maybe the previous template could have an
addendum along the lines of:
  (To avoid accidental lock-outs the module will not be active until
  it is enabled with the "pam-auth-update" command.)
But my patch doesn't do this. In the control file:
> +Description: two-factor password+OTP (YubiKey) PAM module
> + This package provides the Yubico PAM module. It allows using
> + two-factor authentication with existing logins and passwords
> + and a YubiKey OTP (one-time password) that is validated against an online validation service.
>
> Avoiding to begin the description by Yubico avoids a leading
> capital. Also, the most important information is what it is, not how
> it's named..:)
Even things that aren't sentences are allowed to start with a capital
letter sometimes! But dropping the word does make it feel less like
an advertisement...
> "It allows you" : not necessarily "me". More generally speaking we
> suggest avoiding possessive form. I'm also unsure about "It enables
> you to ...."
s/allows using/allows the use of/ ...or in fact I think I prefer
  This package provides the Yubico PAM module. It enables the use of
  two-factor authentication, with existing logins and passwords plus
  a YubiKey One-Time Password that is validated against an online
  validation service.
(With "plus" to help people add up to two, and "inline" expansion of
One-Time Password since we've already had OTP in the synopsis.)
> + The default validation service is the free YubiCloud. It is also
> + possible to setup a custom local validation service.
set up
One word as a noun, two as a verb (because you "set it up").
When you say "local" here you just mean "manually created by the site
admin", right? I would avoid that, since the next paragraph uses
"local" to mean "necessarily on the same host"; "custom validation
service" should be enough. Or since the repetition of "validation"
gets a bit annoying perhaps this should be merged into the previous
paragraph as something like:
  a YubiKey One-Time Password that is validated against an online
  validation service. The default is the free YubiCloud, but it is easy
  to set up a custom service.
> .
> A second mode of operation is available using the YubiKeys HMAC-SHA-1
> + Challenge-Response functionality. Using this mode,
"The YubiKey's [...] functionality" needs an apostrophe.
> + offline validation can be done with a YubiKey, for example on a laptop computer.
An easier way of avoiding pronouns would be to say
  This allows for offline validation
  using a YubiKey, for example on a laptop computer.
> + This only works for local logins though, and not for remote logins such
> + as SSH.
Needs an extra comma, and pedantically speaking "SSH logins" rather
than "SSH" (the protocol), so I might as well rework it completely:
  However, this
  only works for local logins, not for instance SSH logins.
By the way, I've just noticed (too late for this patch) that
  Homepage: http://code.google.com/p/yubico-pam/
should now point towards https://github.com/Yubico/yubico-pam.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
diff -ru yubico-pam-2.10.pristine/debian/control yubico-pam-2.10/debian/control
--- yubico-pam-2.10.pristine/debian/control 2012-01-02 20:31:23.000000000 +0000
+++ yubico-pam-2.10/debian/control 2012-01-10 21:20:13.359695549 +0000
@@ -25,16 +25,14 @@
debconf | debconf-2.0,
${shlibs:Depends},
${misc:Depends}
-Description: Yubico two-factor password+OTP (YubiKey) PAM module
- This is the Yubico PAM module. It enables you to set up your system to
- require two-factor authentication with your normal username and password
- and a YubiKey OTP that is validated against an online validation service.
+Description: two-factor password+OTP (YubiKey) PAM module
+ This package provides the Yubico PAM module. It enables the use of
+ two-factor authentication, with existing logins and passwords plus
+ a YubiKey One-Time Password that is validated against an online
+ validation service. The default is the free YubiCloud, but it is easy
+ to set up a custom service.
.
- The default validation service is the free YubiCloud, but you can easily
- set up and use your own validation service.
- .
- A second mode of operation is available using the YubiKeys HMAC-SHA-1
- Challenge-Response functionality. Using this mode, you can accomplish
- offline validation using a YubiKey, for example on a laptop computer.
- This only works for local logins though, and not for logging in using
- for example SSH.
+ A second mode of operation is available using the YubiKey's HMAC-SHA-1
+ Challenge-Response functionality. This allows for offline validation
+ using a YubiKey, for example on a laptop computer. However, this only
+ works for local logins, not for instance SSH logins.
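Review bot: The last added sentence, "However, this only works for local logins, not for instance SSH logins.", reads at first pass as if "instance SSH logins" were a term of its own. Set the parenthetical off with commas ("not, for instance, SSH logins") or reword to "not for remote logins such as SSH logins". In the first paragraph, merging the YubiCloud sentence in leaves "a custom service" without saying what kind of service it is; "a custom validation service" costs one word and keeps the sentence self-contained.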
diff -ru yubico-pam-2.10.pristine/debian/libpam-yubico.templates yubico-pam-2.10/debian/libpam-yubico.templates
--- yubico-pam-2.10.pristine/debian/libpam-yubico.templates 2012-01-01 16:06:07.000000000 +0000
+++ yubico-pam-2.10/debian/libpam-yubico.templates 2012-01-10 20:47:26.467695486 +0000
@@ -2,12 +2,12 @@
Type: string
Default: mode=client try_first_pass id=N key=K
_Description: Parameters for Yubico PAM:
- The Yubico PAM module supports two modes of operation - online
+ The Yubico PAM module supports two modes of operation: online
validation of YubiKey OTPs or offline validation of YubiKey HMAC-SHA-1
responses to challenges.
.
The default is online validation, and for that to work you need to get
- an API key (they are free) at https://upgrade.yubico.com/getapikey/ and
+ a free API key at https://upgrade.yubico.com/getapikey/ and
enter the key id as "id=NNNN" and the base64 secret as "key=...".
.
All the available parameters for the Yubico PAM module are described
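Review bot: The second paragraph still asks for the API secret to be entered as "key=..." in a "Type: string" template without telling the admin that this value is a shared secret. A string answer is stored alongside the other debconf answers rather than being handled like a password-type question, so the text should at least say that the secret must be kept private, or point to the README for a way to supply it outside debconf. The placeholders also disagree: the Default line uses "id=N key=K" while the description uses "id=NNNN" and "key=..."; using one form in both places would make it clearer that the default has to be replaced.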
@@ -17,4 +17,5 @@
Type: note
_Description: Yubico PAM module disabled by default
To avoid locking anyone out of their system, the Yubico PAM module is
- not activated by default. Use the program `pam-auth-update' to enable it.
+ not activated by default. It can be enabled with the "pam-auth-update"
+ command.
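Review bot: The reworded sentence stays in a "Type: note" template, which the review quoted earlier in this thread flags as debconf abuse. Now that the message is a single short sentence, consider folding it into the module_args description as a parenthetical and dropping this template, as the reply itself floats. If the note is kept, "It can be enabled with the "pam-auth-update" command." could be the more direct "Run "pam-auth-update" to enable it.", which also avoids wrapping a lone word onto the final line.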
Template: libpam-yubico/module_args
Type: string
Default: mode=client try_first_pass id=N key=K
_Description: Parameters for Yubico PAM:
 The Yubico PAM module supports two modes of operation: online
 validation of YubiKey OTPs or offline validation of YubiKey HMAC-SHA-1
 responses to challenges.
 .
 The default is online validation, and for that to work you need to get
 a free API key at https://upgrade.yubico.com/getapikey/ and
 enter the key id as "id=NNNN" and the base64 secret as "key=...".
 .
 All the available parameters for the Yubico PAM module are described
 in /usr/share/doc/libpam-yubico/README.gz.

Template: libpam-yubico/disabled_by_default
Type: note
_Description: Yubico PAM module disabled by default
 To avoid locking anyone out of their system, the Yubico PAM module is
 not activated by default. It can be enabled with the "pam-auth-update"
 command.
Source: yubico-pam
Maintainer: Yubico Open Source Maintainers <ossmaint@yubico.com>
Uploaders: Fredrik Thulin <fredrik@yubico.com>, Simon Josefsson <simon@josefsson.org>
Section: admin
Priority: optional
Build-Depends: debhelper (>= 8),
 po-debconf,
 pkg-config,
 cdbs,
 libykclient-dev (>= 2.4),
 libpam0g-dev,
 libldap2-dev,
 libykpers-1-dev (>= 1.5.2),
 libyubikey-dev
Standards-Version: 3.9.2
Homepage: http://code.google.com/p/yubico-pam/
DM-Upload-Allowed: yes

Package: libpam-yubico
Architecture: any
Depends: libpam-runtime (>= 1.0.1-6~),
 libykclient3 (>= 2.4),
 libldap-2.4-2,
 libykpers-1-1 (>= 1.5.2),
 debconf | debconf-2.0,
 ${shlibs:Depends},
 ${misc:Depends}
Description: two-factor password+OTP (YubiKey) PAM module
 This package provides the Yubico PAM module. It enables the use of
 two-factor authentication, with existing logins and passwords plus
 a YubiKey One-Time Password that is validated against an online
 validation service. The default is the free YubiCloud, but it is easy
 to set up a custom service.
 .
 A second mode of operation is available using the YubiKey's HMAC-SHA-1
 Challenge-Response functionality. This allows for offline validation
 using a YubiKey, for example on a laptop computer. However, this only
 works for local logins, not for instance SSH logins.