Hi,

>>> 2) Would it be possible to leave the 2:nd channel (delivery of the pin)
>>> to a separate user supplied script? In that case it would be simple for
>>> the admin to setup the delivery as desired by eg. a simple shell script,
>>> SMS, HTTP(S), netcat magic, SMTP, etc.? This would be a very simple,
>>> and yet flexible and powerful approach.
>>
>> It is an excellent idea to give flexibility.
>>
>> It should be possible to define which application will be run to
>> present the pin to the user - possibly in the same file where the
>> shared secrets are stored, so that each user can have its own delivery
>> (email for someone, web-sms gateway for someone else, etc.).
>>
>> Example : /etc/otp
>> $USER:$SHAREDSECRET:$DELIVERY
>>
>> $DELIVERY would simply be the path to a script, with say $1 as the pin
>> to deliver and $2 as the user to deliver it to, to offer flexibility.
>
> Seems like a good, simple and flexible "interface" between the core OTP
> and the delivery script/app.
>
>> The file would be optional (if delivery is not defined, simply display
>> the pin within login by default) - along with a default shared secret,
>> randomly generated at compile-time.
>
> The default may also apply if the user is not found in the file.
Some thoughts on the defaults:

1) OTP should not be enabled by default in bb. It should require an
   active config, like CONFIG_FEATURE_LOGIN_OTP. (I guess all agree on
   this one)

2) Even when compiled with OTP I think it should be easy to disable OTP
   for some users. Some examples:

   # cat /etc/otp
   $UID1:$SHAREDSECRET:$DELIVERY
   $UID2:$SHAREDSECRET:

   a) $UID1 will get the PIN delivered by the configured $DELIVERY.
   b) $UID2 will get the PIN within login (the default).
   c) $UID3 will not benefit from OTP at all (not present in /etc/otp).

3) When compiled with OTP, default for the special case with no /etc/otp
   could be argued, but here are my 2 cents:

   a) No /etc/otp => enable the default for all users (PIN in login)
   b) Empty /etc/otp => OTP disabled for all users (consistent with 2)

/Sven
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
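The lookup rules proposed in this thread (the `$USER:$SHAREDSECRET:$DELIVERY` line format, the "empty delivery means PIN in login" default, Sven's 2a-2c and 3a-3b cases, and the `$1`=PIN, `$2`=user interface to the delivery script) worked through as an added C example. This is not busybox code and not code from anyone on the thread; `otp_lookup`, `otp_run_delivery`, `struct otp_entry`, the sample file and the script paths are all hypothetical. The file contents are passed in as a string so the example runs offline:

```c
/* Added example, not busybox code: the /etc/otp lookup rules proposed in
 * this thread. File contents are passed in as a string so it runs offline;
 * otp_lookup, otp_run_delivery and struct otp_entry are hypothetical names. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

enum otp_mode {
    OTP_DISABLED,   /* no OTP step in login for this user */
    OTP_DISPLAY,    /* show the PIN inside login (the default) */
    OTP_DELIVER     /* hand the PIN to the user-supplied delivery script */
};

struct otp_entry {
    enum otp_mode mode;
    char secret[128];     /* shared secret; /etc/otp must be root-only (0600) */
    char delivery[256];   /* path of the delivery script, "" if none */
};

/* Parse one "user:secret:delivery" line. Returns 1 and fills *out when the
 * line belongs to `user`; 0 otherwise (including malformed lines). */
static int otp_parse_line(const char *line, size_t len, const char *user,
                          struct otp_entry *out)
{
    const char *c1 = memchr(line, ':', len);
    if (!c1 || (size_t)(c1 - line) != strlen(user) || memcmp(line, user, c1 - line))
        return 0;
    const char *c2 = memchr(c1 + 1, ':', len - (c1 + 1 - line));
    if (!c2)
        return 0;                                 /* needs all three fields */
    snprintf(out->secret, sizeof out->secret, "%.*s", (int)(c2 - c1 - 1), c1 + 1);
    snprintf(out->delivery, sizeof out->delivery, "%.*s",
             (int)(line + len - c2 - 1), c2 + 1);
    out->mode = out->delivery[0] ? OTP_DELIVER : OTP_DISPLAY;
    return 1;
}

/* Resolve the policy for `user` from the contents of /etc/otp:
 *   contents == NULL  (file absent)      -> OTP_DISPLAY with default secret (3a)
 *   contents == ""    (file empty)       -> OTP_DISABLED                    (3b)
 *   user listed, delivery set            -> OTP_DELIVER                     (2a)
 *   user listed, delivery field empty    -> OTP_DISPLAY                     (2b)
 *   user not listed                      -> OTP_DISABLED                    (2c) */
void otp_lookup(const char *contents, const char *user,
                const char *default_secret, struct otp_entry *out)
{
    memset(out, 0, sizeof *out);
    if (contents == NULL) {
        out->mode = OTP_DISPLAY;
        snprintf(out->secret, sizeof out->secret, "%s", default_secret);
        return;
    }
    for (const char *p = contents; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && otp_parse_line(p, len, user, out))
            return;
        if (!nl)
            break;
        p = nl + 1;
    }
    out->mode = OTP_DISABLED;       /* empty file, or user not listed */
}

/* Run the delivery script with the interface proposed above: $1 = PIN,
 * $2 = user. Returns its exit status, 127 if it could not be executed,
 * -1 on fork/wait failure. login runs as root, so the script does too:
 * it must be root-owned and not writable by unprivileged users. */
int otp_run_delivery(const struct otp_entry *e, const char *pin, const char *user)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)e->delivery, (char *)pin, (char *)user, NULL };
        execv(e->delivery, argv);
        _exit(127);                                    /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample of the proposed /etc/otp, embedded so this runs offline. */
    const char *sample = "alice:s3cret:/usr/local/sbin/otp-sms\n"
                         "bob:b0bsecret:\n";
    const char *users[] = { "alice", "bob", "carol" };
    for (int i = 0; i < 3; i++) {
        struct otp_entry e;
        otp_lookup(sample, users[i], "compile-time-default", &e);
        printf("%-6s mode=%d delivery=%s\n", users[i], e.mode, e.delivery);
    }
    return 0;
}
```

Two practitioner caveats on the `$1`/`$2` interface as proposed: the PIN on the command line is visible to every local user through `ps` or `/proc/<pid>/cmdline` for as long as the script runs, so a deployment that cares about that would feed it on stdin instead; and because login runs the script as root, the `$DELIVERY` path has to be treated like any other root-executed file. The earlier suggestion in the quoted text, applying the in-login default to users who are not listed, is a one-line change at the end of `otp_lookup` (return `OTP_DISPLAY` with the default secret instead of `OTP_DISABLED`).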
