Hi, DSA are already looking at two factor authentication, but TOTP based rather than HOTP. There are plenty of TOTP calculators that could be deployed on smart phones, etc. rather than requiring DDs to own a YubiKey (and have USB port available... i wonder if my iPad has a USB port...).
Interestingly, OpenSSH 6.2 (just released) now offers two-factor authentication so we can augment ssh keys with TOTP. Aslo, we have sso.debian.org, whose use we should expand. I can help with a GSoC but I think DSA would prefer to lean in the direction of the above. Finally, if we are going to require DDs to have a physical object, I'm more in favour of an OpenPGP token than an OTP token. The OpenPGP token could then power gpg (yes, Luca, we get that :) ) and act as an ssh-agent. Couple that with OTP, and we have quite strong overall solution, I think. Let me know your thoughts, Luca On Thu, Apr 11, 2013 at 08:10:40PM +0200, Daniel Pocock wrote: > > > Fedora recently put in Yubikey for their packagers[1], although they are > only half way there, supporting sudo but not web auth so far. > > Similar things could probably happen in Debian. > > I've proposed two-factor authentication as a potential area for a GSoC > project[2], two things come up: > > a) would anyone else be interested in co-mentoring in this area (e.g. > development of tools to support/administer two factor auth)? > > b) would anyone be interested in seeing this in Debian infrastructure, > has it been discussed before, and could this provide guidance to any > students proposing a project in this area? > > Even if you don't have time to formally commit to GSoC, it would be > useful to have feedback from people who have experienced this in other > projects and would like to see it in Debian. > > > 1. https://fedoraproject.org/wiki/Infrastructure/Yubikey > > > 2. > http://wiki.debian.org/SummerOfCode2013/Projects#One-time-password_.28token.29_based_authentication_and_transactions > > > -- > To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org > Archive: http://lists.debian.org/5166fca0.70...@pocock.com.au > -- Luca Filipozzi http://www.crowdrise.com/SupportDebian -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20130411190440.ga32...@emyr.net