On Wed, Mar 6, 2013 at 10:19 AM, Matthew Walker <[email protected]>wrote:
> [removed garbage about password auth being wonderful...] > > I don't feel passwords are any more or less secure than keys. In some > cases keys can be even less secure if you're doing agent forwarding. > > This being said -- we have two factor auth available on labsconsole; I'd > love it if two factor auth was also enabled by request for shells. I've > done this on personal servers of mine using google's solution [1]. I don't > think it would be too hard to implement on labs when time is available -- > it's controlled by a file in the home directory (which might be able to be > moved, haven't looked deeply.) > > [1] https://google-authenticator.googlecode.com/ > That's not scalable, and it's insecure on untrusted systems. There's alternative ways to set up OATH (https://github.com/mricon/totp-cgi/for instance), but it's really annoying for end users. I've considered this and went as far as testing it. It really sucks having to type your token in every single time you want to log into any instance. OATH isn't any more secure than properly using ssh keys, anyway, since it's two-factor when a passphrase is used on the key. - Ryan
_______________________________________________ Labs-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/labs-l
