Hi Simon,
Having the same secret in several devices is usually not a good idea -- instead, how about a scheme to have multiple lines in users.oath for the same user but with different OATH secrets? Then each OTP could be tested against all lines for a user, to find which device is relevant, and then that line could be updated.
Perfect! This is exactly what I was hoping for. As well as enabling
flexibility in cases such as mine (where I use a couple of Yubikeys
day-to-day), it would also allow us to be a bit stronger with our pam
config: we could configure a backup token which was stored somewhere
safe & secure, and then we could require the OTP to authenticate instead
of making it "sufficient", knowing that even if we lost our primary
token we could always fall back to the backup.
I did have a look through the code in the hope that it might be simple
enough for me to submit a patch (I don't like just requesting
features!), but unfortunately as an infrastructure guy it's a bit beyond
me. I do think it would be a very powerful addition to the capabilities
though and I hope you would consider adding it... if I could do anything
to help move it forward, such as alpha testing or whatever, just let me
know!
Cheers,
-- Tim
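The multi-line scheme discussed above (several users.oath entries for one user, each with its own HOTP secret and counter, an OTP tried against every line for that user, and only the matching line's counter advanced) is sketched below as an added example. It is not oath-toolkit's code, and it does not use the real users.oath format: the file layout, the `window` parameter and the sample secrets are constructed for illustration (the first secret is the RFC 4226 test key so the codes can be checked against the RFC's vectors).

```python
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# Constructed sample file, simplified layout (assumption, not the real users.oath format):
#   type  user  pin  secret(hex)  counter
# "tim" has two lines, one per hardware token; "alice" has one.
USERS_OATH = """\
# type user pin secret counter
HOTP tim - 3132333435363738393031323334353637383930 0
HOTP tim - 00112233445566778899aabbccddeeff00112233 5
HOTP alice - deadbeefdeadbeefdeadbeefdeadbeefdeadbeef 0
"""

def parse_users_oath(text: str) -> list:
    """Parse the constructed file into a list of entries, one per line/token."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        typ, user, pin, secret_hex, counter = line.split()
        entries.append({
            "type": typ,
            "user": user,
            "pin": pin,
            "secret": bytes.fromhex(secret_hex),
            "counter": int(counter),
        })
    return entries

def verify_otp(entries: list, user: str, otp: str, window: int = 10):
    """Try the OTP against every line belonging to `user`.

    Returns the index of the matching entry (the device that produced the OTP)
    and advances only that entry's counter past the used value, so the same OTP
    is rejected on replay. Returns None when no line within the look-ahead
    window matches. `window` is a hypothetical look-ahead, modelled on the idea
    of a counter window rather than on any specific pam_oath option.
    """
    for idx, entry in enumerate(entries):
        if entry["user"] != user or entry["type"] != "HOTP":
            continue
        for candidate in range(entry["counter"], entry["counter"] + window):
            if hmac.compare_digest(hotp(entry["secret"], candidate), otp):
                entry["counter"] = candidate + 1  # only this device's line moves
                return idx
    return None

if __name__ == "__main__":
    db = parse_users_oath(USERS_OATH)
    print(verify_otp(db, "tim", "755224"))                      # 0: first token
    print(verify_otp(db, "tim", "755224"))                      # None: replay refused
    print(verify_otp(db, "tim", hotp(db[1]["secret"], 7)))      # 1: second token
    print(db[0]["counter"], db[1]["counter"])                   # 1 8
```

Two points the sketch makes explicit: the lookup cost grows with the number of lines per user times the window, and the counter update must be per line, otherwise one token's authentication would desynchronise the other. A real implementation would also need to write the updated counter back to the file under a lock, as oath-toolkit does for its single-line case.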