On 19/05/2015 20:26, Simon Josefsson wrote:
>
> I'm a bit mixed whether this is the best path to pursue, or whether it
> would be better to recommend an indirect path such as Radius or
> something else. [...] It comes with some additional complexity cost,
> though, but maybe it is not significant.
>
> Still, as you suggest, the direct path is relatively easy to put
> together and solves the problem. Perhaps there is room for documenting
> how to do both properly.
This last para sums it up I think. Putting other pre-reqs in the way adds to the technical barrier needed to make it work. For myself, I came across this project when looking for OTP solutions for my small internet-facing project box, and putting other unfamiliar pre-reqs up may have had me looking around for other options: not because I don't agree with the principle, but more that it seemed overkill to get to grips with something unfamiliar for a server that has three or four users at most :-)

That said, even with privilege separation for login, there still needs to be a way for end-users to reset their PIN should they want to: I don't know if moving to (say) Radius or LDAP changes that, other than that the userland tooling might need to be a little different.

Chris
