Re: [PATCH] doas authentication type

2015-12-08 Thread David Gwynne
I would like this. It has my OK for what it is worth here. On 8 Dec 2015 11:41 am, "Stuart Henderson" wrote: > On 2015/11/25 00:14, Stuart Henderson wrote: > > On 2015/11/24 11:24, Richard Johnson wrote: > > > We use 2-factor authn for sudo & doas, as well as for most logins.

Re: [PATCH] doas authentication type

2015-12-08 Thread Ted Unangst
Stuart Henderson wrote: > > > > Personally my take on this is that as long as it's just done as -a > > then it's small and simple to implement (pass a string from args to > > auth_userokay), and there's no other way to provide access to this which > > is an important, though lesser-known, part of

Re: [PATCH] doas authentication type

2015-12-07 Thread Stuart Henderson
On 2015/11/25 00:14, Stuart Henderson wrote: > On 2015/11/24 11:24, Richard Johnson wrote: > > We use 2-factor authn for sudo & doas, as well as for most logins. > > Presently, we transport Yubikey and other HOTP strings across RADIUS to an > > otpd authserver > > Interesting...is that a fork of

Re: [PATCH] doas authentication type

2015-11-24 Thread Richard Johnson
On 2015-08-27 11:16, Theo de Raadt wrote: How many users of that functionality will there be? We only need to concern ourselves with the cost; you have to justify the benefit. How many people were doing this with sudo, and how many will need this with doas? My current model is to use my

Re: [PATCH] doas authentication type

2015-08-27 Thread Theo de Raadt
security model. How many users of that functionality will there be? We only need to concern ourselves with the cost; you have to justify the benefit. How many people were doing this with sudo, and how many will need this with doas? While I understand it's a good idea to limit

Re: [PATCH] doas authentication type

2015-08-27 Thread Renaud Allard
On 27/08/15 19:08, Theo de Raadt wrote: doas is one of the few setuid programs. It should try to do a little bit less functionality, because doing less is part of the security model. How many users of that functionality will there be? We only need to concern ourselves with the cost; you

Re: [PATCH] doas authentication type

2015-08-27 Thread Ted Unangst
Renaud Allard wrote: On 08/26/2015 06:39 PM, Michael Reed wrote: Hi Renauld, On 08/26/15 09:38, Renaud Allard wrote: I rewrote a little bit the patch to remove a small kind-of typo in the manpage and remove too long lines. So with this patch, you add the user the right to choose the

Re: [PATCH] doas authentication type

2015-08-27 Thread Renaud Allard
On 27/08/15 19:30, Theo de Raadt wrote: security model. How many users of that functionality will there be? We only need to concern ourselves with the cost; you have to justify the benefit. How many people were doing this with sudo, and how many will need this with doas? While I

Re: [PATCH] doas authentication type

2015-08-27 Thread Theo de Raadt
Sorry, I think adding an option is too much. I just committed halex's original diff to only change the type. I thought he was going to do that by now. Hi Ted, The thing is, my patch doesn't do the same thing at all as the one which adds auth-doas. My patch lets the user choose

Re: [PATCH] doas authentication type

2015-08-27 Thread Renaud Allard
On 27/08/15 18:32, Ted Unangst wrote: Sorry, I think adding an option is too much. I just committed halex's original diff to only change the type. I thought he was going to do that by now. Hi Ted, The thing is, my patch doesn't do the same thing at all as the one which adds auth-doas.

Re: [PATCH] doas authentication type

2015-08-27 Thread Brandon Mercer
On Thu, Aug 27, 2015 at 1:09 PM Theo de Raadt dera...@cvs.openbsd.org wrote: Sorry, I think adding an option is too much. I just committed halex's original diff to only change the type. I thought he was going to do that by now. Hi Ted, The thing is, my patch doesn't do

Re: [PATCH] doas authentication type

2015-08-27 Thread Theo de Raadt
How many users of that functionality will there be? We only need to concern ourselves with the cost; you have to justify the benefit. How many people were doing this with sudo, and how many will need this with doas? My current model is to use my yubikey when sudo'ing. Occasionally

Re: [PATCH] doas authentication type

2015-08-27 Thread Ted Unangst
Renaud Allard wrote: On 27/08/15 18:32, Ted Unangst wrote: Sorry, I think adding an option is too much. I just committed halex's original diff to only change the type. I thought he was going to do that by now. Hi Ted, The thing is, my patch doesn't do the same thing at all

Re: [PATCH] doas authentication type

2015-08-27 Thread Renaud Allard
On 27/08/15 21:18, Ted Unangst wrote: Renaud Allard wrote: I understand the difference, but we are opposed to adding new options unless a majority of users are expected to use them. OK, I can understand. However, it doesn't do anything normal auth can't do, except giving the user a choice

Re: [PATCH] doas authentication type

2015-08-27 Thread Alexander Hall
On August 27, 2015 6:32:31 PM GMT+02:00, Ted Unangst t...@tedunangst.com wrote: Renaud Allard wrote: On 08/26/2015 06:39 PM, Michael Reed wrote: Hi Renauld, On 08/26/15 09:38, Renaud Allard wrote: I rewrote a little bit the patch to remove a small kind-of typo in the manpage and remove

Re: [PATCH] doas authentication type

2015-08-27 Thread Renaud Allard
On 08/26/2015 06:39 PM, Michael Reed wrote: Hi Renauld, On 08/26/15 09:38, Renaud Allard wrote: I rewrote a little bit the patch to remove a small kind-of typo in the manpage and remove too long lines. So with this patch, you add the user the right to choose the authentication style and

Re: [PATCH] doas authentication type

2015-08-26 Thread Michael Reed
Hi Renauld, On 08/26/15 09:38, Renaud Allard wrote: I rewrote a little bit the patch to remove a small kind-of typo in the manpage and remove too long lines. So with this patch, you add the user the right to choose the authentication style and administratively, in login.conf, you can

Re: [PATCH] doas authentication type

2015-08-26 Thread Renaud Allard
I rewrote a little bit the patch to remove a small kind-of typo in the manpage and remove too long lines. So with this patch, you add the user the right to choose the authentication style and administratively, in login.conf, you can restrict it. Any comments? OK? Index: doas.1