On Jun 6, 2007, at 4:38 PM, Nicolas Williams wrote:

> On Wed, Jun 06, 2007 at 04:32:09PM -0700, Henry B. Hotz wrote:
>> On Jun 6, 2007, at 12:58 PM, Nicolas Williams wrote:
>>> I was thinking of pam_otp.
>>
>> Ah! Very interesting point.
>>
>> I guess we're in violent agreement about the problem, but I guess an
>
> We've converged :)
>
> But you see the problem, surely. To do what you want you'd need to spec
> out:
>
> - a new OTP
> - an SSHv2 userauth method
> - a SASL/GSS-API mechanism
> - an EAP method
> - a Kerberos V pre-auth
>
> And get some/all of that implemented, and new tokens manufactured and
> deployed. By the time you've done the bare minimum the world will have
> passed OTPs by -- we'll all be using smartcards embedded in our brains
> by then.
Given ubiquitous card readers and PKINIT support my only use for OTP is to support legacy stuff. Something that works with Solaris 9-10 kinit and an LDAP server plugin is sufficient. (Yes, I know those requirements aren't directly congruent to what I said earlier.)

Tangent: is there a Kerberos or GSSAPI EAP method?

------------------------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu