That makes sense and I'll pencil that in. I actually have long thought we should add pam support to xcat sessions as well, but hadn't gotten around to it.
I might still be tempted to do an external TOTP implementation in addition to pam because:

- Could recognize 'users' without requiring mapping them to the system auth table (though perhaps requiring a pam user per client wouldn't be so bad)
- Not completely pleased with google authenticator pam. No centralized tracking of OTP usage, secret stored in the clear.
- totp-cgi+pam_url might be better, but afaict, they must prompt independently for passphrase and totp (i.e. being unable to do something like 'forward_pass'.)
- I derive perverse enjoyment from implementing RFCs from scratch.

Of course, this could still all be a pipe dream, but it's something I've long itched to do.

From: "Daniel M. Weeks" <[email protected]>
To: xCAT Users Mailing list <[email protected]>
Date: 07/01/2013 11:51 AM
Subject: Re: [xcat-user] conserver replacement

On 06/30/2013 01:38 PM, Jarrod Johnson wrote:
> I'm contemplating a conserver replacement. There is sufficient
> functionality I want to add and conserver is a tad inconvenient.
>
> For authentication, aside from SSL client certs, would support
> user/password auth with admin having the option to additionally require
> TOTP (TOTP support would have the secret encrypted using user password
> as key). The TOTP algorithm would be interoperable with the Google
> Authenticator mobile app.
>

TOTP can already be used in conserver if PAM is enabled and I would highly recommend sticking with this functionality (via PAM) instead of re-implementing it. Not only does it remove the complexity and work of securely implementing TOTP, it also allows other PAM modules to be used. (Kerberos would be nice if someone is opening a ton of consoles at once.)

--
Daniel M. Weeks
Systems Programmer
Computational Center for Nanotechnology Innovations
Rensselaer Polytechnic Institute
Troy, NY 12180
518-276-4458

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows: Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user
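As an added illustration of the TOTP scheme the thread is debating (an example written for this page, not code from xCAT, conserver, or either poster), the following Python implements RFC 4226 HOTP and RFC 6238 TOTP with the Google Authenticator app's defaults (base32 secret, HMAC-SHA1, 30-second step, 6 digits) and adds the per-user "last accepted time step" bookkeeping that the reply says google-authenticator PAM lacks, so a code that was already accepted cannot be replayed inside the drift window. The user name, the in-memory store and the one-step clock-drift allowance are assumptions; the secret in the test is the RFC 6238 test-vector secret.

```python
"""Worked TOTP verifier: RFC 6238 over RFC 4226 HOTP, Google Authenticator defaults.
Added example for this thread, not xCAT/conserver code."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(T / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def decode_base32_secret(text: str) -> bytes:
    """Google Authenticator shows/accepts the secret as unpadded base32,
    often grouped with spaces and in lower case; normalise before decoding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Verifies codes and remembers the last accepted time step per user.

    This is the 'centralized tracking of OTP usage' the reply asks for:
    a code that was already accepted (or any code for an older step) is
    refused even if it is still inside the clock-drift window.
    """

    def __init__(self, step: int = 30, digits: int = 6, skew: int = 1):
        self.step = step
        self.digits = digits
        self.skew = skew            # assumed: accept +/- this many steps of drift
        self.last_step = {}         # assumed in-memory store: user -> last accepted counter

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = current + delta
            if counter <= self.last_step.get(user, -1):
                continue            # already used, or older than the last accepted step
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self.last_step[user] = counter
                return True
        return False
```

The verifier is deliberately stateful: the tracking dictionary would live in whatever central store the console server keeps sessions in, and the secret passed to verify() would be the one decrypted from the user's password-protected record, which this example does not cover.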
