No subject
Sven-Göran Bergh
svengbergh-busybox at yahoo.com
Tue May 8 06:59:14 UTC 2012
Hi,
>>> 2) Would it be possible to leave the 2nd channel (delivery of the pin)
>>> to a separate user supplied script? In that case it would be simple for
>>> the admin to setup the delivery as desired by eg. a simple shell script,
>>> SMS, HTTP(S), netcat magic, SMTP, etc.? This would be a very simple,
>>> and yet flexible and powerful approach.
>>
>> It is an excellent idea to give flexibility.
>>
>> It should be possible to define which application will be run to
>> present the pin to the user - possibly in the same file where the
>> shared secrets are stored, so that each user can have its own delivery
>> (email for someone, web-sms gateway for someone else, etc.).
>>
>> Example : /etc/otp
>> $USER:$SHAREDSECRET:$DELIVERY
>>
>> $DELIVERY would simply be the path to a script, with say $1 as the pin
>> to deliver and $2 as the user to deliver it to, to offer flexibility.
>
> Seems like a good, simple and flexible "interface" between the core OTP
> and the delivery script/app.
>
>> The file would be optional (if delivery is not defined, simply display
>> the pin within login by default) - along with a default shared secret,
>> randomly generated at compile-time.
>
> The default may also apply if the user is not found in the file.
Some thoughts on the defaults:
1) OTP should not be enabled by default in bb. It should require an
active config, like CONFIG_FEATURE_LOGIN_OTP. (I guess all agree on
this one)
2) Even when compiled with OTP I think it should be easy to disable
OTP for some users. Some examples:
# cat /etc/otp
$UID1:$SHAREDSECRET:$DELIVERY
$UID2:$SHAREDSECRET:
a) $UID1 will get the PIN delivered by the configured $DELIVERY.
b) $UID2 will get the PIN within login (the default).
c) $UID3 will not benefit from OTP at all (not present in /etc/otp).
3) When compiled with OTP, default for the special case with no
/etc/otp could be argued, but here are my 2 cents:
a) No /etc/otp => enable the default for all users (PIN in login)
b) Empty /etc/otp => OTP disabled for all users (consistent with 2)
/Sven
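The lookup rules proposed in this thread (file format user:secret:delivery, plus the defaults in points 2 and 3), written out as an added example in C; this is not busybox code, and the sample file contents, user names and script path are constructed. Reading /etc/otp into a buffer is left to the caller, and NULL stands for "file does not exist".

```c
#include <stdio.h>
#include <string.h>

/* What login should do for a user after consulting /etc/otp (user:secret:delivery). */
enum otp_mode { OTP_OFF, OTP_SHOW_IN_LOGIN, OTP_DELIVER };

/* Constructed sample of the file format discussed in the thread. */
static const char SAMPLE_OTP[] =
    "alice:s3cr3t-alice:/usr/local/sbin/otp-sms\n"   /* delivery script configured */
    "bob:s3cr3t-bob:\n";                             /* empty delivery: PIN shown in login */

/*
 * buf holds the file contents, or NULL when /etc/otp does not exist. Rules:
 *   no file                -> OTP_SHOW_IN_LOGIN for everyone (3a)
 *   user not listed        -> OTP_OFF; an empty file disables OTP for all (2c, 3b)
 *   listed, delivery empty -> OTP_SHOW_IN_LOGIN (2b)
 *   listed, delivery set   -> OTP_DELIVER, script path copied to `delivery` (2a)
 * The shared secret is copied to `secret` whenever the user is listed.
 */
enum otp_mode otp_policy(const char *buf, const char *user,
                         char *secret, size_t slen, char *delivery, size_t dlen)
{
    size_t ulen = strlen(user);
    const char *line = buf;
    secret[0] = delivery[0] = '\0';
    if (buf == NULL)
        return OTP_SHOW_IN_LOGIN;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *c1 = memchr(line, ':', len);
        /* Exact match on the whole user field, never a prefix match. */
        if (c1 && (size_t)(c1 - line) == ulen && memcmp(line, user, ulen) == 0) {
            const char *f2 = c1 + 1, *end = line + len;
            const char *c2 = memchr(f2, ':', (size_t)(end - f2));
            const char *f2end = c2 ? c2 : end;
            snprintf(secret, slen, "%.*s", (int)(f2end - f2), f2);
            if (c2 == NULL || c2 + 1 == end)
                return OTP_SHOW_IN_LOGIN;
            snprintf(delivery, dlen, "%.*s", (int)(end - (c2 + 1)), c2 + 1);
            return OTP_DELIVER;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return OTP_OFF;
}
```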