No subject

Sven-Göran Bergh svengbergh-busybox at yahoo.com
Tue May 8 06:59:14 UTC 2012


Hi,

>>>   2) Would it be possible to leave the 2nd channel (delivery of the pin)
>>>   to a separate user supplied script? In that case it would be simple for
>>>   the admin to set up the delivery as desired by e.g. a simple shell script,
>>>   SMS, HTTP(S), netcat magic, SMTP, etc.? This would be a very simple,
>>>   and yet flexible and powerful approach.
>> 
>>  It is an excellent idea to give flexibility.
>> 
>>  It should be possible to define which application will be run to
>>  present the pin to the user - possibly in the same file where the
>>  shared secrets are stored, so that each user can have its own delivery
>>  (email for someone, web-sms gateway for someone else, etc.).
>> 
>>  Example : /etc/otp
>>  $USER:$SHAREDSECRET:$DELIVERY
>> 
>>  $DELIVERY would simply be the path to a script, with say $1 as the pin
>>  to deliver and $2 as the user to deliver it to, to offer flexibility.
> 
> Seems like a good, simple and flexible "interface" between the core OTP
> and the delivery script/app.
> 
>>  The file would be optional (if delivery is not defined, simply display
>>  the pin within login by default) - along with a default shared secret,
>>  randomly generated at compile-time.
> 
> The default may also apply if the user is not found in the file.

Some thoughts on the defaults:

1) OTP should not be enabled by default in bb. It should require an
active config, like CONFIG_FEATURE_LOGIN_OTP. (I guess all agree on
this one)

2) Even when compiled with OTP I think it should be easy to disable
OTP for some users. Some examples:

    # cat /etc/otp
    $UID1:$SHAREDSECRET:$DELIVERY
    $UID2:$SHAREDSECRET:

   a) $UID1 will get the PIN delivered by the configured $DELIVERY.
   b) $UID2 will get the PIN within login (the default).
   c) $UID3 will not benefit from OTP at all (not present in /etc/otp).

3) When compiled with OTP, default for the special case with no
/etc/otp could be argued, but here are my 2 cents:
   a) No /etc/otp => enable the default for all users (PIN in login)
   b) Empty /etc/otp => OTP disabled for all users (consistent with 2)

/Sven
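Added example, not busybox code and not from any participant in this thread: a stand-alone C sketch of the /etc/otp lookup rules proposed above (entries `USER:SHAREDSECRET:DELIVERY`, the "no file" and "empty file" defaults, the "not listed" case, and the `$1 = pin`, `$2 = user` argv interface to the delivery program). Assumptions of the sketch that the thread does not state: the first field is the login name, `#` starts a comment line, a malformed entry rejects the login instead of silently downgrading it, and the compile-time random secret is stood in for by a fixed placeholder. The sample file content and user names are constructed.

```c
/*
 * Stand-alone sketch (not busybox code) of the /etc/otp lookup discussed in
 * this thread.  Format, one entry per line:  USER:SHAREDSECRET:DELIVERY
 *
 * Assumptions not taken from the thread: the first field is the login name,
 * '#' starts a comment, and a malformed entry rejects the login.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Placeholder for the compile-time random default secret proposed in the
 * thread; a real build would generate this at compile time. */
#define OTP_DEFAULT_SECRET "REPLACE-WITH-COMPILE-TIME-RANDOM-SECRET"

enum otp_mode {
    OTP_DISABLED,       /* no OTP step: user not listed, or file empty */
    OTP_PIN_IN_LOGIN,   /* login prints the PIN itself (the default) */
    OTP_PIN_DELIVERED,  /* PIN handed to the user's delivery program */
    OTP_REJECT          /* malformed entry: refuse the login (fail closed) */
};

struct otp_entry {
    enum otp_mode mode;
    char secret[128];
    char delivery[256];
};

/*
 * Decide how OTP applies to `user`.  `otp_text` is the content of /etc/otp,
 * or NULL when the file does not exist.  Rules from the thread:
 *   file absent     -> PIN in login for everyone, default secret  (3a)
 *   file empty      -> OTP disabled for everyone                  (3b)
 *   user not listed -> OTP disabled                               (2c)
 *   DELIVERY empty  -> PIN in login                               (2b)
 *   DELIVERY set    -> PIN via that program                       (2a)
 */
enum otp_mode otp_lookup(const char *otp_text, const char *user, struct otp_entry *out)
{
    memset(out, 0, sizeof *out);          /* also NUL-terminates the strings */
    out->mode = OTP_DISABLED;

    if (otp_text == NULL) {
        out->mode = OTP_PIN_IN_LOGIN;
        snprintf(out->secret, sizeof out->secret, "%s", OTP_DEFAULT_SECRET);
        return out->mode;
    }

    const char *line = otp_text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *end = line + len;
        const char *c1 = (len && line[0] != '#') ? memchr(line, ':', len) : NULL;

        /* Exact match on the whole first field: "ali" must not match "alice". */
        if (c1 && (size_t)(c1 - line) == strlen(user) && memcmp(line, user, strlen(user)) == 0) {
            const char *f2 = c1 + 1;
            const char *c2 = memchr(f2, ':', (size_t)(end - f2));
            const char *f3 = c2 ? c2 + 1 : end;
            size_t slen = (size_t)((c2 ? c2 : end) - f2);
            size_t dlen = (size_t)(end - f3);

            if (slen == 0 || slen >= sizeof out->secret || dlen >= sizeof out->delivery) {
                out->mode = OTP_REJECT;   /* empty secret or oversized field */
                return out->mode;
            }
            memcpy(out->secret, f2, slen);
            memcpy(out->delivery, f3, dlen);
            out->mode = dlen ? OTP_PIN_DELIVERED : OTP_PIN_IN_LOGIN;
            return out->mode;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return out->mode;   /* file present, user not listed */
}

/*
 * Run the delivery program with $1 = pin and $2 = user, as proposed in the
 * thread.  execv() with an argv array, never system(): the login name comes
 * from an unauthenticated client and must not pass through a shell.
 * Returns the program's exit status, or -1 on failure.
 */
int otp_deliver(const struct otp_entry *e, const char *pin, const char *user)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)e->delivery, (char *)pin, (char *)user, NULL };
        execv(e->delivery, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed sample /etc/otp content; names and paths are made up. */
static const char OTP_SAMPLE[] =
    "# user:secret:delivery\n"
    "alice:s3cr3t-a:/usr/local/sbin/otp-sms\n"
    "bob:s3cr3t-b:\n";

int main(void)
{
    static const char *users[] = { "alice", "bob", "carol" };
    for (size_t i = 0; i < 3; i++) {
        struct otp_entry e;
        enum otp_mode m = otp_lookup(OTP_SAMPLE, users[i], &e);
        printf("%-6s mode=%d delivery=%s\n", users[i], (int)m, e.delivery);
    }
    return 0;
}
```

Two operational points follow from the format itself: /etc/otp holds shared secrets, so it must be owned by root and mode 0600, and the delivery program runs with login's privileges while receiving a login name chosen by whoever is connecting, so it has to be invoked by path with an argv array (as above) rather than through a shell command line.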


