[Freeipa-devel] OTP Design
Petr Spacek
pspacek at redhat.com
Thu Jan 31 09:34:41 UTC 2013
On 30.1.2013 05:35, Dmitri Pal wrote:
> Hello,
>
> We started to shape a page for the OTP prototyping work we are doing.
> It is work in progress but it has enough information to share and discuss.
> http://freeipa.org/page/V3/OTP
>
> Comments welcome!
I gave it a quick look. Generally, the core seems correct to me. I have only
nitpicks:

I see a big amount of new ipa*-specific attributes.
How do other OTP solutions store tokens/configuration? Is there any
standard/semi-standard LDAP schema with attributes describing tokens?

MIT KDC has its own ("native") LDAP driver. It would be nice to coordinate OID
allocation and schema definition with MIT and share as many attributes as
possible. Do they plan to support OTP configuration in LDAP? (I don't see any
note about LDAP support in
http://k5wiki.kerberos.org/wiki/Projects/OTPOverRADIUS .)

Is the author of
https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication
aware of our effort?

What about re-using the http://www.dynalogin.org/ server for the TOTP/HOTP
implementation (rather than writing our own OTP-in-389 implementation)? I haven't
looked at the dynalogin code ...

Could the (old) draft "SASL and GSS-API Mechanism for Two Factor Authentication
based on a Password and a One-Time Password (OTP): CROTP" from
http://tools.ietf.org/html/draft-josefsson-kitten-crotp-00 be interesting for us
(in future)? Is it worth resurrecting this effort?
--
Petr^2 Spacek