[Freeipa-devel] [PATCH 0058] Add the otptoken-add-yubikey command

Nathaniel McCallum npmccallum at redhat.com
Mon Jun 23 13:29:58 UTC 2014


On Mon, 2014-06-23 at 09:42 +0200, Martin Kosek wrote:
> On 06/23/2014 09:29 AM, Alexander Bokovoy wrote:
> > On Fri, 20 Jun 2014, Nathaniel McCallum wrote:
> >> On Thu, 2014-06-19 at 16:30 -0400, Nathaniel McCallum wrote:
> >>> This command behaves almost exactly like otptoken-add except:
> >>> 1. The new token data is written directly to a YubiKey
> >>> 2. The vendor/model/serial fields are populated from the YubiKey
> >>>
> >>> === NOTE ===
> >>> 1. This patch depends on the new Fedora package: python-yubico. If you
> >>> would like to help with the package review, please assign yourself here:
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1111334
> >>
> >> New version of the patch. This one works (yay!).
> >>
> >> 1. Because of the dependency on python-yubico, is this feature something
> >> we want in core FreeIPA? As a subpackage? Separate project altogether?
> >> The only dependency for python-yubico is pyusb.
> > I'd prefer to have it integrated but have a separate dummy subpackage
> > that pulls in all required dependencies, like, freeipa-tools-yubico. Instead of
> > failing when 'ipa otptoken-add-yubikey' is called, please wrap the
> > python-yubico import into code that allows reporting a message back to
> > the user advising to install the package.
> 
> +1. For 4.0, I would just fail cleanly and keep functioning if python-yubico is
> not configured, just like in Alexander's trust example.
> 
> For 4.2, we plan to introduce subpackages
> (https://fedorahosted.org/freeipa/ticket/4058). This is the right time and
> place to introduce something like "freeipa-server-otp" which would contain the
> files and requirements for OTP. It would also give us time to get it to
> standard Fedora repositories if we want this functionality by default.

python-yubico is already in F21 (as of yesterday). So, unless there is
some other reason that matters, we can probably just add a hard
dependency for now. Is that acceptable?

Nathaniel



