On 12/04/13 07:56, Thomas Goirand wrote:
> On 04/12/2013 03:25 AM, Tollef Fog Heen wrote:
>> The Yubikey neo can run the java applet thingies, it seems, so it can
>> act as a GPG token too.
> Please, please, please ... no java!!!
> That's a security nightmare. I think we'd be less safe with
> than without it.
>
> Also, while I think the idea is nice, and that it would be a nice
> thing to *propose* it to all DDs, I think it would be annoying
> to actually *require* 2 factors auth from DDs (especially with
> the ssh keys on Alioth).
>

There was never any suggestion to make something mandatory, I actually
agree with those concerns.

Given the nature of Debian, it would be a personalised solution.

So, if a DD regularly accesses Debian infrastructure from a PC that he
does not control (e.g. a work PC) he can choose to use TOTP instead of a
password. A DD who always uses a personal laptop may prefer to use an
ssh key. It is all about choice. With the right tools, DDs would have
these choices each time they log in, or any one person can choose to
make *OTP mandatory for their own login.

So any potential GSoC project may involve making tools that allow DDs to
set this up, the way they want, quickly - but only if they want it.