Re: [openstack-dev] [Keystone] Multi-factor Auth with Keystone and TOTP

2016-07-18 Thread Steve Martinelli
You can create a new ocata directory if one is not present On Jul 18, 2016 7:24 PM, "Adrian Turjak" wrote: > > > On 19/07/16 03:31, Steve Martinelli wrote: > > I think the change you posted could very much just > > replace the existing password plugin in keystone ( > >

Re: [openstack-dev] [Keystone] Multi-factor Auth with Keystone and TOTP

2016-07-18 Thread Adrian Turjak
On 19/07/16 03:31, Steve Martinelli wrote: > I think the change you posted could very much just > replace the existing password plugin in keystone ( > https://review.openstack.org/#/c/343422/) and not be its own plugin. > > How about a specification instead? >

Re: [openstack-dev] [Keystone] Multi-factor Auth with Keystone and TOTP

2016-07-18 Thread Adrian Turjak
On 19/07/16 01:49, David Stanek wrote: > On Mon, Jul 18, 2016 at 9:13 AM, Adrian Turjak > wrote: >> We need an MFA solution, and this doesn't seem like too terrible an option. > > > One thing to note here is that the credentials for TOTP stored in the > keystone

Re: [openstack-dev] [Keystone] Multi-factor Auth with Keystone and TOTP

2016-07-18 Thread Steve Martinelli
More comments inline. On Mon, Jul 18, 2016 at 9:13 AM, Adrian Turjak wrote: > Ok. So it sounds like I'm not entirely off track and this will probably be > the road we go down for our deployment until we have a better option. We > need an MFA solution, and this doesn't

Re: [openstack-dev] [Keystone] Multi-factor Auth with Keystone and TOTP

2016-07-18 Thread David Stanek
On Mon, Jul 18, 2016 at 9:13 AM, Adrian Turjak wrote: > We need an MFA solution, and this doesn't seem like too terrible an option. One thing to note here is that the credentials for TOTP stored in the keystone credentials backend are not encrypted. So a breach of your

Re: [openstack-dev] [Keystone] Multi-factor Auth with Keystone and TOTP

2016-07-18 Thread Adrian Turjak
Ok. So it sounds like I'm not entirely off track and this will probably be the road we go down for our deployment until we have a better option. We need an MFA solution, and this doesn't seem like too terrible an option. Basically after a bunch of digging this was the only solution I found that

Re: [openstack-dev] [Keystone] Multi-factor Auth with Keystone and TOTP

2016-07-18 Thread Morgan Fainberg
On Sun, Jul 17, 2016 at 10:37 PM, Steve Martinelli wrote: > Several comments inline > > On Mon, Jul 18, 2016 at 12:20 AM, Adrian Turjak > wrote: > >> Hello, >> >> I've been looking at options for doing multi-factor auth (MFA) on our >>

Re: [openstack-dev] [Keystone] Multi-factor Auth with Keystone and TOTP

2016-07-17 Thread Steve Martinelli
Several comments inline On Mon, Jul 18, 2016 at 12:20 AM, Adrian Turjak wrote: > Hello, > > I've been looking at options for doing multi-factor auth (MFA) on our > infrastructure and I'm just wanting to know if the option I've decided > to go with seems sensible. > > As

[openstack-dev] [Keystone] Multi-factor Auth with Keystone and TOTP

2016-07-17 Thread Adrian Turjak
Hello, I've been looking at options for doing multi-factor auth (MFA) on our infrastructure and I'm just wanting to know if the option I've decided to go with seems sensible. As context, we are running stock Keystone (to be backed by LDAP), we wanted to be able to enable MFA on a per user basis,