Renaud Allard wrote:
>
> On 27/08/15 18:32, Ted Unangst wrote:
> >
> > Sorry, I think adding an option is too much. I just committed halex's
> > original diff to only change the type. I thought he was going to do
> > that by now.
> >
>
> Hi Ted,
>
> The thing is, my patch doesn't do the same thing at all as the one which
> adds auth-doas. My patch lets the user choose which authentication he
> wants, while the other patch lets the admin restrict which auth is used.

I understand the difference, but we are opposed to adding new options unless a
majority of users are expected to use them.

> - My patch with the option lets the user choose. The example would be a
> server with an encrypted home directory. When everything is working
> correctly, the user can login with, for example, a ssh key and then use
> doas with a (non yubi) password. But if the server has crashed for
> whatever reason and /home is not mounted, the only way to login would be
> with the yubikey because the ssh key is not available and remote login
> with normal passwords is disabled. The option replicates how sudo was
> working.

Something about this doesn't make sense. If you can't login because your ssh
key is gone, there's nothing doas will help you with.
