On 2015/11/24 11:24, Richard Johnson wrote:
> We use 2-factor authn for sudo & doas, as well as for most logins.
> Presently, we transport Yubikey and other HOTP strings across RADIUS to an
> otpd authserver

Interesting... is that a fork of the TRI-D otpd? I found the googlecode
one and a github export but nothing that seems currently active and
nothing that supports Yubikey. (I'm on the lookout for things that
handle central Yubikey auth; none of the programs that I've found so
far are very appealing.)

> This is on systems with 1200+ user accounts, about 30 active daily.  Users
> expect that if they can log in as username:radius or username:skey, they
> should be able to sudo -a radius or sudo -a skey.
> 
> Moving away from Kerberos means possible increasing use of sudo or doas by
> regular users to run transfer commands to data archives.  For this, it would
> be useful if doas supported "-a skey".  Then I could just use doas; the
> command is otherwise plain enough.
> 
> But that's not a lot of users across the entire OpenBSD installed base.
> 
> Installing sudo from ports is still an option. I need to debug the -a
> failure there now. ;)
> 
> 
> Richard
> 

Personally my take on this is that as long as it's just done as -a
then it's small and simple to implement (pass a string from args to
auth_userokay), and there's no other way to provide access to this which
is an important, though lesser-known, part of bsd_auth. We already trust
auth_userokay with network-supplied strings for this (e.g. as part of
the username from ssh) so this doesn't seem to add any real exposure
risk.
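The plumbing described above, as an added example that is not code from the doas project or from either mail: splitting the `user:style` form that sshd hands to bsd_auth (and that a `-a style` flag would supply directly), then passing the style string unchanged to auth_userokay(3). The helper names `split_login_style()` and `check_with_style()` and the `"auth-doas"` login.conf type are assumptions made for illustration; the bsd_auth call itself is only compiled on OpenBSD, elsewhere the check reports failure.

```c
/*
 * Added example: route a user-supplied authentication style into
 * bsd_auth the way the mail describes. Not doas code; the helper
 * names and the "auth-doas" type are assumptions for illustration.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#ifdef __OpenBSD__
#include <login_cap.h>
#include <bsd_auth.h>
#endif

/*
 * Split "user" or "user:style" into its parts. This is the same form
 * that arrives as the login name over ssh (e.g. "richard:skey").
 * Returns 0 on success, -1 if the user part is empty, a style is
 * given but empty, or either part would not fit. When no style is
 * present, style[] is set to "" so the caller can pass NULL to
 * bsd_auth, which then uses the login class default.
 */
int split_login_style(const char *login, char *user, size_t ulen,
    char *style, size_t slen)
{
	const char *colon = strchr(login, ':');
	size_t n = colon ? (size_t)(colon - login) : strlen(login);

	if (n == 0 || n >= ulen)
		return -1;
	memcpy(user, login, n);
	user[n] = '\0';

	if (colon == NULL) {
		style[0] = '\0';
		return 0;
	}
	n = strlen(colon + 1);
	if (n == 0 || n >= slen)
		return -1;
	memcpy(style, colon + 1, n + 1);
	return 0;
}

/*
 * Hand the style straight to auth_userokay(3). The string is not
 * interpreted here: bsd_auth looks it up in the user's login.conf class
 * and fails if the style is not one the class allows, which is why the
 * mail argues that accepting it from argv adds no real exposure beyond
 * what sshd already does. Returns 1 if authentication succeeded.
 */
int check_with_style(const char *user, const char *style)
{
#ifdef __OpenBSD__
	/* "auth-doas" is an assumed login.conf "auth-<type>" entry. */
	return auth_userokay((char *)user,
	    style[0] ? (char *)style : NULL, "auth-doas", NULL);
#else
	(void)user;
	(void)style;
	fprintf(stderr, "bsd_auth(3) is only available on OpenBSD\n");
	return 0;
#endif
}

/* Usage: ./a.out user[:style]   (reads the password interactively) */
int main(int argc, char *argv[])
{
	char user[64], style[64];

	if (argc != 2) {
		fprintf(stderr, "usage: %s user[:style]\n", argv[0]);
		return 2;
	}
	if (split_login_style(argv[1], user, sizeof user,
	    style, sizeof style) == -1) {
		fprintf(stderr, "bad login/style: %s\n", argv[1]);
		return 2;
	}
	if (!check_with_style(user, style)) {
		fprintf(stderr, "authentication failed\n");
		return 1;
	}
	printf("ok: %s (style %s)\n", user, style[0] ? style : "default");
	return 0;
}
```

The only trust boundary worth noting is the one the mail points at: the style string selects an entry from login.conf, it never names a program directly, so an unknown or disallowed style simply fails the check rather than changing what runs.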
