[Freeipa-devel] OTP CLI Proposal

Dmitri Pal dpal at redhat.com
Fri Jul 26 23:55:07 UTC 2013


On 07/26/2013 12:01 PM, Nathaniel McCallum wrote:
> I have added a proposal for an authentication management CLI to the wiki. It currently includes the ability to manage authentication methods, RADIUS servers and OTP tokens. Please review!
>
> http://www.freeipa.org/page/V3/OTP#CLI
>
> Nathaniel
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

Maybe use auth-policy instead of auth?

"These commands may be run by the admin or by the user. When run by a
user, the user should only be able to view, search or modify their own
tokens. Admins, however, may perform any action on any user's tokens. "
The user probably should not be able to modify everything; at least in the
future there should be a way to prevent a user from modifying his token and any
attribute. IMO it is a policy decision per deployment. Needs more thought
in the future. Probably fine as is for now. Please note that, though. May be
worth a separate RFE ticket.
Again, for now admins probably should be able to modify any token; however,
in the future we probably want to be able to reduce it to only admins that
have a specific role. For example, out of 10 admins for IPA only 2 that
have token management responsibilities should be able to manage tokens.

The use of the command line arguments is close to our current CLI but
might not 100% comply with all rules. This part is way beyond my
understanding, however; our CLI gurus should probably review and chime in.

What is the ID for the token in the otp-mod or otp-del command? It is
usually the serial number. Do you have something else in mind?

You are missing the concept of a show command for link and otp. The show
command shows the current values of the specific entry while 'find' helps
you to find the entry.

Why base32 encoding for the random data and base64? What should be the
length limitations for the data to type in and be accepted? Are we going
to reject data with low entropy?


What is the use case for export? Does it dump the key in clear? Is this
a security risk?

Can you please fix the formatting so that the commands are more readable?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
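As an added illustration of the length and low-entropy questions raised above (example code written for this page, not part of the thread, the wiki proposal or FreeIPA): a small acceptance check for an operator-typed base32 OTP seed. The 128-bit minimum and 160-bit recommendation come from RFC 4226; the 64-byte cap and the 3.0 bits-per-byte entropy threshold are assumed policy values, not anything the proposal specifies.

```python
import base64
import binascii
import math
from collections import Counter
from typing import Tuple

# Assumed policy values for this example. RFC 4226 requires at least 128 bits
# of HOTP secret and recommends 160; the 64-byte cap (HMAC-SHA512 block size)
# and the entropy threshold are choices made here, not FreeIPA's.
MIN_KEY_BYTES = 16
MAX_KEY_BYTES = 64
MIN_BITS_PER_BYTE = 3.0


def encode_otp_key(key: bytes) -> str:
    """Base32-encode a raw seed without '=' padding, as shown to operators."""
    return base64.b32encode(key).decode("ascii").rstrip("=")


def decode_otp_key(text: str) -> bytes:
    """Decode a typed base32 key, tolerating lower case, spaces and missing
    '=' padding (what people actually type); reject anything else."""
    cleaned = "".join(text.split()).upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty key")
    padded = cleaned + "=" * (-len(cleaned) % 8)   # restore base32 padding
    try:
        return base64.b32decode(padded, casefold=True)
    except (binascii.Error, ValueError) as e:
        raise ValueError(f"not valid base32: {e}") from e


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_otp_key(text: str) -> Tuple[bool, str]:
    """Return (accepted, reason): rejects undecodable, too short, too long,
    constant or visibly low-entropy seeds before they are stored."""
    try:
        key = decode_otp_key(text)
    except ValueError as e:
        return False, str(e)
    if len(key) < MIN_KEY_BYTES:
        return False, f"key is {len(key) * 8} bits; need at least {MIN_KEY_BYTES * 8}"
    if len(key) > MAX_KEY_BYTES:
        return False, f"key is {len(key)} bytes; maximum is {MAX_KEY_BYTES}"
    if len(set(key)) == 1:
        return False, "key is a single repeated byte"
    bits = shannon_bits_per_byte(key)
    if bits < MIN_BITS_PER_BYTE:
        return False, f"key entropy {bits:.2f} bits/byte is below {MIN_BITS_PER_BYTE}"
    return True, f"ok: {len(key) * 8}-bit key, {bits:.2f} bits/byte"
```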