[Freeipa-devel] OTP CLI Proposal

Petr Viktorin pviktori at redhat.com
Mon Jul 29 08:20:13 UTC 2013


On 07/27/2013 01:55 AM, Dmitri Pal wrote:
> On 07/26/2013 12:01 PM, Nathaniel McCallum wrote:
>> I have added a proposal for an authentication management CLI to the wiki. It currently includes the ability to manage authentication methods, RADIUS servers and OTP tokens. Please review!
>>
>> http://www.freeipa.org/page/V3/OTP#CLI
>>
>> Nathaniel
>>
>> _______________________________________________
>> Freeipa-devel mailing list
>> Freeipa-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
> Maybe use auth-policy instead of auth?
>
> "These commands may be run by the admin or by the user. When run by a
> user, the user should only be able to view, search or modify their own
> tokens. Admins, however, may perform any action on any user's tokens. "
> User probably should not be able to modify everything at least in future
> there should be a way to prevent user from modifying his token and any
> attribute. IMO it is a policy decision per deployment. Need more thought
> in future. Probably fine as is for now. Please note that though. May be
> worth a separate RFE ticket.
> Again for now probably admins should be able to modify any token however
> in future we probably want to be able to reduce it only to admins that
> have a specific role. For example out of 10 admins for IPA only 2 that
> have token management responsibilities should be able to manage tokens.
>
> The use of the command line arguments is close to our current CLI but
> might not 100% comply with all rules. But this part is way beyond my
> understanding; however, our CLI gurus should probably review and chime in.

I'm not aware of any formal rules, but to be more consistent with the 
rest of the CLI:
There should be auth-show and auth-find to query the information.

For better or worse, `auth` should use a --method argument that sets the 
named methods and clears any others:

     auth-mod [--user=LOGIN] [--method=method]

e.g. `auth-mod --method=m1 --method=m2` would add methods m1 and m2 and 
remove all others.
The plan is to add options like `--add-method` & `--del-method` later 
(see https://fedorahosted.org/freeipa/ticket/3054).

I'd also think about `auth-mod [--user=LOGIN | --global]`, i.e. 
requiring an explicit flag for modifying the global settings (without 
either --user or --global, the command would prompt interactively).


The radius-link command looks overloaded; IPA generally splits 
functionality into several commands:

     radius-link-add LOGIN [--cn=CN] [--username=STR]
     radius-link-mod LOGIN [--cn=CN] [--username=STR]
     radius-link-show LOGIN
     radius-link-find ...
     radius-link-del LOGIN

Also, we use lowercase option names; otp-{add,find,mod,export} should 
use `--not-before` & `--not-after`.


> What is the ID for the token in the otp-mod or otp-del command ? It is
> usually serial number. Do you have something else in mind?
>
> You are missing the concept of show command for link and otp. Show
> command shows current values of the specific entry while 'find' helps
> you to find the entry.
>
> Why base32 encoding for the random data and base 64? What should be the
> length limitations for the data to type in and be accepted? Are we going
> to reject data with low entropy?
>
>
> What is the use case for export? Does it dump the key in clear? Is this
> a security risk?
>
> Can you please fix the formatting so that the commands are more readable?
>


-- 
Petr³
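The replace-versus-add/del semantics and the `--user | --global` flag discussed in the message above, modelled as an added example written for this page (it is not FreeIPA's own plugin code). The option names and the "set the named methods and clear all others" behaviour follow the message; the `argparse` layout, the sample method set, the `('prompt', None)` sentinel in place of real interactive prompting, and the `ValueError` for mixing `--method` with `--add-method`/`--del-method` are assumptions of this example.

```python
import argparse

# Constructed sample state for the example: the methods currently set on an
# entry. Not taken from any real IPA deployment.
SAMPLE_CURRENT = ["password", "otp"]


def build_parser():
    """argparse model of the auth-mod options from the message (assumed shape,
    not the real ipa plugin code)."""
    parser = argparse.ArgumentParser(prog="auth-mod")
    target = parser.add_mutually_exclusive_group()
    target.add_argument("--user", metavar="LOGIN", help="modify this user's settings")
    target.add_argument("--global", dest="global_", action="store_true",
                        help="modify the global settings")
    parser.add_argument("--method", action="append", metavar="METHOD",
                        help="set the named methods and clear all others")
    # Incremental options the message says are planned for later.
    parser.add_argument("--add-method", dest="add_method", action="append", metavar="METHOD")
    parser.add_argument("--del-method", dest="del_method", action="append", metavar="METHOD")
    return parser


def resolve_target(args):
    """Which entry the command modifies. Without --user or --global the
    proposal says the command prompts; this example only reports that
    (the 'prompt' sentinel is an assumption, no real prompting is done)."""
    if args.user is not None:
        return ("user", args.user)
    if args.global_:
        return ("global", None)
    return ("prompt", None)


def apply_method_options(current, method=None, add_method=None, del_method=None):
    """Compute the new method set.

    --method has replace semantics: the named methods become the whole set and
    anything not repeated on the command line is dropped. --add-method and
    --del-method only touch the methods they name.
    """
    methods = set(current)
    if method:
        methods = set(method)          # replace: clears everything not named
    if add_method:
        methods |= set(add_method)     # incremental add
    if del_method:
        methods -= set(del_method)     # incremental remove
    return sorted(methods)


def run(argv, current=SAMPLE_CURRENT):
    """Parse argv and return (target, new_methods). Mixing --method with the
    incremental options is rejected here; that is an assumption of this
    example, the message does not specify the combination."""
    args = build_parser().parse_args(argv)
    if args.method and (args.add_method or args.del_method):
        raise ValueError("--method replaces the whole set; do not combine it "
                         "with --add-method/--del-method")
    return resolve_target(args), apply_method_options(
        current, args.method, args.add_method, args.del_method)


if __name__ == "__main__":
    # --method=m1 --method=m2 keeps only m1 and m2; "password" and "otp" are gone.
    print(run(["--user=alice", "--method=m1", "--method=m2"]))
    # --add-method keeps the existing set and adds one method.
    print(run(["--global", "--add-method=m3"]))
    # Neither --user nor --global: the command would prompt.
    print(run([]))
```

The point the model makes concrete is the footgun of replace semantics: a caller who types `--method=otp` intending to enable one more method silently removes every other method on the entry, which is why the incremental `--add-method`/`--del-method` options matter, and why `--user` and `--global` are mutually exclusive rather than defaulting to the global entry.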