When bug 1283 is solved, we will have reduced our three authentications to just two. It would be nice if we could take the final step and get down to just a single authentication. This has a number of benefits:
- Client doesn't have to cache any information (passphrase, second reply, more things in the future)
- Backend systems that count logins will work. (e.g. grace logins in eDirectory)
- No need for a token caching server when using OTP
- Smart card readers with pin pad won't have to ask for the pin twice.
To solve this we have to make the agent check with the server if the user is authenticated somehow. One solution is to have the vsmserver give the client a temporary password to be used on the agent. The agent could then be set up to talk to a RADIUS server inside vsmagent.
A BSD licensed Python RADIUS server can be found here:
To clarify, the RADIUS server would be in vsmserver and the client would be pam_radius on the agents.
This is causing problems again with OTP setups. Specifically, Nordic Edge has a hack for ThinLinc but it only works for OTP:s generated by their server, not things like OATH (Yubikey). Disabled the OTP caching in the client for this customer so things can work (although they have to enter two OTPs).
Duplicate of bug 1771?
Duplicate of bug 121?
*** Bug 121 has been marked as a duplicate of this bug. ***
*** Bug 1771 has been marked as a duplicate of this bug. ***
This also causes problems when using smart cards with pin pads, as we cannot cache the pin there and hide the second input from the user. See bug 3349.
Another option could perhaps be to issue a temporary SSH key for the client to use in the second step. There are various restrictions that could be placed on the key, most prominently "expiry-time". We could also use the "AuthorizedKeysCommand" setting if we want to avoid having to manipulate users' authorized_keys files.
Actually, you can specify multiple authorized_keys. So we could also solve it by having a second one in some protected directory.