So, there's a lot of data here and info to process. ;)

Some things (in no particular order):

I think we have the following groups to consider:

1. Sysadmin-main folks who can sudo and log in to everything. (small, ~10-20)
2. Sysadmin* folks who can log in to some things and sudo on some things (a number of small groups, total ~120ish).
3. packagers (larger group, ~1100ish).
4. cla+1group, fedorapeople, etc (larger yet, ~2500).
5. web application users (testers, election voters, account sys, mirrormanager). (larger group still)

I think the amount of hassle people will put up with increases as we go down the list, but also the amount of sensitive access decreases. I'm not sure we will have much luck pushing things down past the first few groups unless we make it VERY easy to use and manage and make sure there are no costs.

I think some groups will see advantages in yubikey and others in a smartphone app. If you already have a smartphone, it's natural to want to just keep using that. If you don't, you may be interested in the more modest cost of the yubikey, etc.

Does the yubikey OATH mode work with linotp/googleauth? From what I can see it should. So, perhaps we can support both?

I'm a bit leery of linotp having a 'community' and 'enterprise' edition, and some of the features in the enterprise we would need to re-implement. Also, it's not packaged at all yet that I can see.

On the other hand, google-authenticator doesn't have any server ability yet. ;(

I did notice this stalled review: https://bugzilla.redhat.com/show_bug.cgi?id=538327 for otpd that might be worth looking at.

Ideally, I'd love to see a solution like the duo-security one, but of course open source and where we run all the parts of it (not a 3rd party).

I sure wonder if other open source groups would be interested in getting something together, since I think a lot of them have similar groups to handle.

kevin
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure