On Tue, Oct 18, 2011 at 12:35:52AM -0400, seth vidal wrote:
> On Mon, 2011-10-17 at 16:54 -0600, Kevin Fenzi wrote:
> > So, there's a lot of data here and info to process. ;)
> >
> > Some things (in no particular order):
> >
> > I think we have the following groups to consider:
> >
> > 1. Sysadmin-main folks who can sudo and login to everything.
> > (small. ~10-20)
> > 2. Sysadmin* folks who can login to some things and sudo on some things
> > (a number of small groups, total ~120ish ).
> > 3. packagers ( larger group, ~1100 ish).
> > 4. cla+1group, fedorapeople, etc (larger yet, ~2500).
> > 5. web application users (testers, election voters, account sys,
> > mirrormanager). ( larger group still)
> >
> > I think the amount of hassle people will put up with increases as we go
> > down the list, but also the amount of sensitive access decreases. I'm
> > not sure we will have much luck pushing things down past the first few
> > groups unless we make it VERY easy to use and manage and make sure
> > there are no costs.
>
> I agree with that assessment except I think you meant 'decreases' not
> increases in the first clause of your paragraph above.
>
> >
> > Does the yubikey OATH mode work with linotp/googleauth?
> > From what I can see it should. So, perhaps we can support both?
>
> I think it should be possible - it will require some effort. Also it
> will increase the complexity of what we have to support.
>
Note that yubikey supports HOTP whereas google-authenticator is doing TOTP.
That may make these a bit less generic than just plugging them both in.
However, if we're coding the backend authenticator, then we probably can
make it process both types.

-Toshio
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
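
The HOTP/TOTP distinction raised in the message above, as an added example that is not part of the original thread or of any Fedora, LinOTP or Yubico code: a backend verifier can handle both token types because TOTP (RFC 6238) is HOTP (RFC 4226) with the counter derived from the clock, so only the per-token state differs. The token record layout, the look-ahead and skew defaults, and the function names are assumptions for illustration; the secret is the RFC 4226 test-vector value.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 test vectors; sample value, not a real token.
RFC_SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _same(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def verify_hotp(secret, code, counter, look_ahead=5):
    """Event-based token: scan a small window ahead of the stored counter.
    Returns the next counter to store, or None. Never moves backwards."""
    for c in range(counter, counter + look_ahead + 1):
        if _same(hotp(secret, c), code):
            return c + 1
    return None

def verify_totp(secret, code, now, last_step=-1, step=30, skew=1):
    """Time-based token (RFC 6238): the counter is floor(now / step).
    Returns the matched time step, or None. Steps <= last_step are replays."""
    current = int(now) // step
    for s in range(current - skew, current + skew + 1):
        if s > last_step and _same(hotp(secret, s), code):
            return s
    return None

def verify(token, code, now):
    """Dispatch on token type and persist the new state on success.
    `token` is a hypothetical record: type, secret, and counter or last_step."""
    if token["type"] == "hotp":
        state, key = verify_hotp(token["secret"], code, token["counter"]), "counter"
    elif token["type"] == "totp":
        state, key = verify_totp(token["secret"], code, now, token["last_step"]), "last_step"
    else:
        raise ValueError("unknown token type")
    if state is None:
        return False
    token[key] = state
    return True
```

The HOTP path has to store a counter per token and tolerate button presses the server never saw, while the TOTP path needs only a synchronized clock and the last accepted time step to reject replays inside the skew window.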