On Fri, Jul 24, 2015 at 10:27 AM, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:
> On Fri, Jul 24, 2015 at 09:40:53AM -0600, Chris Murphy wrote:
>> > would it be reasonable to expect the sort of user that wants to use
>> > SSH to be able to set that up?
>> No. PKA is an esoteric skill, and you're confused by thinking it's a
>> basic one.
>
> We could set up two-factor authentication with FreeOTP.
> Have the dialog provide a QR code for
>
> a) https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=en
> https://itunes.apple.com/us/app/freeotp-authenticator/id872559395?mt=8
>
> and then also a token. Leave the users' password as six letters or
> whatever, but also require this for SSH.
>
> Still a little esoteric, but provisioning is easier, and people are
> getting more used to it in general, hopefully. And as a bonus, this
> jumps us up to level 3 identity assurance, I believe.

OK, but still not by default. Not everyone has a smart phone. And mine
runs into this FreeOTP bug:
https://fedorahosted.org/freeotp/ticket/52

This stuff has to be opt in, not opt out.

Chris Murphy