Hi, all:
I released a new version of totpcgi today, which adds support for token reprovisioning. It's a most commonly requested feature and supports issuing a new token if you still have access to either your old device, or to the scratch codes.
I've only really tested it with file-based backend, and since I know Fedora uses db-based backend, it would be good to test it out, too. I just completed "fedpkg update" for it, so it should be showing up in epel-testing soon.
I'll be happy to answer any questions or help troubleshoot anything. There are no changes to the core totp cgi that should affect the custom ubikey stuff we put in last year, but buyer beware and test! :)
Best,
On Fri, 20 Sep 2013 15:21:31 -0400 Konstantin Ryabitsev icon@fedoraproject.org wrote:
> Hi, all:
> I released a new version of totpcgi today, which adds support for token reprovisioning. It's a most commonly requested feature and supports issuing a new token if you still have access to either your old device, or to the scratch codes.
Cool.
Is it configurable to enable? Or just always enabled?
> I've only really tested it with file-based backend, and since I know Fedora uses db-based backend, it would be good to test it out, too. I just completed "fedpkg update" for it, so it should be showing up in epel-testing soon.
> I'll be happy to answer any questions or help troubleshoot anything. There are no changes to the core totp cgi that should affect the custom ubikey stuff we put in last year, but buyer beware and test! :)
ok. We can test in stg soon. Thanks for the heads up.
kevin
On Mon, Sep 23, 2013 at 12:01 PM, Kevin Fenzi kevin@scrye.com wrote:
>> I released a new version of totpcgi today, which adds support for token reprovisioning. It's a most commonly requested feature and supports issuing a new token if you still have access to either your old device, or to the scratch codes.
> Cool.
> Is it configurable to enable? Or just always enabled?
It's always enabled. Since it requires having the old device in possession in order to re-issue the token, it should be pretty safe and removes the admin's involvement for things like switching devices (which happens all the time).
Best,
infrastructure@lists.fedoraproject.org