On 07/08/2015 07:37 AM, Simo Sorce wrote:
> On Wed, 2015-07-08 at 13:24 +0200, Michael Ströder wrote:
>> Sumit Bose wrote:
>>> On Tue, Jul 07, 2015 at 01:54:12PM +0200, Michael Ströder wrote:
>>>> Was this tested in scenarios when using clusterssh or similar?
>>> No, I'm not sure how clusterssh should work with OTP at all.
>> I plan to implement short-time HOTP validation caching (few seconds).
> That defeats the point of using an OTP ...
>> Also with TOTP requests with the same OTP can be validated within a certain
>> time-frame.
> Only on non-compliant servers, in theory servers should track if a TOTP
> has been used and refuse a second authentication with the same code. In
> practice this may not be enforced in some implementations.
> Simo.
Logging to a farm with OTP is a problem as old as OTP itself.
Kerberos SSO is the way to go in this case.
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.