Mailing List Archive

OTP/2-factor authentication
I did some searching, and I'm pretty sure I already know the answer, but has anyone had any success with rancid and 2-factor authentication such as OKTA (time-based OTP)?

Any workarounds?

Thanks,
Wayne

Re: OTP/2-factor authentication
Tue, Feb 20, 2018 at 09:34:32PM +0000, Wayne Eisenberg:
> I did some searching, and I'm pretty sure I already know the answer, but has anyone had any success with rancid and 2-factor authentication such as OKTA (time-based OTP)?
>
> Any workarounds?

how would it work? I'm probably being dense on the subject, but it seems
like an obstacle to automation. Happy to receive a cluebyfour.

it seems that such security goals can be achieved by aaa authorization
(ie: read-only) and password expiration in aaa authentication.

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@shrubbery.net
http://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: OTP/2-factor authentication
I believe you are correct. It happens when certain people insist on a policy that requires the only way to connect is via 2-factor and don't make any accommodation for things like this or the need to be able to script a large rollout of a change, etc.

Thanks.

Re: OTP/2-factor authentication
Wed, Feb 21, 2018 at 08:27:14PM +0000, Wayne Eisenberg:
> I believe you are correct. It happens when certain people insist on a policy that requires the only way to connect is via 2-factor and don't make any accommodation for things like this or the need to be able to script a large rollout of a change, etc.
>
> Thanks.

ie: management

a thought is that an oauth2-like system might work - but that's just another
form of password expiration.

Re: OTP/2-factor authentication
'heasley' wrote:
> Wed, Feb 21, 2018 at 08:27:14PM +0000, Wayne Eisenberg:
>> I believe you are correct. It happens when certain people insist on a policy that requires the only way to connect is via 2-factor and don't make any accommodation for things like this or the need to be able to script a large rollout of a change, etc.
>>
>> Thanks.
>
> ie: management
>
> a thought is that an oauth2-like system might work - but thats just another
> form of password expiration.

I've seen companies get around some of this by requiring the 2-factor to
get into a bastion host where the scripts are run from (and/or rancid).
Not ideal but a work-around.
