Subject: s/key and -current
To: None <current-users@sun-lamp.cs.berkeley.edu>
From: Thor Lancelot Simon <tls@panix.com>
List: current-users
Date: 05/20/1994 02:44:21
Ty Sarna writes:
>With these patches you can enter "s/key" at a {su,login} Password:
>prompt and then be prompted for a s/key one-time password, or if you're
>on a secure login you can just enter your regular password.

I don't think this is the right way to do things.  Why not just have
/bin/login prompt for an s/key if you have one, and likewise for su?

Actually, why keep the old NetBSD /bin/login hanging around, s/key patches or
no?  Wietse's login package which comes with s/key is much nicer and has many
new security features, like a login.access file.

Besides which, two of us here have been over the code with a nervous eye to
security; it's a bit longer than the old /bin/login but it is most assuredly
clean.
 
>I'd be willing to do a port of s/key to NetBSD for proper integration if
>the core team is agreeable...  I think that would be a Really Really

I have a fully working (except that I told it that NetBSD used the wrong kind
of rlogind) port of s/key 1.1b, plus a few local enhancements, for 0.9 or
-current.  Gimme a day or so to clean it up if you want it, and everyone's
more than welcome.

>Good Thing, what with the recent spate of password snooping.

I still really, really hope that access to the master -current tree is
controlled by one-time passwords somehow.  I still don't know if it is or not,
but when it's so _easy_ to install and run s/key, I can't see any reason why
everyone in the known universe oughtn't be using it -- operating system
developers in particular.

------------------------------------------------------------------------------