#11828: Look into using one-time-passwords as secondary authentication method for baron
-------------------------+----------------------------
   Reporter:  zooey      |      Owner:  haiku-sysadmin
       Type:  task       |     Status:  new
   Priority:  normal     |  Milestone:
  Component:  Sys-Admin  |    Version:
 Resolution:             |   Keywords:
 Blocked By:             |   Blocking:
Has a Patch:  0          |   Platform:  All
-------------------------+----------------------------

Comment (by Centinel):

 Since sudo provides a subset of {{{su -l}}}'s functionality, it seems ineffective to limit a part and not the whole. Then again, I'm not a security expert, so take that as a layman's opinion.

 It's really a matter of security versus convenience. If you wanted to focus on security, you could leave OpenSUSE's default sudo behavior in place and create an OTP seed specific to the root user. That way, users who wanted to {{{sudo}}} or {{{su -l}}} would be required to enter an OTP specific to the root account. It obviously wouldn't make sudo as secure as requiring user passwords and user-specific OTPs, but it would plug the security hole coming from su -l unprotected.

 On the other hand, I am compelled to admit that restricting sudo is better than nothing.

--
Ticket URL: <https://dev.haiku-os.org/ticket/11828#comment:24>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.