Enroll SSH token and PIN min/max length

Question
#1

Hi,

I’ve created a user policy when enrolling or changing a PIN to have a
minimum length of 6 and maximum length of 12. The policy has:

{ “assign”: true, “auditlog”: true, “delete”: true, “disable”: true,
“enable”: true, “enrollHOTP”: true, “enrollSPASS”: true,
“otp_pin_contents”: “cns”, “otp_pin_maxlength”: “12”,
“otp_pin_minlength”: “6”, “reset”: true, “resync”: true, “setpin”: true,
“unassign”: true, “updateuser”: true }

This is what I want for my Yubikey and OTP-Tokens via FreeOTP etc.

Now I’m deploying SSH keys for my user and I need to enter a PIN with 6
to 12 characters. For SSH keys I don’t see a need to have a PIN. I’ve
tried to create a second user policy, but that policy gives me the
message
There are conflicting opt_pin_minlength definitions!

This is the policy:
{ “enrollSSHKEY”: true, “otp_pin_maxlength”: “0”, “otp_pin_minlength”:
“0” }

An admin user can enroll the SSHkey without a PIN. Is there a way to
achieve that for a regular user too?

Is there a reason to have a PIN on an SSH key?

Jochen–
The only problem with troubleshooting is that the trouble shoots back.

#2

Hi Jochen,

no, there is no reason for a PIN on the ssh key.
The PIN was not removed, since removing the PIN would cost additional
code.

I think there are at least two possibilities:

  1. remove PIN from ssh key.
    A token type might have the flag if it uses a pin or not.
    if it does not use a token, the pin should not be required.

  2. The policy for pin quality could contain the token type.
    I though about adding the token type to policies earlier.
    But this is not always quite clear and simple. In certain cases
    the type of the token is not known. What should happen then…

If you like to, you can add an issue on github.
I think we should start with version 1.

Kind regards
CorneliusAm Mittwoch, den 16.09.2015, 20:52 +0200 schrieb Jochen Hein:

Hi,

I’ve created a user policy when enrolling or changing a PIN to have a
minimum length of 6 and maximum length of 12. The policy has:

{ “assign”: true, “auditlog”: true, “delete”: true, “disable”: true,
“enable”: true, “enrollHOTP”: true, “enrollSPASS”: true,
“otp_pin_contents”: “cns”, “otp_pin_maxlength”: “12”,
“otp_pin_minlength”: “6”, “reset”: true, “resync”: true, “setpin”: true,
“unassign”: true, “updateuser”: true }

This is what I want for my Yubikey and OTP-Tokens via FreeOTP etc.

Now I’m deploying SSH keys for my user and I need to enter a PIN with 6
to 12 characters. For SSH keys I don’t see a need to have a PIN. I’ve
tried to create a second user policy, but that policy gives me the
message
There are conflicting opt_pin_minlength definitions!

This is the policy:
{ “enrollSSHKEY”: true, “otp_pin_maxlength”: “0”, “otp_pin_minlength”:
“0” }

An admin user can enroll the SSHkey without a PIN. Is there a way to
achieve that for a regular user too?

Is there a reason to have a PIN on an SSH key?

Jochen


The only problem with troubleshooting is that the trouble shoots back.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

#3

Hi,

I created an issue for this to be fixed in 2.7

Kind regards
CorneliusAm Mittwoch, den 16.09.2015, 21:59 +0200 schrieb Cornelius Kölbel:

Hi Jochen,

no, there is no reason for a PIN on the ssh key.
The PIN was not removed, since removing the PIN would cost additional
code.

I think there are at least two possibilities:

  1. remove PIN from ssh key.
    A token type might have the flag if it uses a pin or not.
    if it does not use a token, the pin should not be required.

  2. The policy for pin quality could contain the token type.
    I though about adding the token type to policies earlier.
    But this is not always quite clear and simple. In certain cases
    the type of the token is not known. What should happen then…

If you like to, you can add an issue on github.
I think we should start with version 1.

Kind regards
Cornelius

Am Mittwoch, den 16.09.2015, 20:52 +0200 schrieb Jochen Hein:

Hi,

I’ve created a user policy when enrolling or changing a PIN to have a
minimum length of 6 and maximum length of 12. The policy has:

{ “assign”: true, “auditlog”: true, “delete”: true, “disable”: true,
“enable”: true, “enrollHOTP”: true, “enrollSPASS”: true,
“otp_pin_contents”: “cns”, “otp_pin_maxlength”: “12”,
“otp_pin_minlength”: “6”, “reset”: true, “resync”: true, “setpin”: true,
“unassign”: true, “updateuser”: true }

This is what I want for my Yubikey and OTP-Tokens via FreeOTP etc.

Now I’m deploying SSH keys for my user and I need to enter a PIN with 6
to 12 characters. For SSH keys I don’t see a need to have a PIN. I’ve
tried to create a second user policy, but that policy gives me the
message
There are conflicting opt_pin_minlength definitions!

This is the policy:
{ “enrollSSHKEY”: true, “otp_pin_maxlength”: “0”, “otp_pin_minlength”:
“0” }

An admin user can enroll the SSHkey without a PIN. Is there a way to
achieve that for a regular user too?

Is there a reason to have a PIN on an SSH key?

Jochen


The only problem with troubleshooting is that the trouble shoots back.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)