On Thu, Jul 18, 2019 at 01:37:11PM -0700, Quanah Gibson-Mount wrote:
> This should be a configuration item that is an integer value of the number of seconds to allow outside of the timeslice, with 0 meaning only the default time slice is allowed. Allowing people to authenticate outside of the time slice is of course a security issue and should not be allowed by default (so the default value of the parameter should be 0).
I don't disagree, but by that logic so should the actual size of the time window, the number of digits, etc. I saw a lot of these parameters were hard-coded in this module and proceeded in kind. I wasn't really trying to recreate the full functionality of the OpenLDAP Gold implementation[1].
Would a default-off ifdef to activate that code block work for this? I did intentionally keep that part of the change self-contained, so it wouldn't be hard to add that...
[1] https://symas.com/two-factor-authentication-everywhere
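As an added illustration of the semantics discussed above (this is example code, not the patch under review nor OpenLDAP's own implementation), the snippet below bounds the accepted TOTP slices by a tolerance given in seconds, where 0 accepts only the current slice. The 30-second step, 6/8-digit lengths and the RFC 6238 test secret are assumptions.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, binary % (10 ** digits))


def accepted_counters(now, step=30, tolerance=0):
    """Counters of every time slice that lies within `tolerance` seconds of `now`.

    tolerance=0 yields only the current slice; tolerance=N also admits any
    neighbouring slice whose boundary is at most N seconds away from `now`.
    Each extra slice is one more code an attacker may guess against.
    """
    low = (now - tolerance) // step
    high = (now + tolerance) // step
    return list(range(low, high + 1))


def verify_totp(secret, code, now, step=30, tolerance=0, digits=6):
    """Return the matching counter, or None. Constant-time compare per candidate.

    A real verifier must also record the returned counter so the same code
    cannot be replayed within the accepted window.
    """
    for counter in accepted_counters(now, step, tolerance):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# Constructed demo values: the RFC 6238 SHA-1 test secret.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # At T=59 the current slice is counter 1; one second later it is counter 2.
    print(verify_totp(TEST_SECRET, "287082", now=59, tolerance=0))   # 1
    print(verify_totp(TEST_SECRET, "287082", now=60, tolerance=0))   # None
    print(verify_totp(TEST_SECRET, "287082", now=60, tolerance=1))   # 1
```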