https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786 --- Comment #60 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Jonathan Druart from comment #58)
[2] The randomizer (which we should not use) depends on Math::Random::MT. This module says: This algorithm has a very uniform distribution and is good for modelling purposes but do not use it for cryptography. As long as we pass our own stronger secrets, no worries. See [1].
Sorry, you lost me here. Which randomizer module?
See Auth::GoogleAuth: use Math::Random::MT 'rand'; sub generate_secret32 [...] return $self->secret32( join( '', @chars[ map { rand( scalar(@chars) ) } 1 .. 16 ] ) ); Please reread earlier comment.
[3] Martin refers earlier to Authen::OATH. I follow him there, but no blocker.
Why? Did you see my answer on comment 23? On the other hand if we do not longer use the QR code generator from Auth::GoogleAuth there is no bad reason to not switch. But what are your good reasons to switch then? :)
Martin mentions them already. I could only add: the fact that it potentially exposes the secret in a GET parameter, could be reason enough?
[5] This one I did not yet fully tackle. But I have the impression that we have an issue in C4/Auth now. A few times already I had to login twice. This MIGHT be a blocker. Needs still investigation.
Hum, I didn't experience it.
I will be testing it still a bit. Will report later. -- You are receiving this mail because: You are watching all bug changes.