Andrew, that does sound better, but unfortunately that was more than I could really ask of the remote admin.
This sounds like it could be implemented as an external authentication method in acs-authentication, if it isn't already.
It isn't, but I'm looking at doing so.