[Dovecot] using one-time passwords
Johannes Berg
johannes at sipsolutions.de
Thu May 13 20:16:34 EEST 2004
Hi,
Is there any way to use something like OPIE (one-time passwords in
everything, S/KEY) with dovecot?
Here's what I want to do ultimately:
* have an AUTH=XYZ method that relies on S/KEY as provided by the
libpam-opie module (well, maybe not through pam)
* have dovecot advertise authentication as follows:
- local : PLAIN, XYZ
- remote (encrypted) : EXTERNAL, and rely on certificate
- remote (unencrypted): XYZ
Thats the dovecot part. Then I would modify squirrelmail to
a) negotiate PLAIN with an authorized web client certificate
b) negotiate XYZ when without SSL or SSL without a valid certificate
This way I could check my mail even from computers that I don't trust at
all to not do key-logging, since I can have an S/KEY generator on my
cell-phone.
Does this sound feasible? I see the following advantages:
* allows checking of webmail on the road, on untrusted computers,
giving out only whatever you decide to look at
* allows checking of mail via unencrypted IMAP, relying on one-time
passwords so giving an attacker only whatever he can look at while
your session is active (assuming he can't insert anything into the
tcp stream...)
* is otherwise encrypted, and then doesn't force using one-time keys
which may be somewhat a hassle to generate.
johannes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20040513/f7477224/attachment.pgp
More information about the dovecot
mailing list