[Dovecot] using one-time passwords
Timo Sirainen
tss at iki.fi
Mon May 17 03:24:51 EEST 2004
On Thu, 2004-05-13 at 20:16, Johannes Berg wrote:
> Hi,
>
> Is there any way to use something like OPIE (one-time passwords in
> everything, S/KEY) with dovecot?
>
> Here's what I want to do ultimately:
> * have an AUTH=XYZ method that relies on S/KEY as provided by the
> libpam-opie module (well, maybe not through pam)
I didn't really understand how libpam-opie works. Does it require some
special client or how does it tell the seed/sequence? Or doesn't it?
But sure, Cyrus SASL has AUTH=OTP mechanism, we could be compatible with
that. Want to write it? :) Shouldn't be hard to plug into Dovecot, I
just don't really have time right now.
The OTP-data could be stored in same way as
PASSDB_CREDENTIALS_DIGEST_MD5. Except the code doesn't currently allow
multiple credentials per user, it only uses the beginning of the
password field to specify the password type, eg. "{PLAIN}password",
"{DIGEST-MD5}digest-md5-credentials", etc. I guess I should do something
about that..
> * have dovecot advertise authentication as follows:
> - local : PLAIN, XYZ
> - remote (encrypted) : EXTERNAL, and rely on certificate
> - remote (unencrypted): XYZ
>
> Thats the dovecot part. Then I would modify squirrelmail to
> a) negotiate PLAIN with an authorized web client certificate
> b) negotiate XYZ when without SSL or SSL without a valid certificate
1.0-test9 supports "ssl_verify_client_cert" option, but then it always
requires it .. hmm. maybe with it enabled the configuration could
support something like:
auth default {
mechanisms = plain
..
ssl_require_client_cert = yes
}
auth otp {
mechanisms = otp
..
ssl_require_client_cert = no
}
Yes, that looks good, I'll implement that.
> Does this sound feasible? I see the following advantages:
> * allows checking of webmail on the road, on untrusted computers,
> giving out only whatever you decide to look at
One problem is that it also gives the possibility to modify the mailbox
which isn't very good. From my TODO:
- support read-only logins. user could with alternative password get only
read-access to mails so mails could be read relatively safely with
untrusted computers. Maybe always send [ALERT] about the previous
read-only login time with IP?
Maybe flag changes would be allowed (but not \Deleted). Anyway, this
could be configurable as well (append :READONLY to default_mail_env).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20040517/2477e47f/attachment.pgp
More information about the dovecot
mailing list