[Dovecot] using one-time passwords

Timo Sirainen tss at iki.fi
Mon May 17 03:24:51 EEST 2004


On Thu, 2004-05-13 at 20:16, Johannes Berg wrote:
> Hi,
> 
> Is there any way to use something like OPIE (one-time passwords in
> everything, S/KEY) with dovecot?
> 
> Here's what I want to do ultimately:
>  * have an AUTH=XYZ method that relies on S/KEY as provided by the
>    libpam-opie module (well, maybe not through pam)

I didn't really understand how libpam-opie works. Does it require some
special client or how does it tell the seed/sequence? Or doesn't it?

But sure, Cyrus SASL has AUTH=OTP mechanism, we could be compatible with
that. Want to write it? :) Shouldn't be hard to plug into Dovecot, I
just don't really have time right now.

The OTP-data could be stored in same way as
PASSDB_CREDENTIALS_DIGEST_MD5. Except the code doesn't currently allow
multiple credentials per user, it only uses the beginning of the
password field to specify the password type, eg. "{PLAIN}password",
"{DIGEST-MD5}digest-md5-credentials", etc. I guess I should do something
about that..

>  * have dovecot advertise authentication as follows:
>    - local               : PLAIN, XYZ
>    - remote (encrypted)  : EXTERNAL, and rely on certificate
>    - remote (unencrypted): XYZ
> 
> Thats the dovecot part. Then I would modify squirrelmail to
>   a) negotiate PLAIN with an authorized web client certificate
>   b) negotiate XYZ when without SSL or SSL without a valid certificate

1.0-test9 supports "ssl_verify_client_cert" option, but then it always
requires it .. hmm. maybe with it enabled the configuration could
support something like:

auth default {
  mechanisms = plain
  ..
  ssl_require_client_cert = yes
}

auth otp {
  mechanisms = otp
  ..
  ssl_require_client_cert = no
}

Yes, that looks good, I'll implement that.

> Does this sound feasible? I see the following advantages:
>  * allows checking of webmail on the road, on untrusted computers, 
>    giving out only whatever you decide to look at

One problem is that it also gives the possibility to modify the mailbox
which isn't very good. From my TODO:

 - support read-only logins. user could with alternative password get only
   read-access to mails so mails could be read relatively safely with
   untrusted computers. Maybe always send [ALERT] about the previous
   read-only login time with IP?

Maybe flag changes would be allowed (but not \Deleted). Anyway, this
could be configurable as well (append :READONLY to default_mail_env).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20040517/2477e47f/attachment.pgp


More information about the dovecot mailing list