[Dovecot] using one-time passwords

Johannes Berg johannes at sipsolutions.de
Mon May 17 06:44:54 EEST 2004


On Mon, 2004-05-17 at 02:24, Timo Sirainen wrote:
> I didn't really understand how libpam-opie works. Does it require some
> special client or how does it tell the seed/sequence? Or doesn't it?

For setting the password, it tells you the seed/sequence (will refer to
that as s/s for now). You then calculate md5^sequence(key) (apply md5
sequence times) and give that to the server. It stores it, and lets you
log in the next time if you can give it md5^(sequence-1)(key). If you
really want to know the gory details -> s/key in opie(4).
Opie uses this inside pam by just making the query string "opie: s/s"
(similar, not identical to that) instead of "Password:".

> But sure, Cyrus SASL has AUTH=OTP mechanism, we could be compatible with
> that. 

Would have to investigate that SASL mechanism.

> Want to write it? :) Shouldn't be hard to plug into Dovecot, I
> just don't really have time right now.

Sure.

> The OTP-data could be stored in same way as
> PASSDB_CREDENTIALS_DIGEST_MD5. Except the code doesn't currently allow
> multiple credentials per user, it only uses the beginning of the
> password field to specify the password type, eg. "{PLAIN}password",
> "{DIGEST-MD5}digest-md5-credentials", etc. I guess I should do something
> about that..

I don't think that matters. In opie, that could be:
{OTP}sequence seed md5 date
or something. You really only need to store one tuple of data per user.

> 1.0-test9 supports "ssl_verify_client_cert" option, but then it always
> requires it .. 

Yeah, I've seen that...

> hmm. maybe with it enabled the configuration could
> support something like:
> 
> auth default {
>   mechanisms = plain
>   ..
>   ssl_require_client_cert = yes
> }
> 
> auth otp {
>   mechanisms = otp
>   ..
>   ssl_require_client_cert = no
> }
> 
> Yes, that looks good, I'll implement that.

but that looks perfect :-)

> One problem is that it also gives the possibility to modify the mailbox
> which isn't very good. From my TODO:

Good point! Hadn't thought of that so far.

Thanks for your answer. I'll be looking at SASL OTP, and dovecot source.

johannes
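The chain described above (server stores md5^sequence(key), the next login must present md5^(sequence-1)(key), the server hashes the response once, compares, and keeps the response as the new stored link), together with the "{OTP}sequence seed md5" storage field proposed in the thread, as an added example. This is not Dovecot, OPIE or Cyrus SASL code. It simplifies real S/KEY/OPIE in two labelled ways: each step is a full MD5 (RFC 2289 folds every digest to 64 bits and encodes responses as six words), and the challenge string format "otp-md5 <n> <seed>" is an assumption for the example.

```python
"""S/KEY / OPIE-style one-time passwords as a hash chain.

Added example, not Dovecot or OPIE code. Simplifications, marked below:
plain MD5 per step (no RFC 2289 64-bit folding, no six-word encoding) and
an assumed challenge string format."""
import hashlib
import hmac


def md5_step(data: bytes) -> bytes:
    """One link of the chain. Real OPIE folds each digest to 64 bits
    (RFC 2289); this example keeps the full 16-byte MD5 output."""
    return hashlib.md5(data).digest()


def otp_chain(secret: str, seed: str, sequence: int) -> bytes:
    """md5^sequence(seed || secret): apply md5_step `sequence` times."""
    value = (seed.lower() + secret).encode()
    for _ in range(sequence):
        value = md5_step(value)
    return value


def client_response(secret: str, challenge: str) -> bytes:
    """Client side: parse 'otp-md5 <n> <seed>' (assumed format) and answer
    with md5^n(seed || secret). The secret never leaves the client."""
    algo, n, seed = challenge.split()
    if algo != "otp-md5":
        raise ValueError("unsupported OTP algorithm: " + algo)
    return otp_chain(secret, seed, int(n))


class OtpPassdb:
    """Server side. One (sequence, seed, hash) tuple per user, serialised
    as '{OTP}sequence seed hexhash' in the style proposed in the thread."""

    def __init__(self) -> None:
        self._db: dict[str, tuple[int, str, bytes]] = {}

    def enrol(self, user: str, secret: str, seed: str, sequence: int) -> None:
        """Store md5^sequence(seed || secret); the secret itself is never stored."""
        self._db[user] = (sequence, seed, otp_chain(secret, seed, sequence))

    def challenge(self, user: str) -> str:
        """Ask for the previous link. Refuse once only one link remains:
        md5^0 would be the raw seed+secret, so the user must re-enrol."""
        sequence, seed, _ = self._db[user]
        if sequence <= 1:
            raise RuntimeError("OTP sequence exhausted, re-enrol " + user)
        return f"otp-md5 {sequence - 1} {seed}"

    def verify(self, user: str, response: bytes) -> bool:
        """Accept iff md5(response) == stored hash, then move the stored link
        back by one so the same response is never accepted again (no replay)."""
        sequence, seed, stored = self._db[user]
        if sequence <= 1:
            return False
        if not hmac.compare_digest(md5_step(response), stored):
            return False
        self._db[user] = (sequence - 1, seed, response)
        return True

    def passdb_field(self, user: str) -> str:
        """Serialise as the '{OTP}sequence seed md5' field from the thread."""
        sequence, seed, stored = self._db[user]
        return f"{{OTP}}{sequence} {seed} {stored.hex()}"

    def load_field(self, user: str, field: str) -> None:
        """Inverse of passdb_field; rejects fields of another credential type."""
        if not field.startswith("{OTP}"):
            raise ValueError("not an OTP credential: " + field)
        sequence, seed, hexhash = field[len("{OTP}"):].split()
        self._db[user] = (int(sequence), seed, bytes.fromhex(hexhash))


def demo() -> dict:
    """Enrolment, two logins, a replayed response, a wrong secret, and a
    round trip through the text field. All data here is constructed."""
    db = OtpPassdb()
    db.enrol("johannes", "correct horse", "ke1234", 100)
    results = {}
    resp1 = client_response("correct horse", db.challenge("johannes"))
    results["login1"] = db.verify("johannes", resp1)   # stored link is now md5^99
    results["replay"] = db.verify("johannes", resp1)   # md5^100 != md5^99: rejected
    results["wrong"] = db.verify(
        "johannes", client_response("wrong secret", db.challenge("johannes")))
    resp2 = client_response("correct horse", db.challenge("johannes"))
    results["login2"] = db.verify("johannes", resp2)   # stored link is now md5^98
    results["field"] = db.passdb_field("johannes")
    db2 = OtpPassdb()
    db2.load_field("johannes", results["field"])
    results["after_reload"] = db2.verify(
        "johannes", client_response("correct horse", db2.challenge("johannes")))
    return results
```

Two points the exchange above turns on are visible here: the server never holds anything from which the next valid response can be computed (only the hash of it), and verify() must atomically replace the stored link on success, otherwise a captured response stays valid until the next login.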