[Dovecot] using one-time passwords
Johannes Berg
johannes at sipsolutions.de
Mon May 17 06:44:54 EEST 2004
On Mon, 2004-05-17 at 02:24, Timo Sirainen wrote:
> I didn't really understand how libpam-opie works. Does it require some
> special client or how does it tell the seed/sequence? Or doesn't it?
For setting the password, it tells you the seed/sequence (will refer to
that as s/s for now). You then calculate md5^sequence(key) (apply md5
sequence times) and give that to the server. It stores it, and lets you
log in the next time if you can give it md5^(sequence-1)(key). If you
really want to know the gory details -> s/key in opie(4).
Opie uses this inside pam by just making the query string "opie: s/s"
(similar, not identical to that) instead of "Password:".
> But sure, Cyrus SASL has AUTH=OTP mechanism, we could be compatible with
> that.
Would have to investigate that SASL mechanism.
> Want to write it? :) Shouldn't be hard to plug into Dovecot, I
> just don't really have time right now.
Sure.
> The OTP-data could be stored in same way as
> PASSDB_CREDENTIALS_DIGEST_MD5. Except the code doesn't currently allow
> multiple credentials per user, it only uses the beginning of the
> password field to specify the password type, eg. "{PLAIN}password",
> "{DIGEST-MD5}digest-md5-credentials", etc. I guess I should do something
> about that..
I don't think that matters. In opie, that could be:
{OTP}sequence seed md5 date
or something. You really only need to store one tuple of data per user.
> 1.0-test9 supports "ssl_verify_client_cert" option, but then it always
> requires it ..
Yeah, I've seen that...
> hmm. maybe with it enabled the configuration could
> support something like:
>
> auth default {
> mechanisms = plain
> ..
> ssl_require_client_cert = yes
> }
>
> auth otp {
> mechanisms = otp
> ..
> ssl_require_client_cert = no
> }
>
> Yes, that looks good, I'll implement that.
but that looks perfect :-)
> One problem is that it also gives the possibility to modify the mailbox
> which isn't very good. From my TODO:
Good point! Hadn't thought of that so far.
Thanks for your answer. I'll be looking at SASL OTP, and dovecot source.
johannes
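The S/Key-style hash chain described above (the server stores md5^sequence(key) and accepts a login only if the client can present md5^(sequence-1)(key), then replaces the stored value) as an added, self-contained example. This is not code from Dovecot, OPIE or the poster; it is a simplified illustration that hashes the full 128-bit MD5 digest rather than folding to 64 bits and encoding as six words the way real OPIE/S/Key does. The seed, passphrase and sequence number below are constructed sample values, and the `{OTP}sequence seed md5` credential layout follows the sketch in the message.

```python
import hashlib
import hmac


def hash_chain(start: bytes, n: int) -> bytes:
    """Return md5^n(start): apply MD5 to its own output n times."""
    h = start
    for _ in range(n):
        h = hashlib.md5(h).digest()
    return h


def client_response(passphrase: str, seed: str, count: int) -> bytes:
    """What the client sends for challenge count `count`: md5^count(seed || passphrase).
    The seed makes the same passphrase yield a different chain per server/enrolment."""
    return hash_chain((seed + passphrase).encode(), count)


class OtpServer:
    """Holds one (sequence, seed, stored-hash) tuple per user, as the message proposes."""

    def __init__(self, sequence: int, seed: str, stored: bytes):
        self.sequence = sequence  # count of the stored hash; next login must supply sequence-1
        self.seed = seed
        self.stored = stored

    def challenge(self) -> str:
        # Analogous to the "opie: s/s" query string that replaces "Password:".
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept iff md5(response) == stored; then step the chain down one link."""
        if self.sequence <= 1:
            return False  # chain exhausted: user must re-enrol with a fresh seed
        if not hmac.compare_digest(hashlib.md5(response).digest(), self.stored):
            return False
        # Ratchet: the accepted value becomes the new stored hash, so the same
        # response can never be accepted twice (md5(x) != x).
        self.stored = response
        self.sequence -= 1
        return True

    def credentials(self) -> str:
        """Serialised form in the style of the '{OTP}sequence seed md5' sketch."""
        return f"{{OTP}}{self.sequence} {self.seed} {self.stored.hex()}"


def enroll(passphrase: str, seed: str, sequence: int) -> OtpServer:
    """Enrolment: client computes md5^sequence(seed||passphrase), server stores it."""
    return OtpServer(sequence, seed, client_response(passphrase, seed, sequence))


def demo() -> dict:
    """Walk one enrolment, two logins, a replay and a wrong-passphrase attempt."""
    seed, passphrase = "ke1234", "correct horse"      # constructed sample values
    srv = enroll(passphrase, seed, 5)
    results = {"initial": srv.credentials()}

    # Login 1: server asks for count 4, client answers md5^4(...).
    count = int(srv.challenge().split()[1])
    first = client_response(passphrase, seed, count)
    results["login1"] = srv.verify(first)

    # Replaying the response just used must fail: stored is now md5^4, and md5(md5^4) != md5^4.
    results["replay"] = srv.verify(first)

    # A response derived from the wrong passphrase also fails.
    results["wrong_pass"] = srv.verify(client_response("wrong", seed, 3))

    # Login 2: count 3 is now expected.
    count = int(srv.challenge().split()[1])
    results["login2"] = srv.verify(client_response(passphrase, seed, count))
    results["sequence_after"] = srv.sequence
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points worth noting from a defender's side: the server never holds anything from which the next valid response can be computed (only the *next hash* of it), so a stolen credential file yields no usable one-time password, and the ratchet in `verify` is what makes each response single-use.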