[Dovecot] using one-time passwords

Timo Sirainen tss at iki.fi
Tue May 18 15:23:08 EEST 2004


On 17.5.2004, at 13:11, Johannes Berg wrote:

> Looking at the code I see that you support cyrus SASL, and cyrus SASL 
> in
> turn supports OTP even using the same database as OPIE uses.
> Would there be and disadvantage in simply using that?

Personally I have never liked Cyrus SASL. It's always been annoyingly 
difficult to configure to work like I wanted.

The code there to support it isn't actually working right now, but I 
guess it wouldn't be too difficult to fix it.

I guess there aren't any real disadvangates though.

> Alternatively,
> what about just libopie (the library behind opie-pam)?

That doesn't look very good code .. Looks like if it was possible for 
user to set wanted seed there would be several buffer overflows. But I 
guess normally it's not?

> Over all, its not
> hard to implement this in dovecot itself, but I'm not sure that would 
> be
> the best idea. What is your opinion on that?

The reason why I implemented my own authentication instead of just 
using Cyrus SASL was that I wanted to be sure there were not going to 
be any serious security holes. I could have just audited the code, make 
sure the found security holes were fixed (actually did both once), and 
then just use it. But that doesn't give any guarantees about it's 
future versions, I'd have to constantly keep auditing the new versions 
to make sure they hadn't added more bugs.

Anyway, it's OTP code didn't look bad. That would be the easiest way to 
get it working.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://dovecot.org/pipermail/dovecot/attachments/20040518/5e629b56/PGP.pgp


More information about the dovecot mailing list