[Dovecot] using one-time passwords

Johannes Berg johannes at sipsolutions.de
Thu May 13 20:16:34 EEST 2004


Is there any way to use something like OPIE (one-time passwords in
everything, S/KEY) with dovecot?

Here's what I want to do ultimately:
 * have an AUTH=XYZ method that relies on S/KEY as provided by the
   libpam-opie module (well, maybe not through pam)
 * have dovecot advertise authentication as follows:
   - local               : PLAIN, XYZ
   - remote (encrypted)  : EXTERNAL, and rely on certificate
   - remote (unencrypted): XYZ

That's the dovecot part. Then I would modify squirrelmail to
  a) negotiate PLAIN with an authorized web client certificate
  b) negotiate XYZ when without SSL or SSL without a valid certificate

This way I could check my mail even from computers that I don't trust at
all to not do key-logging, since I can have an S/KEY generator on my

Does this sound feasible? I see the following advantages:
 * allows checking of webmail on the road, on untrusted computers, 
   giving out only whatever you decide to look at
 * allows checking of mail via unencrypted IMAP, relying on one-time
   passwords so giving an attacker only whatever he can look at while
   your session is active (assuming he can't insert anything into the
   tcp stream...)
 * is otherwise encrypted, and then doesn't force using one-time keys
   which may be somewhat a hassle to generate.
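
Why a sniffed S/KEY response cannot be reused for a later login, as an added example that is not part of the original post or of Dovecot's code: a sketch of the server-side hash-chain check, modelled on the RFC 2289 OTP construction with MD5 folded to 64 bits. The class name, seed and pass phrase are constructed for illustration, and the code has not been checked for interoperability with OPIE.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """MD5 digest folded from 128 to 64 bits by XORing its two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Client side: one-time password for sequence number `count`."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value


class OtpAccount:
    """Server side (hypothetical class): keeps only the last accepted OTP."""

    def __init__(self, seed: str, count: int, last_otp: bytes):
        self.seed, self.count, self.last = seed, count, last_otp

    def challenge(self) -> str:
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False  # chain used up; the account must be re-initialised
        # One more hash step over the response must give the stored value.
        if not hmac.compare_digest(fold_md5(response), self.last):
            return False
        # Move down the chain, so the same response can never match again.
        self.last, self.count = response, self.count - 1
        return True


def demo() -> dict:
    secret, seed = "constructed pass phrase", "ke1234"  # constructed values
    account = OtpAccount(seed, 100, otp(secret, seed, 100))
    _, n, s = account.challenge().split()
    sniffed = otp(secret, s, int(n))       # what a key-logger would capture
    first = account.verify(sniffed)        # legitimate login
    replay = account.verify(sniffed)       # attacker replays the capture
    _, n, s = account.challenge().split()
    second = account.verify(otp(secret, s, int(n)))
    return {"first": first, "replay": replay, "second": second,
            "remaining": account.count}
```

The server never stores the pass phrase, and each accepted response replaces the stored value, which is what limits a passive eavesdropper to the session in progress.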
