[Dovecot] using one-time passwords

Johannes Berg johannes at sipsolutions.de
Tue May 18 17:20:34 EEST 2004

On Tue, 2004-05-18 at 14:23, Timo Sirainen wrote:
> Personally I have never liked Cyrus SASL. It's always been annoyingly
> difficult to configure to work like I wanted.

I don't have experience with it, so ... :)

> The code there to support it isn't actually working right now, but I
> guess it wouldn't be too difficult to fix it.

I might try this.

> That doesn't look very good code .. Looks like if it was possible for
> user to set wanted seed there would be several buffer overflows. But I
> guess normally it's not?

I'm not sure I understand you.
opiepasswd allows you to set the seed when changing your otp settings. I
guess I'll need to look at the code, though I'm not really a C wizard
nor very knowledgeable about insecure C code. Can you explain further
what possible problems you see?

> The reason why I implemented my own authentication instead of just
> using Cyrus SASL was that I wanted to be sure there were not going to
> be any serious security holes. I could have just audited the code, make
> sure the found security holes were fixed (actually did both once), and
> then just use it. But that doesn't give any guarantees about it's
> future versions, I'd have to constantly keep auditing the new versions
> to make sure they hadn't added more bugs.

Makes sense.

> Anyway, it's OTP code didn't look bad. That would be the easiest way to
> get it working.

Right. Cyrus SASL can (optionally) use opie as well.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: This is a digitally signed message part
URL: <http://dovecot.org/pipermail/dovecot/attachments/20040518/b5352f1d/attachment-0001.bin>

More information about the dovecot mailing list