[Dovecot] Logon with Client Certificate and OTP fallback (dovecot: message 4 of 20)

dovecot.pkoch at dfgh.net dovecot.pkoch at dfgh.net
Sun Mar 10 15:09:41 EET 2013


Hi Robert

2013/3/10 Robert Schetterer - rs at sys4.de <
dovecot.pkoch.74fa2fe130.rs#sys4.de at ob.0sg.net>

> try read
>
> http://wiki2.dovecot.org/PasswordDatabase/PAM
>
> ...
> This can be useful with e.g. pam_opie to find out which one time
> password you're supposed to give:
>
> 1 LOGIN username otp
> 1 NO otp-md5 324 0x1578 ext, Response:
>

I don't worry about how to use Dovecot with either SSL Client-Certificates
or our OTP-token. SSL ClientCerts do work as expected and using
our token is just a matter of finding the right PAM-module. pam_opie is
the wrong module as OPIE is a method to pregenerate a list of One Time
Passwords in software. What we are using is a hardware token that
generates One Time Passwords as described in RFC 4226. There
are PAM-modules out there that might do the job but since I have
implemented the algorithm already into our POP3-server I could
build a PAM-module myself.

What I would like to know in advance is: How do I configure Dovecot
such that SSL Client-Auth is used with priority 1 and OTP-auth is used
only for SSL-connections without a ClientCert. Non-SSL connections should
not be allowed at all.

If that combination were not possible I'm hoping to get some hints
on how to change the Dovecot source.

Kind regards

Peter
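Since the message refers to implementing the RFC 4226 (HOTP) algorithm for a hardware token, the following is an added Python example of HOTP generation and of the server-side check a PAM module or POP3 server would do, including a look-ahead window so a token that has been pressed without logging in can resynchronise. It is not part of Peter's message, of Dovecot, or of any PAM module; the secret used is the RFC 4226 Appendix D test key, and the counter storage is a plain integer standing in for whatever the real password database holds.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test key (20 bytes); a real deployment stores one
# shared secret per token in the password database, never in the code.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) as in RFC 4226 section 5.3."""
    # HMAC-SHA-1 over the 8-byte big-endian moving factor (the counter).
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects a
    # 4-byte window; the top bit is masked off to avoid sign issues.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                window: int = 10, digits: int = 6):
    """Server-side check. Returns the new counter to store on success,
    None on failure. Counters stored_counter .. stored_counter+window-1
    are tried so the token can drift ahead of the server; on a match the
    counter is moved past the matched value, which is what prevents the
    same one-time password from being accepted twice."""
    if len(candidate) != digits or not candidate.isdigit():
        return None
    for c in range(stored_counter, stored_counter + window):
        # Constant-time comparison so timing does not leak digit matches.
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    counter = 0
    # A user types the OTP their token shows for counter 1 (token pressed
    # once without logging in). The window absorbs the drift.
    new_counter = verify_hotp(TEST_SECRET, counter, hotp(TEST_SECRET, 1))
    print("accepted, counter now", new_counter)
    # Replaying the same OTP must fail because the counter moved on.
    print("replay ->", verify_hotp(TEST_SECRET, new_counter, hotp(TEST_SECRET, 1)))
```

The window size is a trade-off: a larger window tolerates more accidental button presses but gives an attacker more valid codes per guess, so the real password database should also rate-limit failed attempts and persist the advanced counter atomically with the successful login.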
