On Thu, 2004-05-13 at 20:16, Johannes Berg wrote:
Hi,
Is there any way to use something like OPIE (one-time passwords in everything, S/KEY) with dovecot?
Here's what I want to do ultimately:
- have an AUTH=XYZ method that relies on S/KEY as provided by the libpam-opie module (well, maybe not through pam)
I didn't really understand how libpam-opie works. Does it require some special client or how does it tell the seed/sequence? Or doesn't it?
But sure, Cyrus SASL has AUTH=OTP mechanism, we could be compatible with that. Want to write it? :) Shouldn't be hard to plug into Dovecot, I just don't really have time right now.
The OTP data could be stored in the same way as PASSDB_CREDENTIALS_DIGEST_MD5. Except the code doesn't currently allow multiple credentials per user; it only uses the beginning of the password field to specify the password type, e.g. "{PLAIN}password", "{DIGEST-MD5}digest-md5-credentials", etc. I guess I should do something about that...
- have dovecot advertise authentication as follows:
- local : PLAIN, XYZ
- remote (encrypted) : EXTERNAL, and rely on certificate
- remote (unencrypted): XYZ
That's the dovecot part. Then I would modify squirrelmail to a) negotiate PLAIN with an authorized web client certificate, b) negotiate XYZ without SSL or with SSL but without a valid certificate.
1.0-test9 supports the "ssl_verify_client_cert" option, but then it always requires it... hmm. Maybe with it enabled the configuration could support something like:
auth default { mechanisms = plain .. ssl_require_client_cert = yes }
auth otp { mechanisms = otp .. ssl_require_client_cert = no }
Yes, that looks good, I'll implement that.
Does this sound feasible? I see the following advantages:
- allows checking of webmail on the road, on untrusted computers, giving out only whatever you decide to look at
One problem is that it also gives the possibility to modify the mailbox, which isn't very good. From my TODO:
- support read-only logins. User could, with an alternative password, get only read access to mails, so mails could be read relatively safely on untrusted computers. Maybe always send [ALERT] about the previous read-only login time with IP?
Maybe flag changes would be allowed (but not \Deleted). Anyway, this could be configurable as well (append :READONLY to default_mail_env).
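To make the seed/sequence question above concrete, here is an added illustration (not code from Dovecot, Cyrus SASL or libpam-opie) of the S/KEY-style hash chain that an AUTH=OTP mechanism verifies: the server stores only the sequence number, the seed and the last accepted one-time password, challenges the client with "otp-md5 <seq> <seed>", and accepts a response if one more otp-md5 step maps it onto the stored value. The otp-md5 step (MD5 folded to 64 bits by XOR) and lowercasing of the seed follow RFC 2289; the enrollment convention (store hash^N, first challenge N-1) is the classic S/KEY one and is an assumption of this example, as is the in-memory passdb record.

```python
import hashlib
import hmac


def otp_md5_step(value: bytes) -> bytes:
    """One otp-md5 step: MD5, then fold the 16-byte digest to 8 bytes (XOR halves)."""
    d = hashlib.md5(value).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_generate(secret: str, seed: str, seq: int) -> bytes:
    """Client side: hash seed+passphrase, then apply the step seq times in total."""
    v = (seed.lower() + secret).encode()
    for _ in range(seq):
        v = otp_md5_step(v)
    return v


class OtpPassdb:
    """Per-user OTP record (constructed in-memory stand-in for a passdb entry).
    Holds no secret: only seq, seed and the last OTP accepted (or the enrolled hash^N)."""

    def __init__(self, seed: str, seq: int, last_otp: bytes) -> None:
        self.seed, self.seq, self.last_otp = seed.lower(), seq, last_otp

    def challenge(self) -> str:
        # The client must answer with hash^(seq-1); seq and seed are public.
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.seq <= 1:
            return False  # chain exhausted: user must re-enroll
        # One more step on the response must reproduce the stored value.
        if hmac.compare_digest(otp_md5_step(response), self.last_otp):
            self.seq -= 1          # advance the chain ...
            self.last_otp = response  # ... so the same response cannot be replayed
            return True
        return False


def enroll(secret: str, seed: str, n: int) -> OtpPassdb:
    """Enrollment: compute hash^n once (the secret never reaches the server record)."""
    return OtpPassdb(seed, n, otp_generate(secret, seed, n))
```

A response captured on an untrusted machine is useless afterwards: once accepted it becomes the stored value, and replaying it fails because the server now expects its preimage.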