Hi Benjamin
Thanks for your input.
I guess I need to take a step back and define some requirements. Currently I have too many options running through my head, which has overwhelmed me and is not helping! You are correct in saying that the subject of this post is now incorrect. Maybe it should now be: Two factor for Dovecot and Roundcube for secure remote access
First of all I don't want any of the authentication options to change for all current users. I am the *only* user that requires secure access to webmail while travelling overseas.
So the requirements are:
For all users (except myself) allow them to continue using the system as it is
For me (and possibly some new users in the future), allow a secure way of authenticating with Roundcube so that if the password is recorded with a keylogger, access to my mailbox via IMAP is not possible. (NB: When I say IMAP, I mean non-Roundcube/HTTP access to my mailbox)
Email clients include: Thunderbird, Outlook, K9 on Android and Roundcube
Yes, I have looked at OTP for Roundcube and currently use Google's Authenticator, which works nicely in securing Roundcube ONLY. The OTP AND password are required to login. The OTP is generated on my Android phone.
From what I have gathered, the options for securing logging in from an untrusted machine are:
Use throw away passwords - ie: passwords that can only be used once and can ONLY be used for logging into Roundcube
Use OTP for Dovecot AND Roundcube - I have no idea how to do this
Have a copy of my mailbox (that gets synced with a cron job) and have a completely separate login to access this mailbox. This login will ONLY be used when using Roundcube from an untrusted machine and will NOT be allowed IMAP access (this can be done in the password_query I think). Or use two login accounts to the same mailbox maybe but one account is used for travelling and can't access IMAP?
The important thing here is that if/when the password gets recorded while logging into Roundcube that it can NOT be used to access my mailbox from (say) Thunderbird. Also OTP should not be enforced for the other users (ie: it should be optional).
Does that clarify? Sorry if I'm all over the place but there doesn't seem to be a clear/simple way to achieve what I want. Feel free to ask me more questions and I will try my best to answer so that it clarifies things.
Thank you.
PS: Regarding USB virtual keyboards (like Yubikey), I'd like to avoid them if possible as you can't always connect a USB device to a machine in an internet cafe (sometimes they physically lock the USB ports so they can't be used).
On 06/05/2014 08:44, Benjamin Podszun wrote:
On Tuesday, May 6, 2014 9:26:54 AM CEST, SIW wrote:
I haven't considered Yubikey but I was considering this:
I'm not sure if these USB virtual keyboards are the best option as some internet cafes won't let you plug in USB devices or you don't have the rights to install it (I know they say it doesn't require drivers but some machines are locked down good)
I'd be surprised if these machines wouldn't support plain USB keyboards. Probably the keyboard you'll use at these machines isn't PS/2 anymore.
From what I have read it sounds like I need to have two passwords for one login...one for Roundcube (with OTP) and one for IMAP access. I think the key to this is to ONLY allow the IMAP password to be used with IMAP and for the Roundcube password (with OTP) to ONLY have access to Roundcube. That way if the Roundcube password gets recorded/keylogged then they can't use it with IMAP. Is this possible? (ie: bind/enforce a particular password to one type of service)
I think you're confused. Take a step back. You came with a ~strange~ requirement (see subject, by now you understand that 'disable imap for one user' isn't what you want). You didn't provide enough details to proceed and I think you are still not quite sure what you want to do here.
The thought process you outline above isn't clear. I _assume_ (note: Please confirm/deny) you looked at OTP solutions that are roundcube only, i.e. that are implemented in PHP. That'd mean that there's no OTP support in your dovecot setup and plain/direct imap connections use nothing but your regular password. Furthermore it seems that you confuse/mix OTPs with two-factor authentication and assume the latter with the Roundcube-only setup I believe to understand above. That is, you log in to your Roundcube site with
- your regular password AND
- something else (call it OTP)
Only under these circumstances does it make sense that you consider OTPs to be broken for your threat model: A keylogger now has your regular password and a useless OTP, but needs only the regular password for dovecot because the OTP support is bolted on/a hack in the wrong place.
I still think you want OTP support in dovecot itself. It might be possible to hack the Roundcube thing (still leaning heavily on my assumptions above) to require _just_ an OTP, but that'd require Roundcube to be able to log in without you transmitting your real password. That'd fix the hack for 'someone logged my keys', but isn't much of an improvement overall.
Another option: is it possible to have my main account and use it with IMAP but have a SECOND set of login credentials that I only use for Roundcube but can access my mailbox of the other account?
Yes, that would be possible and I pointed to a specific part of the documentation for that. You could, without too much effort, support accounts with multiple passwords, whatever that would be good for.
I'm still battling with this!
See above: Please reflect a moment, check the facts you provided and fill in the missing details.
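The per-service password binding SIW asks about ("bind/enforce a particular password to one type of service", which SIW guesses can be done in the password_query) and the "accounts with multiple passwords" Benjamin mentions can both be expressed in Dovecot's SQL passdb. The fragment below is an added illustration, not configuration from this thread or from the Dovecot project; the table and column names, the MySQL driver, the login_from values and the webmail host address 127.0.0.1 are assumptions.

```conf
# dovecot-sql.conf.ext (added example). Assumed table "passwords" with columns
# userid, domain, service, login_from, password. An account may hold several
# rows: one password for real mail clients and a second one that is accepted
# only when the IMAP connection comes from the webmail host.
driver = mysql
connect = host=localhost dbname=mail user=dovecot password=PLACEHOLDER_DB_PASSWORD
default_pass_scheme = SHA512-CRYPT

# Dovecot variables used here:
#   %n = user part, %d = domain, %s = service (imap, pop3, lda, ...), %r = remote IP.
# Roundcube itself logs in to Dovecot over IMAP, so %s alone cannot separate it
# from Thunderbird; the remote address of the webmail server is what does that
# (assumed: Roundcube runs on the same host and connects from 127.0.0.1).
# Exactly one row can match per lookup, so users with a single '*' row keep
# working unchanged.
password_query = \
  SELECT password, userid AS user \
  FROM passwords \
  WHERE userid = '%n' AND domain = '%d' \
    AND (service = '%s' OR service = '*') \
    AND (login_from = '*' \
         OR login_from = IF('%r' = '127.0.0.1', 'webmail', 'client'))

# Constructed rows (hashes elided):
#   userid | domain      | service | login_from | password
#   siw    | example.org | imap    | client     | {SHA512-CRYPT}...  regular password
#   siw    | example.org | imap    | webmail    | {SHA512-CRYPT}...  Roundcube-only password
#   alice  | example.org | *       | *          | {SHA512-CRYPT}...  unchanged existing user
#
# Effect: a password keylogged during a Roundcube login matches only the
# 'webmail' row, and that row is never consulted for a connection arriving
# from any address other than the webmail host, so it is useless for IMAP
# from Thunderbird/Outlook/K9. The regular password, in turn, is never
# accepted via Roundcube.
```

This only prevents the webmail password from being replayed over direct IMAP; someone who recorded it could still try Roundcube from elsewhere, which is where the Roundcube-side OTP still matters.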