Jasper Bryant-Greene jasper@albumltd.co.nz wrote on 24 Jul 2007 23:40:
a) provide the otp sequence as a capability (e.g. X-OTP-SEQ=1234), or
b) provide a dovecot-specific IMAP command for finding out the current sequence value (e.g. X-OTP-SEQ)
The sending of a dummy password to retrieve the LOGIN response seems like a bit of a hack (no offense to Frank - I'm keen to see this OTP idea implemented), but again, the above is written without much knowledge of the IMAP protocol.
The problem is that the OTP sequence is user dependent. When you use PAM you can't determine if a user uses OTP until you try a login (you call pam_authenticate()).
There is an existing mechanism in IMAP: SASL with OTP. But in that case you cannot use the operating system configuration with PAM; the IMAP server must handle the OTP challenge itself. I believe this is integrated in the new dovecot 1.1 version. A problem with this setup is that you need special support by a webmail client. I didn't find any (easy) solution with support for it, with the exception of an extra IMAP-OTP-proxy server.
Or another view: Until now dovecot (and I believe nearly all other IMAP servers) use PAM in a restricted form only. PAM means
- you define all login capabilities and security restrictions and databases in the operating system.
- when you try to authenticate a user, the PAM module requests the information via callbacks. That means a prompt is displayed for user name, and the user name is passed to PAM. Then a prompt for password is displayed, and the password is passed to PAM. Theoretically this can be continued. With traditional IMAP LOGIN (I do not speak about SASL) the client supplies username and password together, and this must be mapped to the callback sequence. Here the PAM prompts are ignored, and in the case of OTP they contain important information. My (probably non-standard IMAP) extension creates the possibility to return the PAM callback message to the user.
When you think about it: a webmail client and the different IMAP login mechanisms do not fit together very well. So some posters are right: you should better use a "real" IMAP client. But IMHO webmail is a useful solution when you are on vacation or business travel and want to access your email. And together with one-time passwords the security risk is not too high, so you can use it.
Regards, Frank
Frank Behrens, Osterwieck, Germany. PGP key 0x5B7C47ED available on public servers.
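As an added example (not Dovecot's code and not Frank's extension), the following C program shows the mapping Frank describes: a PAM conversation callback that answers the username and password prompts from the credentials an IMAP LOGIN command already carries, while recording the module's text messages (such as an OTP challenge) instead of discarding them, so the server can relay them to the client. The struct and constant definitions mirror the Linux-PAM application API but are defined locally so the example compiles without libpam; `demo_pam_authenticate` is a hypothetical stand-in for an OTP-aware module, and the challenge string and credentials are constructed sample values.

```c
/* Added example: a PAM conversation callback for IMAP LOGIN that keeps the
 * module's informational messages (e.g. an OTP challenge) instead of
 * ignoring them. Types and constants below mirror Linux-PAM's pam_appl.h
 * but are local definitions so this compiles without libpam. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_BUF_ERR          5
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_PROMPT_ECHO_ON   2
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Application data for the callback: the credentials supplied in one IMAP
 * LOGIN command, plus a buffer collecting the module's messages. */
struct imap_login_ctx {
    const char *username;
    const char *password;
    char info[256];   /* accumulated PAM_TEXT_INFO / PAM_ERROR_MSG text */
};

static void append_info(struct imap_login_ctx *ctx, const char *text)
{
    size_t used = strlen(ctx->info);
    if (used && used + 1 < sizeof ctx->info) ctx->info[used++] = '\n';
    snprintf(ctx->info + used, sizeof ctx->info - used, "%s", text);
}

/* Conversation callback with the libpam signature. Prompts are answered from
 * the already-collected credentials; text/error messages are recorded so the
 * server can hand them back to the client (e.g. in a NO response). */
int imap_login_conv(int num_msg, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata_ptr)
{
    struct imap_login_ctx *ctx = appdata_ptr;
    if (num_msg <= 0) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:  r[i].resp = strdup(ctx->username); break;
        case PAM_PROMPT_ECHO_OFF: r[i].resp = strdup(ctx->password); break;
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:       append_info(ctx, msg[i]->msg); break;
        default:
            for (int j = 0; j < i; j++) free(r[j].resp);
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Hypothetical stand-in for an OTP-aware PAM module. The prompt sequence,
 * challenge and accepted answer are constructed for this example; a real
 * module derives the challenge from the user's OTP state. */
#define DEMO_CHALLENGE "otp-md5 498 ke1234 ext"   /* constructed sample */
#define DEMO_RESPONSE  "WORD WORD WORD"           /* constructed sample */

int demo_pam_authenticate(struct imap_login_ctx *ctx)
{
    struct pam_message m1 = { PAM_PROMPT_ECHO_ON,  "login: " };
    struct pam_message m2 = { PAM_TEXT_INFO,       DEMO_CHALLENGE };
    struct pam_message m3 = { PAM_PROMPT_ECHO_OFF, "Response: " };
    const struct pam_message *msgs[] = { &m1, &m2, &m3 };
    struct pam_response *resp = NULL;
    int rc = imap_login_conv(3, msgs, &resp, ctx);
    if (rc != PAM_SUCCESS) return rc;
    int ok = resp[0].resp && resp[2].resp &&
             strcmp(resp[2].resp, DEMO_RESPONSE) == 0;
    for (int i = 0; i < 3; i++) free(resp[i].resp);
    free(resp);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

int main(void)
{
    /* A client sends the username and a stale password in one LOGIN
     * command; the challenge the module emitted is not lost. */
    struct imap_login_ctx ctx = { "alice", "stale-password", "" };
    int rc = demo_pam_authenticate(&ctx);
    printf("pam rc=%d, relayed to client: \"%s\"\n", rc, ctx.info);
    return rc == PAM_SUCCESS ? 0 : 1;
}
```

In a real server the `info` text is what the extension Frank mentions would return alongside the LOGIN failure, so a webmail client can show the user which OTP sequence number to compute.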