On Mon, 2007-07-23 at 17:15 +0200, Frank Behrens wrote:
> Solution 1: When PAM is configured for IMAP the user can use a one-time-password in the same way as before. The problem is that the user must know the sequence number for the password (otp challenge), so we need a way to display it. The PAM module supplies the otp challenge in the conversation function, but the challenge is not processed by the IMAP server. My proposal: The IMAP server stores the challenge from the conversation function and includes it in the LOGIN response, when the login was not successful. So a user can try a login with a wrong dummy password and get knowledge about the current otp sequence.
I'd like to see your patch for this. I've no idea how pam_otp works.
> Solution 3: When we configure PAM we can restrict/allow its use depending on the IP address of the client. Unfortunately with a webmail client the IMAP client is always the webserver. It should be possible that the webserver forwards the client IP address to the IMAP server. Furthermore, to use dovecot's login cache as described above in a safe manner, the IP address should be compared, too. My proposal: Create a new IMAP command "XSETREMOTEIP". With this IMAP extension a client can set the real IP address of the remote client. The access to this command is restricted to the webserver with a new configuration parameter "trusted clients", which holds an IP address with mask.
Cyrus Murder has something similar to this I think. We could make it compatible with it.
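The "trusted clients" check behind the proposed XSETREMOTEIP command, sketched as an added example (this is not Frank's patch, not Timo's code, and not anything in Dovecot or Cyrus Murder). It assumes a `Session` object holding the TCP peer address, a `TRUSTED_CLIENTS` list of address/mask networks standing in for the proposed configuration parameter, and a handler `handle_xsetremoteip` that only accepts the command from a trusted peer; `effective_client_ip` is the address that PAM restrictions and the login cache key should use afterwards. All addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical "trusted clients" setting: only peers inside these networks
# (address with mask) may issue XSETREMOTEIP. Constructed sample values:
# the webmail host and one management subnet.
TRUSTED_CLIENTS = [
    ipaddress.ip_network("10.0.0.5/32"),
    ipaddress.ip_network("192.0.2.0/24"),
]


@dataclass
class Session:
    peer_ip: str                     # address of the TCP peer (the webserver)
    remote_ip: Optional[str] = None  # real client address, once forwarded


def is_trusted(peer_ip, trusted=TRUSTED_CLIENTS):
    """True if the connecting peer falls inside a configured trusted network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)


def handle_xsetremoteip(session, tag, arg, trusted=TRUSTED_CLIENTS):
    """Return the tagged IMAP response for '<tag> XSETREMOTEIP <arg>'.

    Untrusted peers are refused outright so an ordinary client cannot
    spoof its own address; malformed arguments are rejected with BAD.
    """
    if not is_trusted(session.peer_ip, trusted):
        return f"{tag} NO XSETREMOTEIP not permitted from this address"
    try:
        addr = ipaddress.ip_address(arg)
    except ValueError:
        return f"{tag} BAD Invalid IP address"
    session.remote_ip = str(addr)
    return f"{tag} OK Remote IP set"


def effective_client_ip(session):
    """Address that PAM restrictions and login-cache comparisons should use.

    Falls back to the TCP peer when no forwarded address was accepted, so a
    direct IMAP client is still judged by its own address.
    """
    return session.remote_ip or session.peer_ip


def login_cache_key(session, user):
    """Cache key including the client address, as solution 3 asks for."""
    return (user, effective_client_ip(session))


if __name__ == "__main__":
    # Webserver (trusted) forwarding a browser's address
    s = Session("10.0.0.5")
    print(handle_xsetremoteip(s, "a1", "203.0.113.7"))
    print("effective:", effective_client_ip(s), "cache key:", login_cache_key(s, "frank"))
    # Arbitrary client trying the same command
    s2 = Session("198.51.100.9")
    print(handle_xsetremoteip(s2, "a2", "203.0.113.7"))
    print("effective:", effective_client_ip(s2))
```

Keying the login cache on the forwarded address means two webmail users behind the same webserver no longer share a cache entry, which is the "safe manner" the proposal asks for.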