On Mon, 2004-05-17 at 02:24, Timo Sirainen wrote:
I didn't really understand how libpam-opie works. Does it require some special client or how does it tell the seed/sequence? Or doesn't it?
For setting the password, it tells you the seed/sequence (will refer to that as s/s for now). You then calculate md5^sequence(key) (apply md5 sequence times) and give that to the server. It stores it, and lets you log in the next time if you can give it md5^(sequence-1)(key). If you really want to know the gory details -> s/key in opie(4). Opie uses this inside pam by just making the query string "opie: s/s" (similar, not identical to that) instead of "Password:".
But sure, Cyrus SASL has AUTH=OTP mechanism, we could be compatible with that.
Would have to investigate that SASL mechanism.
Want to write it? :) Shouldn't be hard to plug into Dovecot, I just don't really have time right now.
Sure.
The OTP-data could be stored in same way as PASSDB_CREDENTIALS_DIGEST_MD5. Except the code doesn't currently allow multiple credentials per user, it only uses the beginning of the password field to specify the password type, eg. "{PLAIN}password", "{DIGEST-MD5}digest-md5-credentials", etc. I guess I should do something about that..
I don't think that matters. In opie, that could be: {OTP}sequence seed md5 date or something. You really only need to store one tuple of data per user.
1.0-test9 supports "ssl_verify_client_cert" option, but then it always requires it ..
Yeah, I've seen that...
hmm. maybe with it enabled the configuration could support something like:
auth default { mechanisms = plain .. ssl_require_client_cert = yes }
auth otp { mechanisms = otp .. ssl_require_client_cert = no }
Yes, that looks good, I'll implement that.
but that looks perfect :-)
One problem is that it also gives the possibility to modify the mailbox which isn't very good. From my TODO:
Good point! Hadn't thought of that so far.
Thanks for your answer. I'll be looking at SASL OTP, and dovecot source.
johannes
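The hash-chain scheme described above (server stores md5^sequence(key), the client must next present md5^(sequence-1)(key), and the record is kept as one "{OTP}sequence seed md5" tuple per user), as an added worked example that is not part of this thread and not Dovecot or OPIE code. It follows the simplified description given in the mail rather than the exact OPIE/S/KEY algorithm (real OPIE folds the digest to 64 bits and encodes it as six words); the seed being prepended to the passphrase, the "otp-md5 <seq> <seed>" prompt text, and the refusal to go below sequence 1 are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass


def otp_chain_value(secret: bytes, seed: str, sequence: int) -> bytes:
    """md5^sequence(seed || secret): apply MD5 'sequence' times.

    Prepending the seed to the passphrase is an assumption borrowed from
    S/KEY; the mail above just says md5^sequence(key).
    """
    x = seed.encode() + secret
    for _ in range(sequence):
        x = hashlib.md5(x).digest()
    return x


@dataclass
class OtpRecord:
    """One tuple per user, as the mail suggests: sequence, seed, last hash."""
    sequence: int
    seed: str
    last_hash: bytes  # md5^sequence(key), the value the server stores


def otp_enroll(secret: bytes, seed: str, sequence: int) -> OtpRecord:
    """Password-setting step: the client sends md5^sequence(key), server stores it."""
    return OtpRecord(sequence, seed, otp_chain_value(secret, seed, sequence))


def otp_challenge(rec: OtpRecord) -> str:
    """The prompt shown instead of 'Password:'. Format is hypothetical."""
    return f"otp-md5 {rec.sequence - 1} {rec.seed}"


def otp_verify(rec: OtpRecord, presented: bytes) -> bool:
    """Accept 'presented' iff md5(presented) == stored hash, then advance the chain.

    Because the stored value moves one step down the chain on success, the
    same response can not be replayed: md5(old response) no longer matches.
    Stopping at sequence 1 is a design choice of this example: going lower
    would expose md5^0(key), i.e. the key itself.
    """
    if rec.sequence <= 1:
        return False  # chain exhausted, user must re-enroll with a new seed
    if not hmac.compare_digest(hashlib.md5(presented).digest(), rec.last_hash):
        return False
    rec.sequence -= 1
    rec.last_hash = presented
    return True


def format_record(rec: OtpRecord) -> str:
    """Serialise as the '{OTP}sequence seed md5' field proposed in the thread."""
    return f"{{OTP}}{rec.sequence} {rec.seed} {rec.last_hash.hex()}"


def parse_record(field: str) -> OtpRecord:
    """Inverse of format_record; rejects anything that is not an {OTP} field."""
    if not field.startswith("{OTP}"):
        raise ValueError("not an {OTP} credential")
    seq, seed, digest = field[len("{OTP}"):].split(" ")
    return OtpRecord(int(seq), seed, bytes.fromhex(digest))


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    secret, seed = b"correct horse", "ke1234"
    rec = otp_enroll(secret, seed, 5)
    print(otp_challenge(rec))                      # otp-md5 4 ke1234
    response = otp_chain_value(secret, seed, 4)    # what the client computes
    print(otp_verify(rec, response))               # True
    print(otp_verify(rec, response))               # False: replay rejected
    print(format_record(rec))
```

Note that this stored tuple is self-updating: every successful login rewrites the password field, so the passdb backend must allow writes, which is exactly the mailbox-modification concern raised in the thread.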