On Tue, Jul 24, 2007 at 09:42:29AM +0300, Timo Sirainen wrote:
On Mon, 2007-07-23 at 17:15 +0200, Frank Behrens wrote:
Solution 1: When PAM is configured for IMAP the user can use a one-time-password in the same way as before. The problem is, that the user must know the sequence number for the password (otp challenge), so we need a way to display it. The PAM module supplies the otp challenge in the conversation function, but the challenge is not processed by the IMAP server. My proposal: The IMAP server stores the challenge from the conversation function and includes it in the LOGIN response, when the login was not successful. So a user can try a login with a wrong dummy password and get knowledge about the current otp sequence.
I'd like to see your patch for this. I've no idea how pam_otp works.
I don't know a lot about the IMAP protocol's intricacies, but would it not be cleaner to either:
a) provide the otp sequence as a capability (e.g. X-OTP-SEQ=1234), or
b) provide a dovecot-specific IMAP command for finding out the current sequence value (e.g. X-OTP-SEQ)
The sending of a dummy password to retrieve the LOGIN response seems like a bit of a hack (no offense to Frank - I'm keen to see this OTP idea implemented), but again, the above is written without much knowledge of the IMAP protocol.
Jasper
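The mechanisms discussed in this thread, modelled as an added example in Python (this is not Dovecot's or pam_otp's code, and nobody on the thread posted it): a stand-in PAM module that hands its S/Key-style challenge to the conversation function, an IMAP login handler that records the challenge from inside that callback, Frank's proposal of returning it in a failed LOGIN response, and Jasper's two alternatives of an X-OTP-SEQ capability and an X-OTP-SEQ command. The challenge format, the `[OTP-CHALLENGE ...]` response code, the `X-OTP-SEQ` names and the sample user data are constructed assumptions.

```python
"""Constructed model of surfacing a PAM OTP challenge through IMAP (added example)."""
import re

# PAM message styles; values match those in <security/pam_appl.h>.
PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4

# Assumption: the OTP module shows an S/Key/OPIE-style challenge such as
# "otp-md5 497 ke1234" as prompt text; we pick out sequence and seed.
CHALLENGE_RE = re.compile(r"\botp-\w+\s+(\d+)\s+(\S+)")


class FakeOtpPamModule:
    """Stand-in for pam_otp (constructed; not the real module)."""

    def __init__(self, users):
        # users: name -> (sequence, seed, expected_response)
        self.users = users

    def authenticate(self, user, conv):
        seq, seed, expected = self.users.get(user, (None, None, None))
        if seq is None:
            # Unknown user: plain password prompt, no challenge to leak.
            conv([(PAM_PROMPT_ECHO_OFF, "Password: ")])
            return False
        challenge = f"otp-md5 {seq} {seed} ext"
        answers = conv([(PAM_TEXT_INFO, challenge), (PAM_PROMPT_ECHO_OFF, "Response: ")])
        if answers[1] != expected:
            return False
        # One-time semantics: the used response is consumed and the sequence
        # counts down, so replaying the same password must fail next time.
        self.users[user] = (seq - 1, seed, None)
        return True


class ImapLoginHandler:
    """Minimal IMAP-side login logic that captures the PAM challenge."""

    def __init__(self, pam):
        self.pam = pam
        self.last_challenge = None  # (sequence, seed) seen during the last PAM run

    def _conversation(self, password):
        """Build a PAM conversation callback that answers prompts with `password`
        and records any OTP challenge the module displays along the way."""
        def conv(messages):
            answers = []
            for style, text in messages:
                m = CHALLENGE_RE.search(text)
                if m:
                    self.last_challenge = (int(m.group(1)), m.group(2))
                is_prompt = style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON)
                answers.append(password if is_prompt else "")
            return answers
        return conv

    def login(self, tag, user, password):
        """Frank's proposal: a failed LOGIN carries the stored challenge."""
        self.last_challenge = None
        if self.pam.authenticate(user, self._conversation(password)):
            return f"{tag} OK LOGIN completed"
        if self.last_challenge:
            seq, seed = self.last_challenge
            return f"{tag} NO [OTP-CHALLENGE otp-md5 {seq} {seed}] Authentication failed"
        return f"{tag} NO Authentication failed"

    def _probe_challenge(self, user):
        """Run PAM with an empty answer purely to observe the current challenge.
        This still costs one failed PAM authentication per probe."""
        self.last_challenge = None
        self.pam.authenticate(user, self._conversation(""))
        return self.last_challenge

    def capability(self, user=None):
        """Jasper's alternative (a): advertise the sequence as a capability.
        The user must already be known, which plain IMAP does not give us
        before LOGIN, hence the optional `user` argument."""
        caps = ["IMAP4rev1"]
        if user is not None and self._probe_challenge(user):
            caps.append(f"X-OTP-SEQ={self.last_challenge[0]}")
        return "* CAPABILITY " + " ".join(caps)

    def otp_seq(self, tag, user):
        """Jasper's alternative (b): a dedicated pre-login command."""
        challenge = self._probe_challenge(user)
        if challenge is None:
            return f"{tag} NO No OTP challenge available"
        seq, seed = challenge
        return f"* X-OTP-SEQ {seq} {seed}\r\n{tag} OK X-OTP-SEQ completed"
```

Whichever transport is chosen, each of the three paths costs a PAM round trip that ends in a failed authentication for the probed user, which is worth remembering when reading PAM failure counters or auth logs. The capability variant also has a structural problem in this model: a CAPABILITY response is sent before the client names a user, so the server cannot know whose sequence to advertise; the command variant (b) avoids that.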