On Tuesday, May 6, 2014 9:26:54 AM CEST, SIW wrote:
> I haven't considered Yubikey but I was considering this:
> I'm not sure if these USB virtual keyboards are the best option as some internet cafes won't let you plug in USB devices or you don't have the rights to install it (I know they say it doesn't require drivers but some machines are locked down good)
I'd be surprised if these machines wouldn't support plain USB keyboards. Probably the keyboard you'll use at these machines isn't PS/2 anymore.
> From what I have read it sounds like I need to have two passwords for one login...one for Roundcube (with OTP) and one for IMAP access. I think the key to this is to ONLY allow the IMAP password to be used with IMAP and for the Roundcube password (with OTP) to ONLY have access to Roundcube. That way if the Roundcube password gets recorded/keylogged then they can't use it with IMAP. Is this possible? (ie: bind/enforce a particular password to one type of service)
I think you're confused. Take a step back. You came with a ~strange~ requirement (see subject, by now you understand that 'disable imap for one user' isn't what you want). You provided not enough details to proceed and I think you are still not quite sure what you want to do here.
The thought process you outline above isn't clear. I _assume_ (note: Please confirm/deny) you looked at OTP solutions that are roundcube only, i.e. that are implemented in PHP. That'd mean that there's no OTP support in your dovecot setup and plain/direct imap connections use nothing but your regular password. Furthermore it seems that you confuse/mix OTPs with two-factor authentication and assume the latter with the Roundcube-only setup I believe to understand above. That is, you log in to your Roundcube site with
- your regular password AND
- something else (call it OTP)
Only under these circumstances it makes sense that you consider OTPs to be broken for your threat model: A keylogger has now your regular password and a useless OTP, but needs only the regular password for dovecot because the OTP support is bolted on/a hack in the wrong place.
I still think you want OTP support in dovecot itself. It might be possible to hack the Roundcube thing (still leaning heavily on my assumptions above) to require _just_ an OTP, but that'd require Roundcube to be able to login without you transmitting your real password. That'd fix the hack for 'someone logged my keys', but isn't much of an improvement overall.
> Another option, is it possible to have my main account and use it with IMAP but have a SECOND set of login credentials that I only use for Roundcube but can access my mailbox of the other account?
Yes, that would be possible and I pointed to a specific part of the documentation for that. You could, without too much effort, support accounts with multiple passwords, whatever that would be good for.
> I'm still battling with this!
See above: Please reflect a moment, check the facts you provided and fill in the missing details.
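The "second set of credentials that only works for Roundcube" idea from the exchange above, shown as an added Dovecot configuration example. This is not a configuration from the thread or from the Dovecot project's documentation; the file paths, the user name `alice`, the hash and the webmail host address are placeholders. It assumes Roundcube runs on the same machine as Dovecot (so its IMAP connections arrive from 127.0.0.1) and uses two passwd-file password databases for one mailbox, with the webmail-only entry carrying an `allow_nets` extra field so that password is refused when presented over a direct IMAP connection from anywhere else.

```conf
# Added example, not from the thread. Paths, host and hash are placeholders.
# /etc/dovecot/conf.d/10-auth.conf (excerpt)

# 1) Regular credentials: usable from any client, any network.
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users.imap
  # if this password does not match, try the next passdb instead of failing
  result_failure = continue
}

# 2) Webmail-only credentials for the same user name. The passwd-file
#    entry carries allow_nets, so Dovecot rejects this password unless
#    the connection comes from the listed network (the Roundcube host).
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/users.webmail
}

# Both passdbs map to the same userdb entry, so both passwords open
# the same mailbox.
userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users.imap
}

# /etc/dovecot/users.imap (format: user:password:uid:gid:gecos:home:shell:extra)
# alice:{SHA512-CRYPT}$6$PLACEHOLDER_HASH_1:1000:1000::/var/mail/alice::

# /etc/dovecot/users.webmail (same user, different password, host-bound)
# alice:{SHA512-CRYPT}$6$PLACEHOLDER_HASH_2:1000:1000::/var/mail/alice::allow_nets=127.0.0.1/32
```

What this buys and what it does not: a keylogger on a public machine still captures whatever is typed into Roundcube, but the captured webmail password is useless against the IMAP port from the attacker's own network, because `allow_nets` makes Dovecot reject it there. It does not turn the webmail password into a one-time value; that still needs OTP support enforced in Dovecot itself, as argued above. If Roundcube runs on a different host, replace 127.0.0.1/32 with that host's address, and make sure Dovecot sees the real client address rather than a proxy's.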
On 06/05/2014 00:06, Professa Dementia wrote:
On 5/5/2014 3:30 PM, Benjamin Podszun wrote: ...