On Monday, May 5, 2014 11:49:52 PM CEST, SIW wrote:
> I'm beginning to wonder if I am going about this all wrong :-)
No offense: I'm thinking the same thing. ;-)
> Would it not be easier/better to leave all IMAP/SMTP access in place (for all users) and then just use "one time throw away passwords" for logging in from an internet cafe with Roundcube?
YES! Yes, that should be possible. It seems that [1] says that dovecot supports OTP and S/Key by default; using PAM would allow you to use more than that (i.e. plug in a yubikey or whatever). Obviously moving to PAM might not be an option with your virtual users.
> Can this be done? So after you login it just deletes the password you have logged in with. Can you have one username with many (throw away) passwords? But keep one password that is used for IMAP/Thunderbird as you don't want that password being deleted/removed from the system!
Well, you certainly can have multiple passwords per user as far as I can tell: [2] lists ways to do the 'password verification by sql server', and that should allow you to have a way to switch between different passwords for the same user. That said, that still sounds .. not that nice. The best way would be to support two-factor/OTP in dovecot itself, and while the latter is documented as 'supported' (again, see [1]), the documentation on HOW that is going to work seems to be missing. [3]
At the moment I'd say your best bet would be to wait for some dovecot developers to chime in and help with the OTP or S/Key stuff. Messing with the SQL Query is a hack, ugly and .. well: You still leak your password, if password/otp is 'Roundcube only'.
On a sidenote: This guy [4] isn't you, is it? Seems like someone's evaluating the same thing (with the same threat model) just now.
Ben
1: http://wiki2.dovecot.org/Authentication/Mechanisms
2: http://wiki2.dovecot.org/AuthDatabase/SQL
3: And boy is searching the wiki evil and .. unintuitive..
4: https://forums.freebsd.org/viewtopic.php?f=43&t=45341
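The scheme the two of them are circling (one permanent password for IMAP clients, a sheet of throw-away passwords that only the webmail login accepts) is sketched below as an added, stand-alone example. It is not dovecot code and not the dovecot OTP/S-Key mechanism referenced in [1]; it shows the S/Key-style hash chain idea in plain Python so the properties matter to this thread are visible: the server stores only the top of the chain (not the list handed to the user), each password is consumed on success and cannot be replayed, and the permanent password is never accepted at the webmail side, so a keylogger in the internet cafe only ever sees a password that is already dead. The class name `UserAuth`, the helper `make_otp_chain`, the `source` labels "imap" and "webmail" and the PBKDF2 parameters are all assumptions for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for the illustration; not from dovecot or the thread.
PBKDF2_ITERATIONS = 100_000


def make_otp_chain(count: int):
    """Build an S/Key-style hash chain of `count` one-time passwords.

    chain[i] = H^i(seed). The server keeps only chain[count] (the top);
    the user gets chain[count-1], chain[count-2], ..., chain[0], used in
    that order. Knowing the top never reveals the next password, because
    SHA-256 is one-way.
    """
    seed = secrets.token_bytes(32)
    chain = [seed]
    for _ in range(count):
        chain.append(hashlib.sha256(chain[-1]).digest())
    sheet = [c.hex() for c in reversed(chain[:-1])]   # printed/handed to the user
    return chain[-1], sheet                             # (server-side top, user sheet)


def _hash_permanent(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserAuth:
    """One user: a permanent password for IMAP plus a consumable OTP chain for webmail."""

    def __init__(self, permanent_password: str, otp_top: bytes, otp_count: int):
        self.salt = os.urandom(16)
        self.permanent = _hash_permanent(permanent_password, self.salt)
        self.otp_current = otp_top      # only the chain top is stored, never the sheet
        self.otp_remaining = otp_count

    def verify(self, password: str, source: str) -> bool:
        """Return True if `password` is valid for the given login `source`.

        "imap":    only the permanent password is accepted.
        "webmail": only the next unused one-time password is accepted; the
                   permanent password is refused so it is never typed on an
                   untrusted machine.
        """
        if source == "imap":
            return hmac.compare_digest(_hash_permanent(password, self.salt), self.permanent)

        if source == "webmail":
            if self.otp_remaining <= 0:
                return False
            try:
                presented = bytes.fromhex(password)
            except ValueError:
                return False            # not a chain element (e.g. the permanent password)
            # Valid iff presented is the preimage of the stored top.
            if hmac.compare_digest(hashlib.sha256(presented).digest(), self.otp_current):
                self.otp_current = presented     # consume: the old top is now dead
                self.otp_remaining -= 1
                return True
            return False

        return False                    # unknown login source: fail closed


if __name__ == "__main__":
    top, sheet = make_otp_chain(5)
    user = UserAuth("correct horse battery staple", top, len(sheet))
    print("OTP sheet for the user:", *sheet, sep="\n  ")
    print("first OTP accepted:", user.verify(sheet[0], "webmail"))
    print("same OTP replayed:", user.verify(sheet[0], "webmail"))
    print("permanent password at webmail:", user.verify("correct horse battery staple", "webmail"))
    print("permanent password at IMAP:", user.verify("correct horse battery staple", "imap"))
```

Two caveats that follow from the thread. First, this only helps if the webmail path cannot fall back to the permanent password; if it can, the cafe keylogger captures it anyway, which is the "you still leak your password" point above. Second, the chain above must be used strictly in order (skipping ahead is rejected), which is simpler than real S/Key's sequence numbers but also means a lost sheet position locks the user out until a new chain is issued.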