13 May 2004, 8:16 p.m.
Hi,
Is there any way to use something like OPIE (one-time passwords in everything, S/KEY) with dovecot?
Here's what I want to do ultimately:
- have an AUTH=XYZ method that relies on S/KEY as provided by the libpam-opie module (well, maybe not through pam)
- have dovecot advertise authentication as follows:
  - local: PLAIN, XYZ
  - remote (encrypted): EXTERNAL, and rely on certificate
  - remote (unencrypted): XYZ
That's the dovecot part. Then I would modify squirrelmail to a) negotiate PLAIN with an authorized web client certificate, b) negotiate XYZ when without SSL or SSL without a valid certificate.
This way I could check my mail even from computers that I don't trust at all to not do key-logging, since I can have an S/KEY generator on my cell-phone.
Does this sound feasible? I see the following advantages:
- allows checking of webmail on the road, on untrusted computers, giving out only whatever you decide to look at
- allows checking of mail via unencrypted IMAP, relying on one-time passwords so giving an attacker only whatever he can look at while your session is active (assuming he can't insert anything into the tcp stream...)
- is otherwise encrypted, and then doesn't force using one-time keys which may be somewhat a hassle to generate.
johannes
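
The one-time-password property the post relies on (a value captured by a key-logger or sniffer cannot be reused), shown as an added example that is not part of the original message. It is a simplified Lamport hash chain using SHA-256 and is not wire-compatible with OPIE or RFC 2289; `chain`, `OtpServer`, the seed and the passphrase are hypothetical, constructed values.

```python
import hashlib
import hmac


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Hash seed||secret once, then apply SHA-256 n more times."""
    value = hashlib.sha256(seed + secret).digest()
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value


class OtpServer:
    """Stores only the last accepted chain value, never the secret."""

    def __init__(self, seed: bytes, count: int, verifier: bytes):
        self.seed = seed
        self.count = count          # sequence number of the stored verifier
        self.verifier = verifier    # equals chain(secret, seed, count)

    def challenge(self):
        """Tell the client which chain element to compute next."""
        if self.count <= 0:
            raise RuntimeError("chain exhausted; re-initialise the account")
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        """Accept only the preimage of the stored verifier, then step down."""
        if self.count <= 0:
            return False
        hashed = hashlib.sha256(response).digest()
        if not hmac.compare_digest(hashed, self.verifier):
            return False
        self.verifier = response    # the used value becomes the new verifier
        self.count -= 1
        return True


def demo():
    secret, seed = b"constructed passphrase", b"ke1234"  # constructed values
    server = OtpServer(seed, 5, chain(secret, seed, 5))
    n, s = server.challenge()
    otp = chain(secret, s, n)       # computed on the phone, typed on the PC
    first = server.verify(otp)      # legitimate login
    replay = server.verify(otp)     # same value replayed after capture
    n2, s2 = server.challenge()
    second = server.verify(chain(secret, s2, n2))
    return first, replay, second, server.count


if __name__ == "__main__":
    print(demo())
```

The replayed value fails because the server has already moved its verifier one step down the chain; the session opened by the first login is still exposed for as long as it stays active, as the post notes.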