Selective authentication mechanism
Hi all!
I have been using the GSSAPI authentication method for all my externally reachable endpoints for some time under the theory that they cannot be hit with a dictionary attack. Unfortunately, this means iOS devices cannot log in since they (oddly) cannot use GSSAPI. I say “oddly” because desktop Mac mail can use GSSAPI just fine and https://samuelyates.wordpress.com/2013/10/11/kerberos-single-sign-on-in-ios-... goes through how to set it up for web pages.
In any event, what I’m looking to do is use a filter (https://wiki.dovecot.org/ConfigFile#Filters) around the auth_mechanisms such that it will allow plain authentication when the client is on a local network or the VPN. Unfortunately, the fine print on filters says “These filters work for most of the settings, but most importantly auth settings currently only support the protocol filter”.
I guess it’s kind of academic, but I thought I’d ask why this is a limitation? If there is not a profound security reason to not support this, is this a good enough use case to consider it?
Thanks! Brian
On 14.02.2018 20:39, Brian Topping wrote:
Hi Brian,
You can return allow_nets in your passdb to limit which networks the passdb is valid for. See https://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets
Aki
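As an added illustration of Aki's suggestion (not configuration from the thread or from the Dovecot project), the following excerpt keeps GSSAPI available everywhere while password logins are only accepted when the passdb's allow_nets field matches the client address. It assumes an existing working GSSAPI setup, a passwd-file passdb at /etc/dovecot/passwd.lan, and the LAN and VPN ranges 192.168.1.0/24 and 10.8.0.0/24 as placeholders.

```conf
# /etc/dovecot/dovecot.conf (excerpt, added example)
# Offer both mechanisms; the protocol-level mechanism list cannot be
# filtered by network, so the restriction is done in the passdb instead.
auth_mechanisms = plain gssapi
# Never accept a password over an unencrypted session (Dovecot default).
disable_plaintext_auth = yes

# passdb used for PLAIN logins; every entry carries an allow_nets
# extra field, so a password lookup from outside those networks fails
# and PLAIN is effectively unusable from the public Internet.
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT username_format=%u /etc/dovecot/passwd.lan
}

# /etc/dovecot/passwd.lan (passwd-file format:
# user:password:uid:gid:gecos:home:shell:extra_fields)
# The hash below is a placeholder, not a real credential.
# brian:{SHA512-CRYPT}$6$PLACEHOLDER_HASH::::::allow_nets=192.168.1.0/24,10.8.0.0/24
```

allow_nets is matched against the remote address Dovecot itself sees, so a connection arriving through a proxy or NAT that does not pass on the original client address is evaluated against the proxy's address, not the client's.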