Hello,
I was wondering where I might find more information about using OTP as an authentication protocol with dovecot. In searching, I found a thread from 2004, but not much information about how it has progressed from then. I also saw some promising patches from mid-last year, which if I had to guess are probably the addition of support for the SASL OTP mechanism. Is this available in a release yet? (And, also: does anyone know of Linux mail clients that support the OTP SASL mechanism? I'm hoping Thunderbird might...).
If not, is it possible to make it work currently with PAM (or, if that's not possible, maybe Cyrus SASL)? It would be okay with me if it can work with PAM but not prompt with the seed/series number: I can scratch off keys no prob.
I tried briefly to get it to work through PAM, and in fact opieinfo told me that the series was being decremented, but auth.log gives
Feb 6 15:41:46 mabruk dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=x.x.x.x user=micah
ssh works fine with the same PAM settings (both include common-auth, which has:)
auth sufficient pam_opie.so
auth sufficient pam_unix.so nullok_secure
auth required pam_deny.so
-- Micah J. Cowan Programmer, musician, typesetting enthusiast, gamer... http://micah.cowan.name/
On 7.2.2007, at 2.12, Micah Cowan wrote:
I was wondering where I might find more information about using OTP
as an authentication protocol with dovecot. In searching, I found a
thread from 2004, but not much information about how it has
progressed from then. I also saw some promising patches from mid-last year, which if I had to guess are probably the addition of
support for the SASL OTP mechanism. Is this available in a release
yet? (And, also: does anyone know of Linux mail clients that
support the OTP SASL mechanism? I'm hoping Thunderbird might...).
CVS HEAD version has support for OTP SASL mechanism. I don't know how
exactly it works though, it was implemented by Andrey Panin.
If not, is it possible to make it work currently with PAM (or, if
that's not possible, maybe Cyrus SASL)? It would be okay with me if
it can work with PAM but not prompt with the seed/series number: I
can scratch off keys no prob.
If it works with PAM, it's via a plaintext auth mechanism (PLAIN or
LOGIN) which just updates the used OTP number. I don't really know
about that either..
Micah Cowan wrote:
mechanism. Is this available in a release yet? (And, also: does anyone know of Linux mail clients that support the OTP SASL mechanism? I'm hoping Thunderbird might...).
I don't know of any Linux-based email clients that support SASL OTP. Fetchmail is the only mail-like - not a client obviously - that does from memory.
But Thunderbird definitely doesn't work with OTP - http://en.wikipedia.org/wiki/Comparison_of_email_clients#Authentication_Supp....
Though from memory there is a commercial solution to integrate Firefox/Thunderbird with OTP (maybe from ActivIdentity?) but not sure how it works its magic.
Regards
James Turnbull
-- James Turnbull james@lovedthanlost.net
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
On February 7, 2007 11:48:28 AM +1100 James Turnbull james@lovedthanlost.net wrote:
Micah Cowan wrote:
mechanism. Is this available in a release yet? (And, also: does anyone know of Linux mail clients that support the OTP SASL mechanism? I'm hoping Thunderbird might...).
I don't know of any Linux-based email clients that support SASL OTP. Fetchmail is the only mail-like - not a client obviously - that does from memory.
But Thunderbird definitely doesn't work with OTP - http://en.wikipedia.org/wiki/Comparison_of_email_clients#Authentication_Support.
It works fine if you just use PAM.
-frank
On February 6, 2007 4:12:02 PM -0800 Micah Cowan micah@cowan.name wrote:
I was wondering where I might find more information about using OTP as an authentication protocol with dovecot.
I found that some (all?) clients login multiple times in a single user visible "session". This makes sense for multithreaded clients, I guess.
So having dovecot do OTP directly is a bit of a chore. What I did was use the auth cache so that an OTP is valid for x amount of time. Works like a charm.
I'm just using PAM with pam_otp_auth (www.tri-dsystems.com).
A better solution might be to require an OTP-authenticated VPN session to get to the IMAP server.
-frank
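The cache Frank describes, written out as a Dovecot 1.x-style dovecot.conf fragment. This is an added example, not Frank's configuration or anything from the thread; the service name "dovecot", the cache size and the one-hour TTL are assumptions. Dovecot only caches PAM results when the passdb has a cache_key, and because PAM needs the password itself the mechanisms have to be plaintext ones, so the OTP (and its cached reuse) travels over PLAIN/LOGIN and should be confined to TLS:

```conf
# Added example (assumed Dovecot 1.x syntax): cache positive PAM results per
# user so the extra logins a client makes during one session reuse the OTP
# it has already consumed, instead of each login needing a fresh one.

# Refuse PLAIN/LOGIN outside SSL/TLS; the OTP is sent as a plain password.
disable_plaintext_auth = yes

auth default {
  mechanisms = plain login

  passdb pam {
    # cache_key is required for PAM results to be cached at all;
    # "dovecot" is the PAM service name (/etc/pam.d/dovecot), an assumption.
    args = cache_key=%u dovecot
  }

  userdb passwd {
  }
}

# Cache size (kilobytes in 1.x; 0 disables caching) and entry lifetime in
# seconds. The TTL is the window in which the consumed OTP still works.
auth_cache_size = 256
auth_cache_ttl = 3600
```

For the length of auth_cache_ttl the cached OTP behaves like an ordinary reusable password for that user, and the PAM module's own sequence is only advanced on cache misses, so keep the TTL no longer than a client session needs and do not let the mechanism run without TLS.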
Frank Cusack wrote:
On February 6, 2007 4:12:02 PM -0800 Micah Cowan micah@cowan.name wrote:
I was wondering where I might find more information about using OTP as an authentication protocol with dovecot.
I found that some (all?) clients login multiple times in a single user visible "session". This makes sense for multithreaded clients, I guess.
So having dovecot do OTP directly is a bit of a chore. What I did was use the auth cache so that an OTP is valid for x amount of time. Works like a charm.
That's what I had planned to do.
I'm just using PAM with pam_otp_auth (www.tri-dsystems.com).
Ah. So, pam_opie maybe is the wrong thing to try to use? Of course, I'm not really interested in shelling out money for a PAM plugin (it's just my personal mailbox; I could probably write my own without too much trouble, if I really had to).
-- Micah J. Cowan Programmer, musician, typesetting enthusiast, gamer... http://micah.cowan.name/
On February 6, 2007 7:29:25 PM -0800 Micah Cowan micah@cowan.name wrote:
Frank Cusack wrote:
I'm just using PAM with pam_otp_auth (www.tri-dsystems.com).
Ah. So, pam_opie maybe is the wrong thing to try to use?
pam_opie has to present a challenge, which requires SASL OTP. So that's probably where your issue is.
Of course, I'm not really interested in shelling out money for a PAM plugin (it's just my personal mailbox; I could probably write my own without too much trouble, if I really had to).
Lucky for you pam_otp_auth is free!
-frank
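The challenge Frank refers to, as an added example in Python that is not code from the thread, from Dovecot or from OPIE. It implements the otp-md5 sequence of RFC 2289 (what opiekey/pam_opie compute and what the SASL OTP mechanism carries) and a minimal server-side record; the names OtpRecord, enroll, challenge, verify and demo are this example's own, only the MD5 variant is shown, and the six-word encoding is omitted in favour of hex. The test strings "This is a test." / "TeSt" are the RFC 2289 test vectors:

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not Dovecot or OPIE code: the otp-md5 sequence of RFC 2289
# plus a minimal server-side record showing why a challenge is needed and
# why the sequence number is decremented on every successful login.


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes the way RFC 2289 does for otp-md5:
    XOR the first 8 bytes with the last 8 bytes."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Return the 64-bit one-time password for (passphrase, seed, count)."""
    # The seed is case-insensitive, so it is lower-cased before hashing.
    key = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):           # count further hash+fold rounds
        key = _fold(hashlib.md5(key).digest())
    return key


@dataclass
class OtpRecord:
    """What the server keeps (cf. /etc/opiekeys): never the passphrase itself."""
    seed: str
    count: int    # sequence number of the stored OTP
    last: bytes   # otp_md5(passphrase, seed, count)


def enroll(passphrase: str, seed: str, count: int = 499) -> OtpRecord:
    """Initialise a record; the passphrase is used once here and discarded."""
    return OtpRecord(seed, count, otp_md5(passphrase, seed, count))


def challenge(rec: OtpRecord) -> str:
    """The challenge the server has to send first (what pam_opie prompts with):
    the sequence number to use next and the seed. PLAIN/LOGIN cannot carry it."""
    return f"otp-md5 {rec.count - 1} {rec.seed}"


def verify(rec: OtpRecord, response: bytes) -> bool:
    """Accept `response` if one more hash+fold reproduces the stored OTP, then
    move the record down one step so the same response is rejected next time."""
    if rec.count <= 1:
        return False                 # sequence exhausted; re-enrol
    expected = _fold(hashlib.md5(response).digest())
    if not hmac.compare_digest(expected, rec.last):
        return False
    rec.count -= 1                   # the decrement opieinfo reports
    rec.last = response
    return True


def demo() -> dict:
    """One login followed by a replay of the same OTP."""
    rec = enroll("This is a test.", "TeSt", count=99)
    chal = challenge(rec)                              # "otp-md5 98 TeSt"
    # The client derives the response from the challenge and its passphrase.
    resp = otp_md5("This is a test.", "TeSt", 98)
    first = verify(rec, resp)                          # True, count becomes 98
    replay = verify(rec, resp)                         # False: already consumed
    return {"challenge": chal, "first": first, "replay": replay, "count": rec.count}


if __name__ == "__main__":
    for n in (0, 1, 99):
        print(n, otp_md5("This is a test.", "TeSt", n).hex())
    print(demo())
```

With a plaintext mechanism, as in Timo's reply, the server sends no challenge at all: the client has to know the current sequence number itself (from opieinfo, as Micah describes) and submits the computed OTP as the password; the verify step is the same, only the prompt is missing. Because the record stores only the OTP for the current count, each successful login must advance it, which is why a client that logs in several times per session needs either a fresh OTP each time or the auth cache from Frank's earlier message.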
participants (4): Frank Cusack, James Turnbull, Micah Cowan, Timo Sirainen