[Dovecot] Logon with Client Certificate and OTP fallback
Dear Dovecot experts,
we have unusual authentication requirements, namely:
almost all of our users are using a smartcard to connect with our mailserver. Thunderbird is our friend here as it will use the smartcard as an additional certificate store and Thunderbird will do client certificate based authentication when connecting via SSL with a mailserver.
there's no way (at least that I know of) for our iPad users to use a smartcard, so our iPad and iPhone users use OTP token (http://www.gooze.eu/catalog/otp-tokens-oath-0)
For 10 years we have been using a very simple POP3-server where I replaced the authentication routines with my own functions and these functions are doing the following:
- if the connection was made without SSL refuse to connect
- if the client was using a client certificate extract the username from the certificate. Since we cannot stop Thunderbird from sending a username/password-combination we compare the username from the certificate with the username Thunderbird has sent. If the usernames match we allow access and ignore the password.
- if the client did not send a client certificate we calculate the current OneTimePassword of the user's OTP-token and compare that with the password Thunderbird has sent. If the passwords match we allow access. If an OTP-password was validated it can be used for 24 hours so our OTP-users must use their tokens only once a day.
Now we would like to switch from POP3 to IMAP, so here are my questions:
can Dovecot be CONFIGURED to do the above? I compiled it yesterday and SSL client authentication works as expected. OTP seems to be supported via PAM and I can write a PAM-module for our OTP-tokens, so OTP would be possible too. But how do I tell Dovecot to do OTP-auth as a fallback for ClientCert-auth?
I already looked into the sourcecode of Dovecot. Seems like all the authentication routines were built as pluggable modules. Is there any documentation out there on how to build my own auth-module? Integrating the OTP-auth directly into Dovecot would be a lot easier (for me) than creating a PAM-module, so I would prefer that. If there was interest from other people I would add some configuration options to Dovecot (for example the location of the OTP-token list). Otherwise I would just hardcode everything into the source.
Peter
On 10.03.2013 11:28, dovecot.pkoch@dfgh.net wrote:
try reading
http://wiki2.dovecot.org/PasswordDatabase/PAM
... This can be useful with e.g. pam_opie to find out which one time password you're supposed to give:
1 LOGIN username otp 1 NO otp-md5 324 0x1578 ext, Response: ...
Best Regards MfG Robert Schetterer
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263 Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Chairman of the supervisory board: Joerg Heidrich
Hi Robert
2013/3/10 Robert Schetterer <rs@sys4.de>:
try reading
http://wiki2.dovecot.org/PasswordDatabase/PAM
... This can be useful with e.g. pam_opie to find out which one time password you're supposed to give:
1 LOGIN username otp 1 NO otp-md5 324 0x1578 ext, Response:
I don't worry about how to use Dovecot with either SSL Client-Certificates or our OTP-token. SSL ClientCerts do work as expected and using our token is just a matter of finding the right PAM-module. pam_opie is the wrong module as OPIE is a method to pregenerate a list of One Time Passwords in software. What we are using is a hardware token that generates One Time Passwords as described in RFC 4226. There are PAM-modules out there that might do the job but since I have implemented the algorithm already into our POP3-server I could build a PAM-module myself.
What I would like to know in advance is: How do I configure Dovecot such that SSL Client-Auth is used with priority 1 and OTP-auth is used only for SSL-connections without a ClientCert. Non-SSL connections should not be allowed at all.
If that combination was not possible I'm hoping to get some hints on how to change the Dovecot source.
Kind regards
Peter
On 10.3.2013, at 12.28, dovecot.pkoch@dfgh.net wrote:
For 10 years we have been using a very simple POP3-server where I replaced the authentication routines with my own functions and these functions are doing the following:
- if the connection was made without SSL refuse to connect
- if the client was using a client certificate extract the username from the certificate. Since we cannot stop Thunderbird from sending a username/password-combination we compare the username from the certificate with the username Thunderbird has sent. If the usernames match we allow access and ignore the password.
- if the client did not send a client certificate we calculate the current OneTimePassword of the user's OTP-token and compare that with the password Thunderbird has sent. If the passwords match we allow access. If an OTP-password was validated it can be used for 24 hours so our OTP-users must use their tokens only once a day.
Now we would like to switch from POP3 to IMAP, so here are my questions:
- can Dovecot be CONFIGURED to do the above? I compiled it yesterday and SSL client authentication works as expected. OTP seems to be supported via PAM and I can write a PAM-module for our OTP-tokens, so OTP would be possible too. But how do I tell Dovecot to do OTP-auth as a fallback for ClientCert-auth?
Create a passdb that succeeds if the user has a valid SSL client cert. http://wiki2.dovecot.org/Variables has %k which is "valid" if the client has it set. There are several ways you can do this .. for example with sqlite do a SELECT that checks for %k. Another possibility is a checkpassword script.
The secondary passdb would then be the OTP.
- I already looked into the sourcecode of Dovecot. Seems like all the authentication routines were built as pluggable modules. Is there any documentation out there on how to build my own auth-module? Integrating the OTP-auth directly into Dovecot would be a lot easier (for me) than creating a PAM-module, so I would prefer that. If there was interest from other people I would add some configuration options to Dovecot (for example the location of the OTP-token list). Otherwise I would just hardcode everything into the source.
See how the auth process already can build an ldap plugin. For outside sources you can build auth plugins the same way as any other plugins. http://dovecot.org/patches/ has many such example plugins. Or see how Pigeonhole does it with autotools.
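The two-passdb layout Timo describes, written out as a Dovecot 2.x configuration fragment. This is an added example, not from the thread or the Dovecot project: file paths, the sqlite table layout and the PAM service name are assumptions. The first passdb only returns a row when %k is "valid", and the nopassword field makes Dovecot skip the password check for that row (Peter's "ignore the password"); when no row comes back, Dovecot continues to the PAM passdb, where the OTP module does the work.

```conf
# --- /etc/dovecot/dovecot.conf (fragment, assumed paths) ---
# Non-SSL connections are refused outright, as the old POP3 server did.
ssl = required
disable_plaintext_auth = yes
ssl_cert = </etc/dovecot/server.pem
ssl_key = </etc/dovecot/server.key

# Ask for a client certificate, validated against the smartcard CA,
# but do not require one: iPad/iPhone users have no certificate.
ssl_ca = </etc/dovecot/smartcard-ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = no

# Take the login name from the certificate's CommonName, so the
# certificate, not the username Thunderbird sends, decides the account.
auth_ssl_username_from_cert = yes
ssl_cert_username_field = commonName

# Passdb 1: succeeds only when a valid client certificate was presented.
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql-clientcert.conf.ext
  # no row -> "user unknown" -> Dovecot tries the next passdb
}

# Passdb 2: OTP fallback through PAM (service name is assumed; the PAM
# stack for it would contain the RFC 4226 token module).
passdb {
  driver = pam
  args = dovecot-otp
}

# --- /etc/dovecot/dovecot-sql-clientcert.conf.ext (assumed table "users") ---
driver = sqlite
connect = /etc/dovecot/users.sqlite
# %k expands to "valid" only for a verified client certificate.
# 'nopassword' tells Dovecot not to compare any password for this row.
password_query = \
  SELECT username AS user, 'Y' AS nopassword \
  FROM users WHERE username = '%u' AND '%k' = 'valid'
```

The 24-hour reuse of an already validated OTP is not something the passdb chain provides; it would have to live in the PAM module or an auth plugin.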
Participants (3): dovecot.pkoch@dfgh.net, Robert Schetterer, Timo Sirainen