[Dovecot] using one-time passwords
Timo Sirainen
tss at iki.fi
Tue May 18 15:23:08 EEST 2004
On 17.5.2004, at 13:11, Johannes Berg wrote:
> Looking at the code I see that you support cyrus SASL, and cyrus SASL in
> turn supports OTP even using the same database as OPIE uses.
> Would there be any disadvantage in simply using that?
Personally I have never liked Cyrus SASL. It's always been annoyingly
difficult to configure to work like I wanted.
The code there to support it isn't actually working right now, but I
guess it wouldn't be too difficult to fix it.
I guess there aren't any real disadvantages though.
> Alternatively, what about just libopie (the library behind opie-pam)?
That doesn't look very good code .. Looks like if it was possible for
user to set wanted seed there would be several buffer overflows. But I
guess normally it's not?
> Over all, it's not hard to implement this in dovecot itself, but I'm not
> sure that would be the best idea. What is your opinion on that?
The reason why I implemented my own authentication instead of just
using Cyrus SASL was that I wanted to be sure there were not going to
be any serious security holes. I could have just audited the code, made
sure the found security holes were fixed (actually did both once), and
then just use it. But that doesn't give any guarantees about its
future versions, I'd have to constantly keep auditing the new versions
to make sure they hadn't added more bugs.
Anyway, its OTP code didn't look bad. That would be the easiest way to
get it working.