[Dovecot] Ideas for Webmail/OTP
Jasper Bryant-Greene
jasper at albumltd.co.nz
Tue Jul 24 14:40:50 EEST 2007
On Tue, Jul 24, 2007 at 09:42:29AM +0300, Timo Sirainen wrote:
> On Mon, 2007-07-23 at 17:15 +0200, Frank Behrens wrote:
> > Solution 1:
> > When PAM is configured for IMAP the user can use a one-time-password in the same way
> > as before. The problem is, that the user must know the sequence number for the password
> > (otp challenge), so we need a way to display it. The PAM module supplies the otp challenge
> > in the conversation function, but the challenge is not processed by the IMAP server.
> > My proposal: The IMAP server stores the challenge from the conversation function and
> > includes it in the LOGIN response, when the login was not successful. So a user can try a
> > login with a wrong dummy password and get knowledge about the current otp sequence.
>
> I'd like to see your patch for this. I've no idea how pam_otp works.
I don't know a lot about the IMAP protocol's intricacies, but would it not be
cleaner to either:
a) provide the otp sequence as a capability (e.g. X-OTP-SEQ=1234), or
b) provide a dovecot-specific IMAP command for finding out the current
sequence value (e.g. X-OTP-SEQ)
The sending of a dummy password to retrieve the LOGIN response seems like a
bit of a hack (no offense to Frank - I'm keen to see this OTP idea
implemented), but again, the above is written without much knowledge of the
IMAP protocol.
Jasper
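The following is an added example, not code from Dovecot or from either poster, that models the exchange the thread is discussing: an RFC 2289 `otp-md5` chain, a server that stores only the last accepted one-time password, a LOGIN whose tagged NO carries the current challenge (Frank's solution 1), and a hypothetical pre-login `X-OTP-SEQ <user>` command (Jasper's option b). The class name `OtpImapServer`, the command and response wording, and the user, seed and passphrase values are all constructed for the example.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """RFC 2289 MD5 step: hash, then XOR the two 8-byte halves of the digest."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, seq: int) -> bytes:
    """One-time password for sequence number `seq` (RFC 2289, otp-md5).

    Sequence 0 is the folded hash of seed+passphrase; every higher sequence
    number is one more fold_md5 step. The seed is lowercased as the RFC requires.
    """
    key = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(seq):
        key = fold_md5(key)
    return key


class OtpImapServer:
    """Toy IMAP login front end (hypothetical, constructed for this example).

    The passphrase is used once at enrolment to derive the stored hash and is
    never kept; afterwards the server holds only (seq, seed, last accepted OTP).
    """

    def __init__(self, user: str, passphrase: str, seed: str, initial_seq: int = 499):
        self.user = user
        self.seed = seed
        self.seq = initial_seq
        # The server keeps otp(seq+1). A client presenting otp(seq) proves
        # knowledge of the passphrase because fold_md5(otp(seq)) == otp(seq+1).
        self.last_accepted = otp_md5(passphrase, seed, initial_seq + 1)

    def challenge(self) -> str:
        # The same string a PAM OTP module hands over in its conversation function.
        return f"otp-md5 {self.seq} {self.seed}"

    def x_otp_seq(self, tag: str, user: str) -> list[str]:
        """Hypothetical Dovecot-specific command returning the user's current challenge."""
        if user != self.user:
            return [f"{tag} NO No such user"]
        return [f"* X-OTP-SEQ {self.challenge()}", f"{tag} OK X-OTP-SEQ completed"]

    def login(self, tag: str, user: str, password: str) -> str:
        """LOGIN; a failed attempt returns a tagged NO that includes the challenge."""
        if user != self.user:
            return f"{tag} NO [AUTHENTICATIONFAILED] Authentication failed."
        try:
            candidate = bytes.fromhex(password)  # hex form of the 64-bit OTP
        except ValueError:
            candidate = b""
        if len(candidate) == 8 and hmac.compare_digest(fold_md5(candidate), self.last_accepted):
            # Accept and advance the chain: this OTP can never be replayed.
            self.last_accepted = candidate
            self.seq -= 1
            return f"{tag} OK Logged in."
        return f"{tag} NO [AUTHENTICATIONFAILED] Authentication failed ({self.challenge()})"


def demo() -> list[str]:
    """Constructed session: learn the sequence number with a dummy password,
    log in with the right OTP, replay it (rejected), then ask via X-OTP-SEQ."""
    passphrase, seed = "This is a test.", "ke1234"  # constructed enrolment values
    srv = OtpImapServer("frank", passphrase, seed)
    lines = [srv.login("a1", "frank", "dummy")]
    seq = int(lines[-1].split("otp-md5 ")[1].split()[0])  # parse "otp-md5 499 ke1234"
    lines.append(srv.login("a2", "frank", otp_md5(passphrase, seed, seq).hex()))
    lines.append(srv.login("a3", "frank", otp_md5(passphrase, seed, seq).hex()))  # replay
    lines.extend(srv.x_otp_seq("a4", "frank"))
    return lines


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two caveats the model makes visible. First, a CAPABILITY value (Jasper's option a) is advertised before any username is known, so a per-user sequence number cannot be carried there; it fits either the failed-LOGIN response or a command that takes a username, as modelled. Second, the challenge itself is public data under RFC 2289 (the sequence number and seed are not secrets; the chain is protected by the passphrase and the one-way step), but a response that differs for unknown users, as `login` and `x_otp_seq` do here, lets a remote party tell which accounts exist and are OTP-enabled. A deployment should decide whether that enumeration signal is acceptable before exposing the challenge pre-login. RFC 2289 Appendix C carries the official `otp-md5` test vectors against which `otp_md5` can be checked.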