[Dovecot] Ideas for Webmail/OTP
Frank Behrens
frank at pinky.sax.de
Tue Jul 24 15:31:14 EEST 2007
Jasper Bryant-Greene <jasper at albumltd.co.nz> wrote on 24 Jul 2007 23:40:
> a) provide the otp sequence as a capability (e.g. X-OTP-SEQ=1234), or
>
> b) provide a dovecot-specific IMAP command for finding out the current
> sequence value (e.g. X-OTP-SEQ)
>
> The sending of a dummy password to retrieve the LOGIN response seems like a
> bit of a hack (no offense to Frank - I'm keen to see this OTP idea
> implemented), but again, the above is written without much knowledge of the
> IMAP protocol.
The problem is that the OTP sequence is user dependent. When you use PAM you can't
determine whether a user uses OTP until you try a login (you call pam_authenticate()).
There is an existing mechanism in IMAP: SASL with OTP. But in that case you cannot use the
operating system configuration with PAM; the IMAP server must handle the OTP
challenge itself. I believe this is integrated in the new dovecot 1.1 version. A problem with this
setup is that you need special support by a webmail client. I didn't find any (easy) solution
with support for it, with the exception of an extra IMAP-OTP proxy server.
Or another view: until now dovecot (and I believe nearly all other IMAP servers) use PAM in
a restricted form only. PAM means
- you define all login capabilities and security restrictions and databases in the operating
system.
- when you try to authenticate a user, the PAM module requests the information via
callbacks. That means a prompt is displayed for the user name, and the user name is passed to PAM.
Then a prompt for the password is displayed, and the password is passed to PAM. Theoretically this
can be continued. With traditional IMAP LOGIN (I do not speak about SASL) the client
supplies username and password together, and this must be mapped to the callback
sequence. Here the PAM prompts are ignored, and in the case of OTP they contain important
information. My (probably non-standard IMAP) extension creates the possibility to return the
PAM callback message to the user.
When you think about it: a webmail client and the different IMAP login mechanisms do not fit
together very well. So some posters are right: you should better use a "real" IMAP client. But
IMHO webmail is a useful solution when you are on vacation or business travel and want to
access your email. And together with one-time passwords the security risk is not too high, so
you can use it.
Regards,
Frank
--
Frank Behrens, Osterwieck, Germany
PGP-key 0x5B7C47ED on public servers available.
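The mapping Frank describes, an IMAP LOGIN that hands over user name and password together being squeezed into PAM's prompt/answer callback, as an added example. This is illustration code, not code from Dovecot or from Frank's post. The message-style and return-code constants carry the values from Linux-PAM's <security/pam_appl.h>; the Conversation class, the run_pam_stack() stand-in for pam_authenticate(), the constructed user table and the OTP challenge text are all assumptions made so the example runs without libpam or a PAM service file. It shows why a plain LOGIN loses the OTP challenge (it only ever exists as a PAM_TEXT_INFO message inside the conversation), why sending a dummy password is the only way to surface it, and why a stack that asks for two secrets cannot be served by LOGIN at all.

```python
"""Mapping a one-shot IMAP LOGIN (user, password) onto a PAM conversation.

Added example, not code from Dovecot or from the original post.  Constants
use the values of Linux-PAM's <security/pam_appl.h>; the conversation
driver and user table are constructed stand-ins so this runs offline.
"""

# Message styles handed to the conversation function (pam_appl.h values).
PAM_PROMPT_ECHO_OFF = 1   # e.g. "Password: " or an OTP "Response: "
PAM_PROMPT_ECHO_ON = 2    # e.g. "login: "
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4         # e.g. the OTP challenge line

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_CONV_ERR = 19


class Conversation:
    """The conv() callback an IMAP server would hand to PAM.

    LOGIN supplies exactly one user name and one password, so the callback
    can answer one echo-on prompt and one echo-off prompt.  Every message
    is kept in `transcript`; a plain LOGIN implementation discards them,
    which is where the OTP challenge gets lost.
    """

    def __init__(self, username, password):
        self.username = username
        self.password = password
        self.password_used = False
        self.transcript = []          # (style, text) of every message seen

    def __call__(self, messages):
        responses = []
        for style, text in messages:
            self.transcript.append((style, text))
            if style == PAM_PROMPT_ECHO_ON:
                responses.append(self.username)
            elif style == PAM_PROMPT_ECHO_OFF:
                if self.password_used:
                    # A second secret was requested; LOGIN has none to give.
                    return PAM_CONV_ERR, None
                self.password_used = True
                responses.append(self.password)
            elif style in (PAM_TEXT_INFO, PAM_ERROR_MSG):
                responses.append(None)   # informational, no answer expected
            else:
                return PAM_CONV_ERR, None
        return PAM_SUCCESS, responses


# Constructed user table (assumption): alice has a static password, bob is
# OTP-only, carol needs a password and then an OTP response.
USERS = {
    "alice": {"password": "correct horse"},
    "bob": {"otp_seq": 499, "otp_seed": "ke1234", "otp_response": "RACE TOLL BLIP"},
    "carol": {"password": "pw", "otp_seq": 120, "otp_seed": "ab9876",
              "otp_response": "NOON HUGE CALF"},
}


def run_pam_stack(conv):
    """Stand-in for pam_authenticate(): drives conv() the way a password
    module and an OTP module would, one prompt group at a time."""
    rc, answers = conv([(PAM_PROMPT_ECHO_ON, "login: ")])
    if rc != PAM_SUCCESS:
        return PAM_CONV_ERR
    user = USERS.get(answers[0])
    if user is None:
        return PAM_AUTH_ERR
    if "password" in user:
        rc, answers = conv([(PAM_PROMPT_ECHO_OFF, "Password: ")])
        if rc != PAM_SUCCESS:
            return PAM_CONV_ERR
        if answers[0] != user["password"]:
            return PAM_AUTH_ERR
    if "otp_seq" in user:
        # An OTP module shows the challenge (sequence + seed) as TEXT_INFO,
        # then asks for the one-time response with echo off.
        challenge = "otp-md5 %d %s ext" % (user["otp_seq"], user["otp_seed"])
        rc, answers = conv([(PAM_TEXT_INFO, challenge),
                            (PAM_PROMPT_ECHO_OFF, "Response: ")])
        if rc != PAM_SUCCESS:
            return PAM_CONV_ERR
        if answers[1] != user["otp_response"]:
            return PAM_AUTH_ERR
    return PAM_SUCCESS


def imap_login(username, password):
    """Authenticate one LOGIN; return (pam_result, challenge_text_or_None).

    The challenge is whatever PAM_TEXT_INFO the stack emitted.  This is the
    text the proposed extension would return to the client alongside the
    NO response, so the client can compute the next one-time password.
    """
    conv = Conversation(username, password)
    rc = run_pam_stack(conv)
    infos = [text for style, text in conv.transcript if style == PAM_TEXT_INFO]
    return rc, (infos[0] if infos else None)


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("bob", "dummy"),
                     ("bob", "RACE TOLL BLIP"), ("carol", "pw")]:
        print(user, imap_login(user, pw))
```

Running it shows the three cases: alice authenticates with no challenge, a dummy login for bob fails but yields "otp-md5 499 ke1234 ext" (the "hack" the thread discusses), a second login for bob with the computed response succeeds, and carol's two-secret stack ends in PAM_CONV_ERR because LOGIN has no second answer to give.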