On Mon, 23 Jul 2007, Frank Behrens wrote:

Solution 1:
When PAM is configured for IMAP the user can use a one-time-password in the same way
as before. The problem is, that the user must know the sequence number for the password
(otp challenge), so we need a way to display it. The PAM module supplies the otp challenge
in the conversation function, but the challenge is not processed by the IMAP server.
My proposal: The IMAP server stores the challenge from the conversation function and
includes it in the LOGIN response, when the login was not successful. So a user can try a
login with a wrong dummy password and get knowledge about the current otp sequence.

You mean, the client issues LOGIN (with a dummy password), because Dovecot
needs to acquire the OTP challenge first; this LOGIN attempt fails,
but the username can be used to acquire the OTP challenge.  It is reported
back via the LOGIN failure string and, secondly, another LOGIN attempt
is sent, this time with the same username and a real password.

I guess you'll need to tweak the webmail interface a bit, so that this
sequence works well.

There are time-related OTPs, where the sequence number is derived from the current time. When a client tries a logon, the server calculates plenty of OTPs in the vicinity of the current time and adjusts itself to the client, in case the device's clock is running too slow or fast.

I would say this kind is more suitable for this purpose. However, one requires
some sort of electronic device for it.

Solution 2:
Webmail clients do not use persistent connections in most cases. An OTP login needs
different passwords for every displayed web page.
My proposal: Use dovecot's login cache and do not ask the os for every login. :-)

This will definitely be a must then.

Solution 3:
My proposal: Create a new IMAP command "XSETREMOTEIP". With this IMAP extension a
client can set the real IP address of the remote client. The access to this command is restricted
to the webserver with a new configuration parameter "trusted clients", which holds an IP
address with mask.

Hmm, any clients accessing webmail via the same proxy or from the same NATed organisation will use the same IP, and dial-up IPs switch users more often than anything else. I don't think that restricting by IPs you have no knowledge about is safe.

Bye,

-- Steffen Kaiser
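The time-related OTP scheme described in the reply above (the server computes codes around its current time and re-syncs to the client's clock) as an added Python example; it is not code from this thread or from Dovecot. It implements HOTP (RFC 4226) and its time-based form TOTP (RFC 6238) with a drift window, and goes one step further by remembering the learned clock offset and refusing a code whose time step was already consumed. The secret, step size, window and timestamps are constructed demo values.

```python
import hmac, hashlib, struct

# Constructed demo secret (the RFC 4226/6238 test-vector key), NOT a real key.
DEMO_SECRET = b"12345678901234567890"
STEP = 30    # seconds per time step
WINDOW = 2   # accept codes up to +/- WINDOW steps around the expected step

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_at(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: the client's view, counter = floor(time / step)."""
    return hotp(secret, unix_time // step)

class TimeOtpVerifier:
    """Server side: tries several steps around 'now' and adapts to the client's clock."""

    def __init__(self, secret: bytes, window: int = WINDOW, step: int = STEP):
        self.secret, self.window, self.step = secret, window, step
        self.drift = 0        # learned offset of the client's clock, in steps
        self.last_step = -1   # highest step already accepted; blocks replay

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step + self.drift
        for delta in range(-self.window, self.window + 1):
            candidate = base + delta
            if candidate <= self.last_step:
                continue  # already consumed, or older than a code we accepted
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.drift += delta       # re-sync: remember how far off the client is
                self.last_step = candidate
                return True
        return False

if __name__ == "__main__":
    v = TimeOtpVerifier(DEMO_SECRET)
    server_now, client_clock = 90, 40          # client device runs 50 s slow
    print(v.verify(totp_at(DEMO_SECRET, client_clock), server_now), v.drift)
```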