On Monday, May 5, 2014 11:49:52 PM CEST, SIW wrote:
> I'm beginning to wonder if I am going about this all wrong :-)
No offense: I'm thinking the same thing. ;-)
> Would it not be easier/better to leave all IMAP/SMTP access in
> place (for all users) and then just use "one time throw away
> passwords" for logging in from an internet cafe with Roundcube?
YES!
Yes, that should be possible. It seems that [1] says that Dovecot supports
OTP and S/Key by default; using PAM would allow you to use more than that
(i.e. plug in a YubiKey or whatever). Obviously moving to PAM might not be
an option with your virtual users.
> Can this be done? So after you login it just deletes the
> password you have logged in with. Can you have one username with
> many (throw away) passwords? But keep one password that is used
> for IMAP/Thunderbird as you don't want that password being
> deleted/removed from the system!
Well, you certainly can have multiple passwords per user as far as I can
tell: [2] lists ways to do the 'password verification by SQL server' and
that should allow you to have a way to switch between different passwords
for the same user. That said, that still sounds .. not that nice. The best
way would be to support two-factor/OTP in Dovecot itself, and while the
latter is documented as 'supported' (again, see [1]), the documentation on HOW
that is going to work seems to be missing. [3]
At the moment I'd say your best bet would be to wait for some Dovecot
developers to chime in and help with the OTP or S/Key stuff. Messing with
the SQL query is a hack, ugly and .. well: you still leak your password if
the password/OTP is 'Roundcube only'.
On a sidenote: This guy [4] isn't you, is it? Seems like someone's
evaluating the same thing (with the same threat model) just now.
Ben
1: http://wiki2.dovecot.org/Authentication/Mechanisms
2: http://wiki2.dovecot.org/AuthDatabase/SQL
3: And boy is searching the wiki evil and .. unintuitive..
4: https://forums.freebsd.org/viewtopic.php?f=43&t=45341
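As an added illustration of the two ideas in the thread above (a per-user permanent password that is never consumed, plus a set of S/Key-style one-time passwords that are consumed on use), here is a small verifier written for this reply; it is not Dovecot's code and not from the threads linked above. It follows the RFC 2289 hash-chain scheme (MD5 folded to 64 bits by XORing the two halves) but encodes the one-time password as hex rather than the RFC's six-word form, and keeps the user record in memory instead of a passdb; all names, the sample user and the sample passphrases are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # chosen for the example; a real passdb would tune this


def fold_md5(data: bytes) -> bytes:
    """RFC 2289 style fold: MD5 digest reduced to 8 bytes by XORing its two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_chain(passphrase: str, seed: str, count: int) -> list:
    """Build the hash chain: chain[0] = fold(seed+passphrase), chain[i] = fold(chain[i-1]).

    The server keeps only chain[count]; the client reveals chain[count-1], then
    chain[count-2], ... so every one-time password is used exactly once.
    """
    x = fold_md5((seed + passphrase).encode())
    chain = [x]
    for _ in range(count):
        x = fold_md5(x)
        chain.append(x)
    return chain


@dataclass
class UserRecord:
    """Constructed stand-in for one row of a passdb: permanent password + OTP state."""
    pw_salt: bytes
    pw_hash: bytes
    otp_seed: str
    otp_seq: int        # how many one-time passwords remain
    otp_last: bytes     # last accepted chain value (initially chain[count])


def make_user(password: str, otp_passphrase: str, otp_seed: str, otp_count: int) -> UserRecord:
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    chain = skey_chain(otp_passphrase, otp_seed, otp_count)
    return UserRecord(salt, pw_hash, otp_seed, otp_count, chain[-1])


def verify_login(rec: UserRecord, candidate: str):
    """Return "permanent", "otp" or None. Only the OTP path mutates the record."""
    # 1. The permanent (IMAP/Thunderbird) password: checked in constant time, never consumed.
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), rec.pw_salt, PBKDF2_ROUNDS)
    if hmac.compare_digest(h, rec.pw_hash):
        return "permanent"
    # 2. A one-time password: hex of the next value down the chain.
    if rec.otp_seq <= 0:
        return None                      # chain exhausted; user must re-enrol
    try:
        otp = bytes.fromhex(candidate)
    except ValueError:
        return None
    if len(otp) == 8 and hmac.compare_digest(fold_md5(otp), rec.otp_last):
        rec.otp_last = otp               # advance the chain: this value cannot be replayed
        rec.otp_seq -= 1
        return "otp"
    return None


if __name__ == "__main__":
    # Constructed sample: the user prints chain[count-1], chain[count-2], ... before leaving home.
    chain = skey_chain("correct horse battery", "ex01", 5)
    rec = make_user("imap-password", "correct horse battery", "ex01", 5)
    print("cafe login 1:", verify_login(rec, chain[4].hex()))   # otp
    print("replay      :", verify_login(rec, chain[4].hex()))   # None
    print("home client :", verify_login(rec, "imap-password"))  # permanent
```

The order of checks matters for the thread's concern: the permanent password is compared first and is never touched, so using Roundcube with a one-time value does not disturb the credential Thunderbird keeps, and a one-time value captured at the cafe is useless afterwards because the server has already advanced past it.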