After giving this some thought and taking a step back, I followed Rick
Romero's advice and I think I have a working proof of concept on my test
server :-)
Here are the steps I have followed; I am interested in hearing people's
thoughts on this or some feedback:
1) Created an extra column in my users table (the one used for authentication)
and added a second password. The table looks like this now, after running
the SQL statements to create the column and add a second password for my
account:
ALTER TABLE virtual_users ADD travel_password VARCHAR(106);
UPDATE mailserver.virtual_users SET
travel_password=ENCRYPT('newpassword',concat('$6$',substring(sha(rand()), -16)))
WHERE email='[email protected]';
+----+-----------+------------------------+---------------------+------------------+
| id | domain_id | password               | email               | travel_password  |  <------- This end column is new
+----+-----------+------------------------+---------------------+------------------+
|  6 |         1 | $6$8e5d84a4ee689211$f  | [email protected] | $6$56095ed3867   |
+----+-----------+------------------------+---------------------+------------------+
NB: I have shortened the passwords for readability
2) I then edited the password_query in
/usr/local/etc/dovecot/dovecot-sql.conf.ext for Dovecot to:
password_query = SELECT email AS user, \
  IF('%r' = '127.0.0.1' AND email = '[email protected]', travel_password, password) AS password \
  FROM virtual_users WHERE email = '%u';
and restarted Dovecot
This seems to be working as I would expect it to :-) If I log in to
Roundcube as [email protected] with my travel_password it logs me in. If I
log in as the same user but use the "normal" password it doesn't log me
in. If I use Thunderbird I can only use the "normal" password (using the
travel_password fails, as I would expect it to).
So now I can log in from an untrusted internet cafe machine, and even if
they record my login credentials my mailbox will be safe! When I use
Roundcube, the OTP AND the travel_password are required for login. Since
the hacker can't reuse the OTP, the login details are safe. They also
can't use the travel_password for IMAP access.
I realise this is a bit of a hack and only works for a handful of users
but for my setup it (seems) perfect!
Comments and feedback are welcome! Thanks Rick and to everyone for their
valuable input.
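The following is an added example, not code from the post above: it writes the two-password scheme out end to end against a constructed MySQL/MariaDB schema, and then runs the password_query by hand with Dovecot's %r (remote client IP) and %u (login name) already substituted, so the branch that Dovecot takes for a localhost webmail connection versus a remote IMAP client can be seen directly. The table layout, the e-mail addresses and the password strings are made up for illustration; only the column names from the post (virtual_users, password, email, travel_password) are kept.

```sql
-- Added example, not from the original post. Constructed schema and data:
-- only the table/column names follow the message above.
CREATE DATABASE IF NOT EXISTS mailserver;
USE mailserver;

CREATE TABLE IF NOT EXISTS virtual_users (
  id        INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  domain_id INT NOT NULL,
  -- A SHA-512 crypt string ("$6$<salt>$<hash>") is at most 106 characters,
  -- which is why the post sizes both password columns as VARCHAR(106).
  password  VARCHAR(106) NOT NULL,
  email     VARCHAR(120) NOT NULL UNIQUE
);

-- Constructed sample users (hypothetical addresses): one traveller, one
-- ordinary user. ENCRYPT() exists in MySQL 5.x and MariaDB; it was removed
-- in MySQL 8.0, where the hash would have to be generated outside the DB.
INSERT INTO virtual_users (domain_id, password, email) VALUES
  (1, ENCRYPT('normal-secret', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'traveller@example.com'),
  (1, ENCRYPT('other-secret',  CONCAT('$6$', SUBSTRING(SHA(RAND()), -16))), 'other@example.com');

-- Step 1 of the post: add the second password column and populate it for the
-- traveller only. Everyone else keeps NULL here.
ALTER TABLE virtual_users ADD travel_password VARCHAR(106);
UPDATE virtual_users
   SET travel_password = ENCRYPT('travel-secret', CONCAT('$6$', SUBSTRING(SHA(RAND()), -16)))
 WHERE email = 'traveller@example.com';

-- Step 2, as Dovecot evaluates it. Dovecot replaces %r with the remote client
-- IP and %u with the login name before sending the query to the database.

-- (a) Roundcube running on the mail host connects from 127.0.0.1, so the
--     traveller gets the travel_password hash: only 'travel-secret' works.
SELECT email AS user,
       IF('127.0.0.1' = '127.0.0.1' AND email = 'traveller@example.com',
          travel_password, password) AS password
  FROM virtual_users
 WHERE email = 'traveller@example.com';

-- (b) Thunderbird / K9 connecting from the internet (documentation address
--     203.0.113.7): the condition is false, the normal hash is returned and
--     'travel-secret' is rejected.
SELECT email AS user,
       IF('203.0.113.7' = '127.0.0.1' AND email = 'traveller@example.com',
          travel_password, password) AS password
  FROM virtual_users
 WHERE email = 'traveller@example.com';

-- (c) Any other user, from any address: the email test fails, so their normal
--     password is used and the scheme is invisible to them (requirement 1).
SELECT email AS user,
       IF('127.0.0.1' = '127.0.0.1' AND email = 'other@example.com',
          travel_password, password) AS password
  FROM virtual_users
 WHERE email = 'other@example.com';
```

Two things worth checking in a real deployment of this query: the hashes must be in a scheme Dovecot verifies with its CRYPT support (default_pass_scheme or a {SHA512-CRYPT} prefix), as the post's working setup evidently already has; and the condition keys on the source address only, so the travel password is accepted from any client that reaches Dovecot from 127.0.0.1, not exclusively from Roundcube.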
On 06/05/2014 13:38, SIW wrote:
Hi Benjamin
Thanks for your input.
I guess I need to take a step back and define some requirements.
Currently I have too many options running through my head, which has
overwhelmed me and is not helping! You are correct in saying that the
subject of this post is now incorrect. Maybe it should now be: Two-factor
authentication for Dovecot and Roundcube for secure remote access
First of all I don't want any of the authentication options to change
for all current users. I am the *only* user that requires secure
access to webmail while travelling overseas.
So the requirements are:
1) For all users (except myself) allow them to continue using the
system as it is
2) For me (and possibly some new users in the future), allow a secure
way of authenticating with Roundcube so that if the password is
recorded with a keylogger, access to my mailbox via IMAP is not
possible. (NB: When I say IMAP, I mean non-Roundcube/HTTP access to my
mailbox)
3) Email clients include: Thunderbird, Outlook, K9 on Android and
Roundcube
4) Yes, I have looked at OTP for Roundcube and currently use Google's
Authenticator, which works nicely in securing Roundcube ONLY. The OTP
AND password are required to log in. The OTP is generated on my Android
phone.
From what I have gathered, the options for securing a login from an
untrusted machine are:
1) Use throw-away passwords, i.e. passwords that can only be used once
and can ONLY be used for logging into Roundcube
2) Use OTP for Dovecot AND Roundcube - I have no idea how to do this
3) Have a copy of my mailbox (that gets synced with a cron job) and
have a completely separate login to access this mailbox. This login
will ONLY be used when using Roundcube from an untrusted machine and
will NOT be allowed IMAP access (this can be done in the
password_query I think). Or use two login accounts to the same mailbox
maybe but one account is used for travelling and can't access IMAP?
The important thing here is that if/when the password gets recorded
while logging into Roundcube that it can NOT be used to access my
mailbox from (say) Thunderbird. Also OTP should not be enforced for
the other users (ie: it should be optional).
Does that clarify? Sorry if I'm all over the place but there doesn't
seem to be a clear/simple way to achieve what I want. Feel free to ask
me more questions and I will try my best to answer so that it
clarifies things.
Thank you.
PS: Regarding USB virtual keyboards (like Yubikey), I'd like to avoid
them if possible as you can't always connect a USB device to a machine
in an internet cafe (sometimes they physically lock the USB ports so
they can't be used).
On 06/05/2014 08:44, Benjamin Podszun wrote:
On Tuesday, May 6, 2014 9:26:54 AM CEST, SIW wrote:
I haven't considered Yubikey but I was considering this:
http://www.s-crib.com/
I'm not sure if these USB virtual keyboards are the best option as
some internet cafes won't let you plug in USB devices or you don't
have the rights to install it (I know they say it doesn't require
drivers, but some machines are locked down well)
I'd be surprised if these machines wouldn't support plain USB
keyboards. Probably the keyboard you'll use at these machines isn't
PS/2 anymore..
From what I have read it sounds like I need to have two passwords
for one login...one for Roundcube (with OTP) and one for IMAP
access. I think the key to this is to ONLY allow the IMAP password
to be used with IMAP and for the Roundcube password (with OTP) to
ONLY have access to Roundcube. That way if the Roundcube password
gets recorded/keylogged then they can't use it with IMAP. Is this
possible? (ie: bind/enforce a particular password to one type of
service)
I think you're confused. Take a step back. You came with a ~strange~
requirement (see subject; by now you understand that 'disable imap
for one user' isn't what you want). You didn't provide enough details
to proceed and I think you are still not quite sure what you want to
do here.
The thought process you outline above isn't clear. I _assume_ (note:
Please confirm/deny) you looked at OTP solutions that are roundcube
only, i.e. that are implemented in PHP. That'd mean that there's no
OTP support in your dovecot setup and plain/direct imap connections
use nothing but your regular password. Furthermore it seems that you
confuse/mix OTPs with two-factor authentication and assume the latter
with the Roundcube-only setup I believe to understand above. That is,
you log in to your Roundcube site with
- your regular password AND
- something else (call it OTP)
Only under these circumstances does it make sense that you consider OTPs
to be broken for your threat model: A keylogger now has your regular
password and a useless OTP, but needs only the regular password for
dovecot because the OTP support is bolted on/a hack in the wrong place.
I still think you want OTP support in dovecot itself. It might be
possible to hack the Roundcube thing (still leaning heavily on my
assumptions above) to require _just_ an OTP, but that'd require
Roundcube to be able to log in without you transmitting your real
password. That'd fix the hack for 'someone logged my keys', but isn't
much of an improvement overall.
Another option: is it possible to have my main account and use it
with IMAP but have a SECOND set of login credentials that I only use
for Roundcube but can access the mailbox of the other account?
Yes, that would be possible and I pointed to a specific part of the
documentation for that. You could, without too much effort, support
accounts with multiple passwords, whatever that would be good for.
I'm still battling with this!
See above: Please reflect a moment, check the facts you provided and
fill in the missing details.