Hi,

From: "Jason R. Mastaler"
Subject: Re: tmda-ofmipd: patch for imap[s] and pop3 remote auth
Date: Tue, 03 Sep 2002 18:41:56 -0600

> [EMAIL PROTECTED] writes:
> 
> > For the user to send tmda-ofmipd this hashed value, doesn't the user
> > need to have access to the one-time challenge string from the pop
> > server?  
> 
> No, this is all negotiated by the client (e.g, Eudora, tmda-ofmipd).
> The user just needs to know his "shared secret" which is substituted
> for his plaintext password.
> 
> See http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1460.html for more
> about APOP.

Thanks for the link -- the relevant section starts on page 12, right?

I'm getting the feeling that I'm confused about how tmda-ofmipd works
as I've manually walked myself through APOP authentication sessions in
the past to understand it -- computing the hashed value using Python
to hand to the server -- i.e. I'm pretty confident that I understand
how APOP works.

My current understanding (based on past mailing list discussions and
http://tmda.net/tmda-ofmipd.html) is that tmda-ofmipd basically speaks
a form of SMTP w/ authentication.

As I understand it, in order for a client that connects to tmda-ofmipd
to be able to use the APOP form of authentication, it would need to
somehow obtain what is referred to as a timestamp in the
aforementioned document:

   A POP3 server which implements the APOP command will include a
   timestamp in its banner greeting. The syntax of the timestamp
   corresponds to the "msg-id" in [RFC822], and MUST be different each
   time the POP3 server issues a banner greeting.

After obtaining this timestamp:

   The POP3 client makes note of this timestamp, and then issues the
   APOP command. The "name" parameter has identical semantics to the
   "name" parameter of the USER command. The "digest" parameter is
   calculated by applying the MD5 algorithm [RFC1321] to a string
   consisting of the timestamp (including angle-brackets) followed by
   a shared secret.

So, how does the client's software obtain this timestamp when
connecting to tmda-ofmipd -- and how is it that the client would know
to perform:

  MD5(timestamp + secret)

given that it thinks it is speaking SMTP AUTH?

I feel like I'm missing something obvious...

> Do you think you might have use for APOP support in tmda-ofmipd?  If
> so, I can try and hack it in.

I would for sure [1]!  I'm still confused about how it would work though.


[1] I doubt I'm the only admin on the planet who only allows APOP access to
    the pop server (-;
_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers
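The exchange the poster quotes above (server banner carrying a one-time timestamp, client answering with MD5(timestamp + secret)) is small enough to work through end to end. The following is an added example written for this page; it is not code from the poster, from TMDA, or from tmda-ofmipd. The hostname, user name and secret are constructed (the mrose/tanstaaf pair is the worked example RFC 1939 itself gives for APOP, and its expected digest is reused as a check), and the server is an in-memory stand-in that implements only the greeting and the APOP command. Beyond the quoted text, it also shows why the "MUST be different each time" rule matters: a digest captured from one session is rejected by the next greeting.

```python
import hashlib
import hmac
import os
import time


def make_apop_timestamp(hostname, serial, pid=None, clock=None):
    """Build the banner timestamp RFC 1939 requires for APOP: a msg-id such as
    <pid.serial.clock@host> that differs on every greeting. Assumption: process
    id, a per-process serial number and the clock are enough for uniqueness here."""
    pid = os.getpid() if pid is None else pid
    clock = time.time_ns() if clock is None else clock
    return "<%d.%d.%d@%s>" % (pid, serial, clock, hostname)


def apop_digest(timestamp, secret):
    """Client-side calculation from RFC 1939: MD5 over the timestamp (angle
    brackets included) immediately followed by the shared secret, hex-encoded."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def parse_banner_timestamp(banner):
    """Pull the <...> msg-id out of a banner like '+OK POP3 server ready <...>'.
    Returns None when the banner carries no timestamp (server has no APOP)."""
    start = banner.find("<")
    end = banner.find(">", start + 1)
    if start == -1 or end == -1:
        return None
    return banner[start:end + 1]


class ToyApopServer:
    """Constructed, in-memory POP3 server fragment: greeting plus APOP only.
    Secrets live in a dict purely for the demonstration."""

    def __init__(self, hostname, secrets):
        self.hostname = hostname
        self.secrets = dict(secrets)
        self.serial = 0
        self.timestamp = None

    def greeting(self):
        # A fresh timestamp for every greeting, as the RFC mandates.
        self.serial += 1
        self.timestamp = make_apop_timestamp(self.hostname, self.serial)
        return "+OK POP3 server ready %s" % self.timestamp

    def apop(self, name, digest):
        secret = self.secrets.get(name)
        # The challenge is single-use: consume it whether or not the check passes.
        timestamp, self.timestamp = self.timestamp, None
        if secret is None or timestamp is None:
            return "-ERR permission denied"
        expected = apop_digest(timestamp, secret)
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(expected, digest.lower()):
            return "+OK maildrop locked and ready"
        return "-ERR permission denied"


def apop_session(server, name, secret):
    """One client/server exchange. Returns (banner, command_sent, reply, ok)."""
    banner = server.greeting()
    ts = parse_banner_timestamp(banner)
    if ts is None:
        return banner, None, None, False
    digest = apop_digest(ts, secret)
    cmd = "APOP %s %s" % (name, digest)
    reply = server.apop(name, digest)
    return banner, cmd, reply, reply.startswith("+OK")


def replay_is_rejected(server, name, secret):
    """A digest captured from one session is useless against the next greeting,
    because that greeting carries a different timestamp."""
    _, cmd, _, first_ok = apop_session(server, name, secret)
    captured_digest = cmd.split()[-1]
    server.greeting()  # new connection, new timestamp
    reply = server.apop(name, captured_digest)
    return first_ok and reply.startswith("-ERR")


if __name__ == "__main__":
    srv = ToyApopServer("pop.example.invalid", {"mrose": "tanstaaf"})
    print(apop_session(srv, "mrose", "tanstaaf"))
    print("replay rejected:", replay_is_rejected(srv, "mrose", "tanstaaf"))
```

The point the poster is circling is visible in `apop_session`: the digest can only be computed after the client has seen the banner of the very server it is authenticating to, because the timestamp is that server's challenge. A proxy that accepts some other authentication and then wants to use APOP towards the real POP3 server must itself open that connection, read that banner and compute the digest, which it can only do if it holds the shared secret.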