André Rodier
2019-Apr-03 06:16 UTC
TFA authentication in dovecot, using XMPP and RFC 4226
Hello,

I would like to implement some kind of two-factor authentication in Dovecot.

I am thinking about using the post-login script to check for unusual behaviour, like, say, a different country / IP address or an unusual hour.

I already wrote a simple shell script that checks these factors, but now I have some options for the following, and I need to know your opinion on whether this is feasible or not.

I want to use the google-authenticator Debian package (it supports the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP)).

The challenge would be sent via XMPP. This second part is fairly easy to do; I have all the packages on Debian, for instance sendxmpp. The first tests are promising.

In case of success, the IP address is added to the list, let's say for one month...

My back-end for authentication is OpenLDAP.

My questions are:

- Do you see any performance issues for other users or login processes if I implement this?
- I am planning to use a timeout, for instance one minute, to confirm the connection. Does Dovecot have a timeout on its side that would abort the connection before?

Otherwise:

- Is it possible to have multiple authentication back-ends in Dovecot? For instance LDAP and/or OTP?
- I think I have seen some TFA options in Dovecot, but AFAICS they are mandatory.

Thanks for your insights, and this fabulous software.

--
André Rodier
HomeBox: https://github.com/progmaticltd/homebox
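The RFC 4226 HOTP step the post relies on, and the expiring trusted-IP list it describes, worked through as an added example (this is not the poster's script nor the google-authenticator package's code; the function names, the look-ahead window of 3 and the 30-day trust period are this example's own assumptions, and the secret used is the RFC 4226 test-vector key):

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation (low nibble of the last byte picks the offset),
    31-bit integer reduced modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_seconds: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at_seconds // step), digits)

def verify_hotp(secret: bytes, submitted: str, stored_counter: int, window: int = 3):
    """Server-side check with the look-ahead window RFC 4226 section 7.2 recommends.
    Returns the counter to persist on success (one past the matched value, which
    rejects replays of already-used codes), or None on failure. The comparison is
    constant-time; the window size is an assumption for this example."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None

TRUST_SECONDS = 30 * 24 * 3600  # "let's say for one month" (assumed as 30 days)

def needs_challenge(ip: str, now: float, trusted: dict) -> bool:
    """True when the client IP has no unexpired entry in the trusted list,
    i.e. the post-login hook should send the OTP challenge over XMPP."""
    expires = trusted.get(ip)
    return expires is None or expires <= now

def trust_ip(ip: str, now: float, trusted: dict) -> None:
    """Called after a successful OTP: remember the IP until the trust period ends."""
    trusted[ip] = now + TRUST_SECONDS

if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    for n in range(3):
        print(n, hotp(key, n))  # 755224, 287082, 359152
```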
Michael Peddemors
2019-Apr-03 16:14 UTC
TFA authentication in dovecot, using XMPP and RFC 4226
The issue related to plugins that use or advertise other capabilities is that it has to have a hook to modify what's advertised. We are having that same challenge where we use CLIENTID as a component for two-factor as well, but of course the important thing before we can release the plugin is the ability for plugins to "advertise" capabilities.

Still waiting for that to get the green light on our patch, so we can publish some of our plugins related to this, and other things that require the ability to advertise the capability string.

Variable Capabilities Patch
https://github.com/dovecot/core/pull/86

As an aside, another aggressive botnet launched on April 1st, trying to test all the information in the large breached data, appears to be the 'verifications.io' breach.. As long as these types of breaches occur, we need more universal methods for two-factor.. hoping to see movement on that pull request, so we can share more of what we are doing in our custom environments.

On 2019-04-02 11:16 p.m., André Rodier via dovecot wrote:
--
Michael Peddemors, President/CEO LinuxMagic Inc.
http://www.linuxmagic.com