Hello,

I was wondering where I might find more information about using OTP as an authentication protocol with dovecot. In searching, I found a thread from 2004, but not much information about how it has progressed from then. I also saw some promising patches from mid-last year, which if I had to guess are probably the addition of support for the SASL OTP mechanism. Is this available in a release yet? (And, also: does anyone know of Linux mail clients that support the OTP SASL mechanism? I'm hoping Thunderbird might...).

If not, is it possible to make it work currently with PAM (or, if that's not possible, maybe Cyrus SASL)? It would be okay with me if it can work with PAM but not prompt with the seed/series number: I can scratch off keys no prob.

I tried briefly to get it to work through PAM, and in fact opieinfo told me that the series was being decremented, but auth.log gives:

Feb 6 15:41:46 mabruk dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=x.x.x.x user=micah

ssh works fine with the same PAM settings (both include common-auth, which has:)

auth sufficient pam_opie.so
auth sufficient pam_unix.so nullok_secure
auth required pam_deny.so

-- 
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
On 7.2.2007, at 2.12, Micah Cowan wrote:

> I was wondering where I might find more information about using OTP
> as an authentication protocol with dovecot. In searching, I found a
> thread from 2004, but not much information about how it has
> progressed from then. I also saw some promising patches from mid-
> last year, which if I had to guess are probably the addition of
> support for the SASL OTP mechanism. Is this available in a release
> yet? (And, also: does anyone know of Linux mail clients that
> support the OTP SASL mechanism? I'm hoping Thunderbird might...).

CVS HEAD version has support for OTP SASL mechanism. I don't know how exactly it works though, it was implemented by Andrey Panin.

> If not, is it possible to make it work currently with PAM (or, if
> that's not possible, maybe Cyrus SASL)? It would be okay with me if
> it can work with PAM but not prompt with the seed/series number: I
> can scratch off keys no prob.

If it works with PAM, it's via a plaintext auth mechanism (PLAIN or LOGIN) which just updates the used OTP number. I don't really know about that either..
Micah Cowan wrote:

> mechanism. Is this available in a release yet? (And, also: does anyone
> know of Linux mail clients that support the OTP SASL mechanism? I'm
> hoping Thunderbird might...).

I don't know of any Linux-based email clients that support SASL OTP. Fetchmail is the only mail-like - not a client obviously - that does from memory. But Thunderbird definitely doesn't work with OTP - http://en.wikipedia.org/wiki/Comparison_of_email_clients#Authentication_Support. Though from memory there is a commercial solution to integrate Firefox/Thunderbird with OTP (maybe from ActivIdentity?) but not sure how it works its magic.

Regards

James Turnbull

-- 
James Turnbull <james at lovedthanlost.net>
---
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
On February 6, 2007 4:12:02 PM -0800 Micah Cowan <micah at cowan.name> wrote:

> I was wondering where I might find more information about using OTP as an
> authentication protocol with dovecot.

I found that some (all?) clients login multiple times in a single user visible "session". This makes sense for multithreaded clients, I guess. So having dovecot do OTP directly is a bit of a chore. What I did was use the auth cache so that an OTP is valid for x amount of time. Works like a charm. I'm just using PAM with pam_otp_auth (www.tri-dsystems.com).

A better solution might be to require an OTP-authenticated VPN session to get to the IMAP server.

-frank
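The two points raised in this thread (Timo's: through PAM the OTP arrives over a plaintext mechanism and simply consumes the next number in the series; Frank's: a client that opens several connections per "session" burns one OTP per connection unless the auth cache holds the result for a while) can be shown in a small model. The following is an added illustration, not Dovecot's or pam_otp_auth's code: a simplified S/KEY-style hash-chain verifier (SHA-256 instead of the 64-bit folding of RFC 2289, an assumption for brevity) sitting behind a TTL cache in the role Dovecot's `auth_cache_size`/`auth_cache_ttl` settings play for PAM lookups. The user name and seed are constructed.

```python
import hashlib
import time

# Added illustration, not Dovecot code: a simplified S/KEY-style OTP
# verifier behind a TTL auth cache. SHA-256 is used directly rather than
# the RFC 2289 folding step (an assumption for brevity).


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def generate_chain(seed: bytes, n: int) -> list:
    """Return [H^1(seed), ..., H^n(seed)]. The card holder uses them from
    the end: H^(n-1) first, then H^(n-2), ... (the series counts down)."""
    chain, x = [], seed
    for _ in range(n):
        x = _h(x)
        chain.append(x)
    return chain


class OtpServer:
    """Stores only the last accepted value per user; a candidate x is valid
    iff H(x) equals it, after which x becomes the new stored value."""

    def __init__(self, user: str, last_accepted: bytes):
        self.state = {user: last_accepted}

    def verify(self, user: str, candidate: bytes) -> bool:
        stored = self.state.get(user)
        if stored is None or _h(candidate) != stored:
            return False
        self.state[user] = candidate  # chain advances; this OTP is now spent
        return True


class FakeClock:
    """Deterministic clock so the TTL behaviour can be replayed offline."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds: float):
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class CachedAuth:
    """Auth cache in front of the OTP backend: a (user, secret) pair that
    verified once is accepted again, without a backend call, until its TTL
    ends. Only a hash of the secret is kept as the cache key."""

    def __init__(self, backend: OtpServer, ttl: float, clock=time.monotonic):
        self.backend, self.ttl, self.clock = backend, ttl, clock
        self.cache = {}

    def login(self, user: str, secret: bytes) -> bool:
        key = (user, hashlib.sha256(secret).hexdigest())
        now = self.clock()
        expires = self.cache.get(key)
        if expires is not None and now < expires:
            return True  # same OTP re-presented inside the window
        ok = self.backend.verify(user, secret)
        if ok:
            self.cache[key] = now + self.ttl
        return ok


def session(ttl: float) -> list:
    """Replay a client that opens several IMAP connections with one OTP.
    Returns the outcome of each attempt, in order."""
    chain = generate_chain(b"constructed-seed", 5)
    server = OtpServer("user1", chain[4])  # "user1" is a constructed name
    clock = FakeClock()
    auth = CachedAuth(server, ttl, clock)
    results = [auth.login("user1", chain[3])]      # first connection
    clock.advance(1)
    results.append(auth.login("user1", chain[3]))  # second connection, same OTP
    clock.advance(ttl + 1)
    results.append(auth.login("user1", chain[3]))  # same OTP after the TTL
    results.append(auth.login("user1", chain[2]))  # next OTP on the card
    return results


if __name__ == "__main__":
    print("no cache:   ", session(0))    # [True, False, False, True]
    print("300 s cache:", session(300))  # [True, True, False, True]
```

Without a cache the second connection fails because the chain already advanced past that OTP; with a cache the same OTP is accepted for the whole window and the next OTP on the card still works afterwards. The cache is also the thing to size carefully: for its TTL the OTP behaves like a reusable password sent over PLAIN or LOGIN, so the TTL is the replay window, which is why the thread's suggestion of keeping the IMAP port behind TLS or an OTP-authenticated VPN matters.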