dovecot.pkoch at dfgh.net
2013-Mar-10 10:28 UTC
[Dovecot] Logon with Client Certificate and OTP fallback
Dear Dovecot experts,

we have unusual authentication requirements, namely:

- almost all of our users are using a smartcard to connect with our mailserver. Thunderbird is our friend here as it will use the smartcard as an additional certificate store and Thunderbird will do client certificate based authentication when connecting via SSL with a mailserver

- there's no way (at least that I know of) for our iPad users to use a smartcard, so our iPad and iPhone users use OTP tokens (http://www.gooze.eu/catalog/otp-tokens-oath-0)

For 10 years we have been using a very simple POP3-server where I replaced the authentication routines with my own functions and these functions are doing the following:

1) if the connection was made without SSL refuse to connect
2) if the client was using a client certificate extract the username from the certificate. Since we cannot stop Thunderbird from sending a username/password combination we compare the username from the certificate with the username Thunderbird has sent. If the usernames match we allow access and ignore the password.
3) if the client did not send a client certificate we calculate the current OneTimePassword of the user's OTP-token and compare that with the password Thunderbird has sent. If the passwords match we allow access. If an OTP-password was validated it can be used for 24 hours so our OTP-users must use their tokens only once a day.

Now we would like to switch from POP3 to IMAP, so here are my questions:

- can Dovecot be CONFIGURED to do the above? I compiled it yesterday and SSL client authentication works as expected. OTP seems to be supported via PAM and I can write a PAM-module for our OTP-tokens, so OTP would be possible too. But how do I tell Dovecot to do OTP-auth as a fallback for ClientCert-auth?

- I already looked into the sourcecode of Dovecot. Seems like all the authentication routines were built as pluggable modules. Is there any documentation out there on how to build my own auth-module?

Integrating the OTP-auth directly into Dovecot would be a lot easier (for me) than creating a PAM-module, so I would prefer that. If there was interest from other people I would add some configuration options to Dovecot (for example the location of the OTP-token list). Otherwise I would just hardcode everything into the source.

Peter
Robert Schetterer
2013-Mar-10 11:57 UTC
[Dovecot] Logon with Client Certificate and OTP fallback
On 10.03.2013 11:28, dovecot.pkoch at dfgh.net wrote:
> Dear Dovecot experts,
>
> we have unusual authentication requirements, namely:
>
> - almost all of our users are using a smartcard to connect
> with our mailserver. Thunderbird is our friend here as it will
> use the smartcard as an additional certificate store and
> Thunderbird will do client certificate based authentication
> when connecting via SSL with a mailserver
>
> - there's no way (at least that I know of) for our iPad users
> to use a smartcard, so our iPad and iPhone users use
> OTP tokens (http://www.gooze.eu/catalog/otp-tokens-oath-0)
>
> For 10 years we have been using a very simple POP3-server where
> I replaced the authentication routines with my own functions
> and these functions are doing the following:
>
> 1) if the connection was made without SSL refuse to connect
> 2) if the client was using a client certificate extract the username
> from the certificate. Since we cannot stop Thunderbird from
> sending a username/password combination we compare the
> username from the certificate with the username Thunderbird has
> sent. If the usernames match we allow access and ignore
> the password.
> 3) if the client did not send a client certificate we calculate the
> current OneTimePassword of the user's OTP-token and compare
> that with the password Thunderbird has sent. If the passwords match
> we allow access. If an OTP-password was validated it can be used
> for 24 hours so our OTP-users must use their tokens only once a day.
>
> Now we would like to switch from POP3 to IMAP, so here are my
> questions:
>
> - can Dovecot be CONFIGURED to do the above? I compiled it yesterday
> and SSL client authentication works as expected. OTP seems to be
> supported via PAM and I can write a PAM-module for our OTP-tokens,
> so OTP would be possible too. But how do I tell Dovecot to do
> OTP-auth as a fallback for ClientCert-auth?
>
> - I already looked into the sourcecode of Dovecot. Seems like all the
> authentication routines were built as pluggable modules. Is there any
> documentation out there on how to build my own auth-module?
>
> Integrating the OTP-auth directly into Dovecot would be a lot
> easier (for me) than creating a PAM-module, so I would prefer that.
> If there was interest from other people I would add some configuration
> options to Dovecot (for example the location of the OTP-token list).
> Otherwise I would just hardcode everything into the source.
>
> Peter
>

try reading http://wiki2.dovecot.org/PasswordDatabase/PAM

...
This can be useful with e.g. pam_opie to find out which one time password you're supposed to give:

1 LOGIN username otp
1 NO otp-md5 324 0x1578 ext, Response: ...

Best Regards
Kind regards

Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich
Timo Sirainen
2013-Mar-20 17:35 UTC
[Dovecot] Logon with Client Certificate and OTP fallback
On 10.3.2013, at 12.28, dovecot.pkoch at dfgh.net wrote:

> For 10 years we have been using a very simple POP3-server where
> I replaced the authentication routines with my own functions
> and these functions are doing the following:
>
> 1) if the connection was made without SSL refuse to connect
> 2) if the client was using a client certificate extract the username
> from the certificate. Since we cannot stop Thunderbird from
> sending a username/password combination we compare the
> username from the certificate with the username Thunderbird has
> sent. If the usernames match we allow access and ignore
> the password.
> 3) if the client did not send a client certificate we calculate the
> current OneTimePassword of the user's OTP-token and compare
> that with the password Thunderbird has sent. If the passwords match
> we allow access. If an OTP-password was validated it can be used
> for 24 hours so our OTP-users must use their tokens only once a day.
>
> Now we would like to switch from POP3 to IMAP, so here are my
> questions:
>
> - can Dovecot be CONFIGURED to do the above? I compiled it yesterday
> and SSL client authentication works as expected. OTP seems to be
> supported via PAM and I can write a PAM-module for our OTP-tokens,
> so OTP would be possible too. But how do I tell Dovecot to do
> OTP-auth as a fallback for ClientCert-auth?

Create a passdb that succeeds if user has a valid SSL client cert. http://wiki2.dovecot.org/Variables has %k which is "valid" if client has it set. There are several ways you can do this .. for example with sqlite do a SELECT that checks for %k. Another possibility is a checkpassword script. The secondary passdb would then be the OTP.

> - I already looked into the sourcecode of Dovecot. Seems like all the
> authentication routines were built as pluggable modules. Is there any
> documentation out there on how to build my own auth-module?
>
> Integrating the OTP-auth directly into Dovecot would be a lot
> easier (for me) than creating a PAM-module, so I would prefer that.
> If there was interest from other people I would add some configuration
> options to Dovecot (for example the location of the OTP-token list).
> Otherwise I would just hardcode everything into the source.

See how the auth process already can build an ldap plugin. For outside sources you can build auth plugins the same way as any other plugins. http://dovecot.org/patches/ has many such example plugins. Or see how Pigeonhole does it with autotools.
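The checkpassword variant of Timo's suggestion, written out as an added example (not code from this thread or from the Dovecot project): a first passdb that succeeds only when the client presented a valid TLS client certificate and otherwise fails, so Dovecot falls through to a second passdb that does the OTP check via PAM. The fd-3 record layout, the VALID_CLIENT_CERT and AUTHORIZED environment variables, the exit-status meanings and the dovecot.conf wiring in the header comment are my reading of the Dovecot checkpassword documentation, not something the thread confirms, and the file paths are placeholders.

```shell
#!/bin/sh
# Added example: Dovecot "checkpassword" passdb that passes only with a valid
# client certificate. Not from the thread or from Dovecot itself.
# Assumptions taken from the checkpassword docs (verify against the wiki):
#   - Dovecot writes "username\0password\0" to fd 3
#   - VALID_CLIENT_CERT=1 is exported when the client cert chained to ssl_ca
#   - AUTHORIZED=1 is exported; a successful passdb lookup must change it to 2,
#     export USER and exec the checkpassword-reply binary passed as $1
#   - exit status 1 = authentication failed, 111 = temporary failure; on a
#     failure Dovecot continues with the next passdb (result_failure=continue)
#
# Assumed dovecot.conf wiring (placeholder paths):
#   ssl = required                      # rule 1: no plaintext logins at all
#   ssl_verify_client_cert = yes        # without this %k / VALID_CLIENT_CERT
#   ssl_ca = </etc/dovecot/smartcard-ca.pem   # are never set
#   passdb {
#     driver = checkpassword
#     args = /usr/local/libexec/dovecot/cert-passdb.sh
#   }
#   passdb {
#     driver = pam                      # OTP check lives in the PAM module
#   }

# Print field N (1 = username, 2 = password) of the NUL-separated record on
# stdin, i.e. what Dovecot writes to fd 3.
checkpassword_field() {
    tr '\0' '\n' | sed -n "${1}p"
}

# Passdb decision: accept only if the TLS layer validated a client certificate
# ($1 is the value of VALID_CLIENT_CERT) and a non-empty username was sent ($2).
# The password is deliberately ignored: Thunderbird always sends one, and the
# certificate is the credential on this path. Returns 0 = accept, 1 = reject.
cert_login_allowed() {
    [ "${1:-}" = "1" ] && [ -n "${2:-}" ]
}

main() {
    reply_bin=$1                          # checkpassword-reply, supplied by Dovecot
    [ -x "$reply_bin" ] || exit 111       # misconfigured: report temporary failure
    user=$(checkpassword_field 1 <&3)
    if cert_login_allowed "${VALID_CLIENT_CERT:-}" "$user"; then
        USER=$user
        AUTHORIZED=2                      # mark the passdb lookup as successful
        export USER AUTHORIZED
        exec "$reply_bin"
    fi
    # No valid certificate: fail here so Dovecot moves on to the OTP passdb.
    exit 1
}

# Run the protocol flow only when invoked by Dovecot (it sets AUTHORIZED=1 and
# passes the reply binary); sourcing the file for tests leaves it inert.
if [ "${AUTHORIZED:-}" = "1" ] && [ $# -ge 1 ]; then
    main "$@"
fi
```

Two things this does not cover, which Peter's rule 2 does: it only checks that a certificate validated, not that the name inside the certificate matches the username the client sent, and the 24-hour reuse window for an OTP is left entirely to the PAM side. The %k-in-a-SELECT variant Timo mentions has the same scope: %k tells you the certificate was valid, nothing more.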