search for: totp

Displaying 20 results from an estimated 20 matches for "totp".

2023 Feb 20
1
(Open)SSH as a TOTP *Token*?
On Mon, 20 Feb 2023 at 20:03, Jochen Bern <Jochen.Bern at binect.de> wrote: > A quick question, if I may: Today, I heard a rumour that "ssh" can be > used as a TOTP *token* (i.e., accept or generate a secret for a > configuration and generate TOTP codes from there on out, to be entered > into some *other* software requesting them for 2FA). I'm not aware of any way that ssh(1) can act as a TOTP (ie RFC6238 or similar). As you point out sshd can use...
2023 Feb 15
1
(Open)SSH as a TOTP *Token*?
A quick question, if I may: Today, I heard a rumour that "ssh" can be used as a TOTP *token* (i.e., accept or generate a secret for a configuration and generate TOTP codes from there on out, to be entered into some *other* software requesting them for 2FA). All I could find on the web so far are how-tos to a) make ssh*d* request and verify TOTP codes (usually with the help of P...
2016 Oct 22
0
MFA 2FA TOTP razz-ma-tazz!
...rough dovecot. Before I get too far down the fantasy design path, I'm wondering if anyone else has already done this and could share some details or code. (I loaded up the subject line with acronyms to show how serious I am. :-)) I am specifically thinking of two-factor authentication using TOTP (time-based one-time passwords) as described in RFC-6238. Those are the ones compatible with Google Authenticator and compatible apps. I already am a user of those at several sites. Some of them don't have a separate opportunity to enter the 6-digit code. Instead, you append the 6-digit co...
2020 Oct 27
2
SV: Looking for a guide to collect all e-mail from the ISP mail server
I would have to also hack the email client since I don't enter my 20 character high entropy password when I send or retrieve email. You really need an email standard to integrate TOTP. To be realistic, you need Gmail to use it. Whatever Gmail wants is essentially a defacto standard. I live in the real world, so whatever Google wants, I comply. Original Message From: jtam.home at gmail.com Sent: October 27, 2020 3:57 PM To: dovecot at dovecot.org Subject: Re: SV: Lo...
2020 Oct 28
1
SV: SV: Looking for a guide to collect all e-mail from the ISP mail server
And which email clients can do this? A defacto standard needs to be adopted. If I don't provide SPF or DKIM, I am likely to be deemed spammy, hence a defacto standard has been established. I don't see this with TOTP. I'm all for TOTP, but I'm not going to code my own. Original Message From: sebastian at sebbe.eu Sent: October 27, 2020 5:56 PM To: dovecot at dovecot.org Reply-to: dovecot at dovecot.org Subject: SV: SV: Looking for a guide to collect all e-mail from the ISP mail server...
2023 Mar 19
1
Minimize sshd log clutter/spam from unauthenticated connections
To radically cut down on SSH log spam you can also hide it completely behind a firewall, and allow access only by some port knocking sequence. I quite like having a process listen on port 53 and wait for a dns query containing a totp string to grant (temporary) access; that's a 2fa, and doing a "host 123456. my-ip" is easily automated in a shell script as well...
2020 Oct 27
2
SV: Looking for a guide to collect all e-mail from the ISP mail server
1: I meant like this: Without whitelisting, you can't login to SMTP or IMAP, password isn't valid at all. To enable SMTP and IMAP, you then either surf to webmail, or the 2FA gateway, and login with: Username + password + 2FA code + captcha. When all is valid, then your IP is whitelisted for SMTP and IMAP access. This still means you have to use username/password for SMTP/IMAP. So how
2024 Nov 15
1
MFA and PubKeys
Hello all, I'm trying to get a properly working MFA solution working with our ssh servers. I have it working wonderfully well with duo until ssh keys are added to the mix. As I understand it, using keys results in the PAM stack not getting called and thus something like pam_duo never gets a chance to work in that scenario. I'm aware that I can use something like "ForceCommand
2019 Apr 03
1
TFA authentication in dovecot, using XMPP and RFC 4226
...check these factors, but now, I have some options for the following, and I need to know your opinion if this is feasible or not. I want to use the google authenticator Debian package (supports the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP)). The challenge would be sent via XMPP. This second part is fairly easy to do, I have all the packages on Debian, for instance sendxmpp. The first tests are promising. In case of success, the IP address is added to the list, let's say for one month... My back-end for authentication is OpenLD...
2024 Jul 04
4
Request for a Lockdown option
...be possible to rely only on public-key signing instead? I already carry around a physical device with a public/private keypair in it, and I need that for SSH public-key authentication anyway. To avoid replay attacks, the signed data needs to be an ever increasing counter or timestamp a'la HOTP/TOTP. I think this could be a good builtin functionality of OpenSSH, it already has all of the public/private key trust infrastructure available, what is missing is just the plumbing to connect it to the firewall. Maybe it could go into a separate binary and not in the default sshd though. How about a s...
2020 Oct 27
0
SV: Looking for a guide to collect all e-mail from the ISP mail server
On Tue, 27 Oct 2020, Sebastian Nielsen wrote: > Kind of stupid that there doesn't exist some common standard for 2FA that > works in email clients. You can bodge it for HOTP/TOTP hardware token generators. Dovecot allows custom plugins to check passwords. The plugin can take passwords of the form {password}+{2fa-token}, then split each part to check against authentication systems to check validity. Joseph Tam <jtam.home at gmail.com>
2011 Jul 10
0
OATH/OTP?
Hey all, has anyone ever successfully implemented some form of OTP system with dovecot? I'm looking at setting up an OATH/HOTP-TOTP based OTP for our services, but the webmail service (which uses dovecot) is a difficult one. Any info on implementations would be appreciated, Regards, Cor
2014 Feb 25
0
AUTH_USER variable has invalid value in checkpassword Script
...H_CERT=="valid") and (AUTH_USER==Username) then user is authenticated 3 If (AUTH_CERT=="valid") and (AUTH_USER<>Username) then authentication is rejected (User A tries to logon as User B) 4 If (AUTH_CERT<>"valid") we calculate the current OATH value for Username's TOTP-token and compare that with the provided password. The last step is the reason why we are using a checkpassword script. Our smartphone users cannot use a smartcard but enter a password that was created by an OTP generator, so programming my own checkpassword script was my only option. AUTH_USER c...
2024 Jul 04
1
Request for a Lockdown option
On 04.07.24 01:41, Manon Goo wrote: > - some users private keys are lost Then you go and remove the corresponding pubkeys from wherever they're configured. Seriously, even if you do not scan which pubkey is configured where *now* (as is part of our usual monitoring), it'll be your "number <3" task *then* to go hunt it down. > And you want to lock down the sshd
2024 Feb 08
2
Authentication using federated identity
I know that there are some methods to use federated identities (e.g. OAuth2) with SSH authentication but, from what I've seen, they largely seem clunky and require users to interact with web browsers to get one time tokens. Which is sort of acceptable for occasional logins but doesn't work with automated/scripted actions. I'm just wondering if anyone has done any work on this or
2016 Jul 04
3
SSH multi factor authentication
There has been some good discussion around our IBM security team as to what actually constitutes SSH multi factor authentication. There are 2 options being discussed. One, the Google Authenticator (OTP authentication). Two, Public/Private key authentication (pubkeyauthentication = yes) which supports pass phrase private key authentication. Which of these is considered multi-factor
2022 Jun 01
5
[Bug 3439] New: identify password prompts
https://bugzilla.mindrot.org/show_bug.cgi?id=3439 Bug ID: 3439 Summary: identify password prompts Product: Portable OpenSSH Version: v9.0p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at
2023 Mar 18
3
Minimize sshd log clutter/spam from unauthenticated connections
On 18.03.23 14:34, David Lang wrote: > modern syslog daemons (including rsyslog, which is default on just > about every linux system) allow you to filter efficiently on the > message contents, not just the severity, so you can opt to throw out > the messages you don't want. > > I advocate for a slightly different way of dealing with it, filter > these messages from
2020 Apr 22
6
Recommendations on intrusion prevention/detection?
Dear all, what are the key strategies for intrusion prevention and detection with dovecot, apart from installing fail2ban? It is a pity that the IMAP protocol does not support 2 factor authentication, which seems to stop 90% of intrusion attempts in their tracks. Without it, if someone has obtained your password and reads your mail without modifying it, you will hardly ever notice. Is there a
2024 Jul 04
1
Request for a Lockdown option
...ble to rely only on public-key signing |instead? I already carry around a physical device with a public/private |keypair in it, and I need that for SSH public-key authentication anyway. |To avoid replay attacks, the signed data needs to be an ever increasing |counter or timestamp a'la HOTP/TOTP. | |I think this could be a good builtin functionality of OpenSSH, it |already has all of the public/private key trust infrastructure |available, what is missing is just the plumbing to connect it to the |firewall. Maybe it could go into a separate binary and not in the |default sshd though. H...