search for: totps

On Mon, 20 Feb 2023 at 20:03, Jochen Bern <Jochen.Bern at binect.de> wrote: > A quick question, if I may: Today, I heard a rumour that "ssh" can be > used as a TOTP *token* (i.e., accept or generate a secret for a > configuration and generate TOTP codes from there on out, to be entered > into some *other* software requesting them for 2FA). I'm not aware of any way

A quick question, if I may: Today, I heard a rumour that "ssh" can be used as a TOTP *token* (i.e., accept or generate a secret for a configuration and generate TOTP codes from there on out, to be entered into some *other* software requesting them for 2FA). All I could find on the web so far are how-tos to a) make ssh*d* request and verify TOTP codes (usually with the help of PAM)

I'd like to start offering my server's users multi-factor authentication. Right now, I funnel all authentication through dovecot. Before I get too far down the fantasy design path, I'm wondering if anyone else has already done this and could share some details or code. (I loaded up the subject line with acronyms to show how serious I am. :-)) I am specifically thinking of

I would have to also hack the email client since I don't enter my 20 character high entropy password when I send or retrieve email. You really need an email standard to integrate TOTP. To be realistic, you need Gmail to use it. Whatever Gmail wants is essentially a defacto standard. I live in the real world, so whatever Google wants, I comply. ? Original Message ? From: jtam.home at

And which email clients can do this? A defacto standard needs to be adopted. If I don't provide SPF or DKIM, I am likely to be deemed spammy, hence a defacto standard has been established. I don't see this with TOTP. I'm all for TOTP, but I'm not going to code my own. ? Original Message ? From: sebastian at sebbe.eu Sent: October 27, 2020 5:56 PM To: dovecot at

To radically cut down on SSH log spam you can also hide it completely behind a firewall, and allow access only by some port knocking sequence. I quite like having a process listen on port 53 and wait for a dns query containing a totp string to grant (temporary) access; that's a 2fa, and doing a "host 123456. my-ip" is easily automated in a shell script as well...

1: I meant like this: Without whitelisting, you can't login to SMTP or IMAP, password isn't valid at all. To enable SMTP and IMAP, you then either surf ro webmail, or the 2FA gateway, and login with: Username + password + 2FA code + captcha. When all is valid, then your IP is whitelisted for SMTP and IMAP access. This still means you have to use usename/password for SMTP/IMAP. So how

Hello, I would like to implement some kind of two factors authentication, in Dovecot. I am thinking about using the post login script, to check for unusual behaviour, like say, a different country / IP address or an unusual hour. I already wrote a simple shell script that check these factors, but now, I have some options for the following, and I need to know your opinion if this is feasible or

On Tue, 27 Oct 2020, Sebastian Nielsen wrote: > Kind of stupid that there doesn't exist some common standard for 2FA that > works in email clients. You can bodge it for HOTP/TOTP hardware token generators. Dovecot allows custom plugins to check passwords. The plugin can take passwords of the form {password}+{2fa-token}, then split each part to check against authentication systems to

Hey all, has anyone ever successfully implemented some form of OTP system with dovecot? Im looking at setting up an OATH/HOTP-TOTP based OTP for our services, but the webmail service (which uses dovecot) is a difficult one. Any info on implementations would be appreciated, Regards, Cor

Dear dovecot experts: We are using client certificates to authenthicate against a Dovecot server. Our certificates contain a x500UniqueIdentifier. I'm absolutely sure that the value of the x500UniqueIdentifier was stored into the AUTH_USER when I tested my setup last year. This has somehow changed and now AUTH_USER always contains the username. This has fatal consequences as now every owner

I know that there are some methods to use federated identities (e.g. OAuth2) with SSH authentication but, from what I've seen, they largely seem clunky and require users to interact with web browsers to get one time tokens. Which is sort of acceptable for occasional logins but doesn't work with automated/scripted actions. I'm just wondering if anyone has done any work on this or

There has been some good discussion around our IBM security team as to what actually constitutes SSH multi factor authentication. There are 2 options being discussed. One, the Google Authenticator (OTP authentication). Two, Public/Private key authentication (pubkeyauthentication = yes) which supports pass phrase private key authentication. Which of these is considered multi-factor

https://bugzilla.mindrot.org/show_bug.cgi?id=3439 Bug ID: 3439 Summary: identify password prompts Product: Portable OpenSSH Version: v9.0p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at

On 18.03.23 14:34, David Lang wrote: > modern syslog daemons (including rsyslog, which is default on just > about every linux system) allow you to filter efficiently on the > message contents, not just the severity, so you can opt to throw out > the messages you don't want. > > I advocate for a slightly different way of dealing with it, filter > these messages from

Dear all, what are the key strategies for intrusion prevention and detection with dovecot, apart from installing fail2ban? It is a pity that the IMAP protocol does not support 2 factor authentication, which seems to stop 90% of intrusion attempts in their tracks. Without it, if someone has obtained your password and reads your mail without modifying it, you will hardly ever notice. Is there a