Displaying 20 results from an estimated 20 matches for "totps".
2023 Feb 20
1
(Open)SSH as a TOTP *Token*?
On Mon, 20 Feb 2023 at 20:03, Jochen Bern <Jochen.Bern at binect.de> wrote:
> A quick question, if I may: Today, I heard a rumour that "ssh" can be
> used as a TOTP *token* (i.e., accept or generate a secret for a
> configuration and generate TOTP codes from there on out, to be entered
> into some *other* software requesting them for 2FA).
I'm not aware of any way
2023 Feb 15
1
(Open)SSH as a TOTP *Token*?
A quick question, if I may: Today, I heard a rumour that "ssh" can be
used as a TOTP *token* (i.e., accept or generate a secret for a
configuration and generate TOTP codes from there on out, to be entered
into some *other* software requesting them for 2FA).
All I could find on the web so far are how-tos to a) make ssh*d* request
and verify TOTP codes (usually with the help of PAM)
2016 Oct 22
0
MFA 2FA TOTP razz-ma-tazz!
I'd like to start offering my server's users multi-factor
authentication. Right now, I funnel all authentication through dovecot.
Before I get too far down the fantasy design path, I'm wondering if
anyone else has already done this and could share some details or code.
(I loaded up the subject line with acronyms to show how serious I am. :-))
I am specifically thinking of
2020 Oct 27
2
SV: Looking for a guide to collect all e-mail from the ISP mail server
I would have to also hack the email client since I don't enter my 20 character high entropy password when I send or retrieve email.
You really need an email standard to integrate TOTP. To be realistic, you need Gmail to use it. Whatever Gmail wants is essentially a de facto standard. I live in the real world, so whatever Google wants, I comply.
--- Original Message ---
From: jtam.home at
2020 Oct 28
1
SV: SV: Looking for a guide to collect all e-mail from the ISP mail server
And which email clients can do this?
A de facto standard needs to be adopted. If I don't provide SPF or DKIM, I am likely to be deemed spammy, hence a de facto standard has been established. I don't see this with TOTP.
I'm all for TOTP, but I'm not going to code my own.
--- Original Message ---
From: sebastian at sebbe.eu
Sent: October 27, 2020 5:56 PM
To: dovecot at
2023 Mar 19
1
Minimize sshd log clutter/spam from unauthenticated connections
To radically cut down on SSH log spam you can also hide it completely behind a firewall, and allow access only by some port knocking sequence.
I quite like having a process listen on port 53 and wait for a dns query containing a totp string to grant (temporary) access; that's a 2fa, and doing a "host 123456. my-ip" is easily automated in a shell script as well...
2020 Oct 27
2
SV: Looking for a guide to collect all e-mail from the ISP mail server
1: I meant like this:
Without whitelisting, you can't login to SMTP or IMAP, password isn't valid
at all.
To enable SMTP and IMAP, you then either surf to webmail, or the 2FA
gateway, and login with:
Username + password + 2FA code + captcha.
When all is valid, then your IP is whitelisted for SMTP and IMAP access.
This still means you have to use username/password for SMTP/IMAP.
So how
2024 Nov 15
1
MFA and PubKeys
Hello all,
I'm trying to get a properly working MFA solution working with our ssh servers. I have it working wonderfully well with duo until ssh keys are added to the mix.
As I understand it, using keys results in the PAM stack not getting called and thus something like pam_duo never gets a chance to work in that scenario.
I'm aware that I can use something like "ForceCommand
2019 Apr 03
1
TFA authentication in dovecot, using XMPP and RFC 4226
Hello,
I would like to implement some kind of two factors authentication, in
Dovecot.
I am thinking about using the post login script, to check for unusual
behaviour, like say, a different country / IP address or an unusual
hour.
I already wrote a simple shell script that checks these factors, but
now, I have some options for the following, and I need to know your
opinion if this is feasible or
2024 Jul 04
4
Request for a Lockdown option
Jochen Bern <Jochen.Bern at binect.de> writes:
> (And since you mention "port knocking", I'd like to repeat how fond I
> am of upgrading that original concept to a single-packet
> crypto-armored implementation like fwknop.)
I am reluctantly considering using some kind of port knocking mechanism
on some machines, however I really don't want to carry around shared
2020 Oct 27
0
SV: Looking for a guide to collect all e-mail from the ISP mail server
On Tue, 27 Oct 2020, Sebastian Nielsen wrote:
> Kind of stupid that there doesn't exist some common standard for 2FA that
> works in email clients.
You can bodge it for HOTP/TOTP hardware token generators. Dovecot allows
custom plugins to check passwords. The plugin can take passwords of
the form {password}+{2fa-token}, then split each part to check against
authentication systems to
2011 Jul 10
0
OATH/OTP?
Hey all, has anyone ever successfully implemented some form of OTP system with dovecot? I'm looking at setting up an OATH/HOTP-TOTP based OTP for our services, but the webmail service (which uses dovecot) is a difficult one. Any info on implementations would be appreciated,
Regards,
Cor
2014 Feb 25
0
AUTH_USER variable has invalid value in checkpassword Script
Dear dovecot experts:
We are using client certificates to authenticate against a
Dovecot server. Our certificates contain a x500UniqueIdentifier.
I'm absolutely sure that the value of the x500UniqueIdentifier
was stored into the AUTH_USER when I tested my setup
last year.
This has somehow changed and now AUTH_USER always
contains the username. This has fatal consequences as now
every owner
2024 Jul 04
1
Request for a Lockdown option
On 04.07.24 01:41, Manon Goo wrote:
> - some users private keys are lost
Then you go and remove the corresponding pubkeys from wherever they're
configured.
Seriously, even if you do not scan which pubkey is configured where
*now* (as is part of our usual monitoring), it'll be your "number <3"
task *then* to go hunt it down.
> And you want to lock down the sshd
2024 Feb 08
2
Authentication using federated identity
I know that there are some methods to use federated identities (e.g.
OAuth2) with SSH authentication but, from what I've seen, they largely
seem clunky and require users to interact with web browsers to get one
time tokens. Which is sort of acceptable for occasional logins but
doesn't work with automated/scripted actions.
I'm just wondering if anyone has done any work on this or
2016 Jul 04
3
SSH multi factor authentication
There has been some good discussion around our IBM security team as to what
actually constitutes SSH multi factor authentication. There are 2 options
being discussed.
One, the Google Authenticator (OTP authentication).
Two, Public/Private key authentication (pubkeyauthentication = yes) which
supports pass phrase private key authentication.
Which of these is considered multi-factor
2022 Jun 01
5
[Bug 3439] New: identify password prompts
https://bugzilla.mindrot.org/show_bug.cgi?id=3439
Bug ID: 3439
Summary: identify password prompts
Product: Portable OpenSSH
Version: v9.0p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at
2023 Mar 18
3
Minimize sshd log clutter/spam from unauthenticated connections
On 18.03.23 14:34, David Lang wrote:
> modern syslog daemons (including rsyslog, which is default on just
> about every linux system) allow you to filter efficiently on the
> message contents, not just the severity, so you can opt to throw out
> the messages you don't want.
>
> I advocate for a slightly different way of dealing with it, filter
> these messages from
2020 Apr 22
6
Recommendations on intrusion prevention/detection?
Dear all,
what are the key strategies for intrusion prevention and detection with
dovecot, apart from installing fail2ban?
It is a pity that the IMAP protocol does not support 2 factor
authentication, which seems to stop 90% of intrusion attempts in their
tracks. Without it, if someone has obtained your password and reads your
mail without modifying it, you will hardly ever notice.
Is there a
2024 Jul 04
1
Request for a Lockdown option
Simon Josefsson wrote in
<87jzi1fg24.fsf at kaka.sjd.se>:
|Jochen Bern <Jochen.Bern at binect.de> writes:
|> (And since you mention "port knocking", I'd like to repeat how fond I
|> am of upgrading that original concept to a single-packet
|> crypto-armored implementation like fwknop.)
|
|I am reluctantly considering using some kind of port knocking