similar to: (Open)SSH as a TOTP *Token*?

On Mon, 20 Feb 2023 at 20:03, Jochen Bern <Jochen.Bern at binect.de> wrote: > A quick question, if I may: Today, I heard a rumour that "ssh" can be > used as a TOTP *token* (i.e., accept or generate a secret for a > configuration and generate TOTP codes from there on out, to be entered > into some *other* software requesting them for 2FA). I'm not aware of any way

On 05/16/2018 06:07 AM, Aki Tuomi wrote: >> On 15 May 2018 at 22:43 Gandalf Corvotempesta <gandalf.corvotempesta at gmail.com> wrote: >> Is possible to implement and end-to-end encryption with dovecot, where >> server-side there is no private key to decrypt messages? > > You could probably automate this with sieve and e.g. GnuPG, which would mean > that all your

On 12/15/2018 12:34 AM, @lbutlr wrote: > On 14 Dec 2018, at 16:30, @lbutlr <kremels at kreme.com> wrote: >> Is it possible to override the POP3 delete on download command and make >> sure that messages stay on the server for at least X hours or X days? >> It is important that the messages be around long enough to hit a snapshot >> cycle (using rsnapshot to backup

I'd like to start offering my server's users multi-factor authentication. Right now, I funnel all authentication through dovecot. Before I get too far down the fantasy design path, I'm wondering if anyone else has already done this and could share some details or code. (I loaded up the subject line with acronyms to show how serious I am. :-)) I am specifically thinking of

Hello everyone, I work in a setting where remote logins are usually authenticated with SSH user keypairs, but many target accounts need to have a password set nonetheless (to use with sudo, log in via remote KVM, etc.) and cannot be put under a central user administration like LDAP. Enter a corporate password policy that requires passwords to be complex, different everywhere, and of limited

Hello everyone, my workplace has gotten the idea of centrally maintaining a file in ssh_config syntax so that employees do not need to discover every new machine and configure it on their own. Since it's a case of "let's get started now, and properly think it through later", right now, a typical entry might look like > Host [product]-[Customer] > Hostname

Hi Jochen, On Wed, 12 Feb 2020 at 00:16, Jochen Bern <Jochen.Bern at binect.de> wrote: > > On 02/11/2020 07:07 PM, Cl?ment P?ron wrote: > > - I have X devices (around 30) and one SSH server > > - Each of them have a unique public key and create one dynamic reverse > > port forwarding on the server > > - All of them connect with the same UNIX user (I don't

On 02/20/2019 07:51 AM, Mark D. Baushke wrote: > There are too just many cases where both OpenSSH interoperating with > itself as well as other SSH implementations have needed this version > number to properly deal with bugs in the code via negitations. FWIW, and without dismissing the possibility of fingerprinting a server in other ways, the fact that clients that *can* pass

On 25.04.24 17:15, openssh-unix-dev-request at mindrot.org digested: > Subject: how to block brute force attacks on reverse tunnels? > From: Steve Newcomb <srn at coolheads.com> > Date: 25.04.24, 17:14 > > For many years I've been running ssh reverse tunnels on portable Linux, > OpenWRT, Android etc. hosts so they can be accessed from a server whose > IP is stable

On 03/22/2018 09:34 AM, Aki Tuomi wrote: >>> I have no idea why you would have nopassword=y set in the first >>> place, so it seems the simplest way to eliminate this problem is to >>> take that out and have a secure environment for sending mail. >> >> Yes, however, for SOGo with Native Outlook compatibility or SAML >> logon, the config is required.

On 05.07.23 18:01, MCMANUS, MICHAEL P wrote: > It appears the forced command either does not run or runs to completion > and exits immediately, as there is no process named "receive.ksh" in > the process tree. FWIW, two cents of mine: -- The script *exiting* should *not* prompt sshd to execute the requested subsystem "as a second thought", or else it'd happen

On 05.07.23 02:50, Damien Miller wrote: > Some possibilities: > 1. the receive.ksh script is faulty in some way that causes it to invoke > sftp-server How would the script even *know* that the client requested the SFTP subsystem? Is a subsystem's executable/path, supposedly internally overwritten with the forced command at that point, exposed through $SSH_ORIGINAL_COMMAND ?

I would have to also hack the email client since I don't enter my 20 character high entropy password when I send or retrieve email. You really need an email standard to integrate TOTP. To be realistic, you need Gmail to use it. Whatever Gmail wants is essentially a defacto standard. I live in the real world, so whatever Google wants, I comply. ? Original Message ? From: jtam.home at

On 06.07.23 23:37, MCMANUS, MICHAEL P wrote:> So changing the forced command as stated will break the application. I > would need to create a test bed to simulate the listener rather than > use the server as is, where is. That may produce false or misleading > results. Since the forced command is tied to the specific keypair in the authorized_keys, you could -- test with a different

On 10/25/2017 12:58 PM, Heiko Schlittermann wrote: > We could create new "role" users, share the password and create an > additional account within the mail client (thunderbird) they use. From > users perspective it is exactly what they want. But I dislike the idea > of sharing the password. For what reason exactly? It not being personalized, too easy to leak, potentially

On 18.08.23 07:39, Darren Tucker wrote: > On Fri, 18 Aug 2023 at 15:25, Stuart Longland VK4MSL <me at vk4msl.com> wrote: > [...] >> The crux of this is that we cannot assume the local IPv4 address is >> unique, since it's not (and in many cases, not even static). > > If the IP address is not significant, you can tell ssh to not record > them ("CheckHostIP

On 11/17/2016 08:48 AM, Steve Litt wrote: > When I use an email client, its purpose is as a window into my Dovecot > IMAP, and as a mechanism to reply to and send emails. I don't do > filtering or calendaring on my email client (filtering via procmail > direct to Dovecot). > > What email clients are all of you using to look at your IMAP email? Plaintext or HTML mails?

On 16.10.23 04:59, Damien Miller wrote: > On Mon, 16 Oct 2023, openssh at tr.id.au wrote: >> When using the key without an agent, it prompts with a reminder to touch the key: >> >> $ ssh user at remote >> Confirm user presence for key ED25519-SK MD5:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX [...] >> But as soon as I add the key to an agent, it now hides that

To radically cut down on SSH log spam you can also hide it completely behind a firewall, and allow access only by some port knocking sequence. I quite like having a process listen on port 53 and wait for a dns query containing a totp string to grant (temporary) access; that's a 2fa, and doing a "host 123456. my-ip" is easily automated in a shell script as well...

Hello everyone, I would like pointers on how to analyze the following situation, please: I'm running one test and one production dovecot IMAPS server for one of our platforms. The clients are essentially appliances we distribute, auth by client cert, virtual users only, mailboxes in maildir format: > auth_ssl_require_client_cert = yes > auth_ssl_username_from_cert = yes >