[Dovecot] Ideas for Webmail/OTP

Jasper Bryant-Greene jasper at albumltd.co.nz
Tue Jul 24 14:40:50 EEST 2007


On Tue, Jul 24, 2007 at 09:42:29AM +0300, Timo Sirainen wrote:
> On Mon, 2007-07-23 at 17:15 +0200, Frank Behrens wrote:
> > Solution 1:
> > When PAM is configured for IMAP the user can use a one-time-password in the same way 
> > as before. The problem is that the user must know the sequence number for the password 
> > (otp challenge), so we need a way to display it. The PAM module supplies the otp challenge 
> > in the conversation function, but the challenge is not processed by the IMAP server.
> > My proposal: The IMAP server stores the challenge from the conversation function and 
> > includes it in the LOGIN response, when the login was not successful. So a user can try a 
> > login with a wrong dummy password and get knowledge about the current otp sequence.
> 
> I'd like to see your patch for this. I've no idea how pam_otp works.

I don't know a lot about the IMAP protocol's intricacies, but would it not be
cleaner to either:

a) provide the otp sequence as a capability (e.g. X-OTP-SEQ=1234), or

b) provide a dovecot-specific IMAP command for finding out the current
   sequence value (e.g. X-OTP-SEQ)

The sending of a dummy password to retrieve the LOGIN response seems like a
bit of a hack (no offense to Frank - I'm keen to see this OTP idea
implemented), but again, the above is written without much knowledge of the
IMAP protocol.

Jasper
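The three ways of handing the OTP challenge to the client that the thread compares (Frank's challenge-in-the-failed-LOGIN-response, a capability, and a private command) in one runnable toy, as an added example that is not part of the original thread and not Dovecot's code. The OTP itself is a simplified hash chain (the server keeps H^n of the secret, the user sends H^(n-1)), not pam_otp's algorithm; the names X-OTP, X-OTP-SEQ, X-OTP-CHALLENGE and "otp-sha256", the response formats, and the sample user "frank" with seed "ke1234" are all assumptions made here. It goes slightly beyond the thread in two ways: it shows why a plain CAPABILITY reply cannot carry a per-user sequence (capabilities are announced before the server knows who is logging in), and it answers X-OTP-SEQ for unknown users with a stable fake challenge so that the command does not double as a user-enumeration oracle.

```python
"""Toy IMAP-style front end showing three ways to hand an OTP challenge to the
client: the challenge in a failed LOGIN reply (Frank's proposal), a capability,
and a private X-OTP-SEQ command. The OTP is a simplified hash chain, not
pam_otp's algorithm. X-OTP, X-OTP-SEQ, X-OTP-CHALLENGE and "otp-sha256" are
names assumed for this example only."""
import hashlib
import hmac
import os
import shlex


def _h(data: bytes) -> bytes:
    """One link of the hash chain."""
    return hashlib.sha256(data).digest()


def make_chain(secret: str, seed: str, length: int) -> bytes:
    """H^length(secret || seed). The server stores H^n; the client sends H^(n-1)."""
    value = (secret + seed).encode()
    for _ in range(length):
        value = _h(value)
    return value


def client_response(secret: str, challenge: str) -> str:
    """What the user's OTP calculator prints for 'otp-sha256 <seq> <seed>'."""
    algo, seq, seed = challenge.split()
    if algo != "otp-sha256":
        raise ValueError("unsupported challenge type")
    return make_chain(secret, seed, int(seq)).hex()


class OtpServer:
    def __init__(self):
        self.users = {}  # user -> {"seq": int, "seed": str, "last": bytes}
        # Random per-server key used to fabricate plausible challenges for
        # unknown users, so replies do not reveal which accounts exist.
        self._enum_key = os.urandom(32)

    def enroll(self, user: str, secret: str, seed: str, length: int = 10):
        self.users[user] = {"seq": length, "seed": seed,
                            "last": make_chain(secret, seed, length)}

    def challenge(self, user: str) -> str:
        """Next challenge for user; unknown users get a stable fake one."""
        st = self.users.get(user)
        if st is None:
            fake = hmac.new(self._enum_key, user.encode(), "sha256").hexdigest()[:6]
            return f"otp-sha256 9 {fake}"
        return f"otp-sha256 {st['seq'] - 1} {st['seed']}"

    def verify(self, user: str, response_hex: str) -> bool:
        st = self.users.get(user)
        if st is None:
            return False
        try:
            candidate = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(_h(candidate), st["last"]):
            return False
        st["last"] = candidate  # advance the chain: the same password cannot be replayed
        st["seq"] -= 1
        return True

    def handle(self, line: str) -> str:
        """Process one tagged command and return the server's reply."""
        tag, _, rest = line.partition(" ")
        cmd, _, args = rest.partition(" ")
        cmd = cmd.upper()
        if cmd == "CAPABILITY":
            # Option (a): CAPABILITY is answered before the server knows which
            # user is logging in, so it can only advertise that the extension
            # exists, not a per-user sequence number.
            return f"* CAPABILITY IMAP4rev1 X-OTP\r\n{tag} OK CAPABILITY completed"
        if cmd == "X-OTP-SEQ":
            # Option (b): a pre-login command that names the user explicitly.
            parts = shlex.split(args)
            if len(parts) != 1:
                return f"{tag} BAD X-OTP-SEQ expects a user name"
            return (f'* X-OTP-SEQ "{self.challenge(parts[0])}"\r\n'
                    f"{tag} OK X-OTP-SEQ completed")
        if cmd == "LOGIN":
            parts = shlex.split(args)
            if len(parts) != 2:
                return f"{tag} BAD LOGIN expects user and password"
            user, password = parts
            if self.verify(user, password):
                return f"{tag} OK LOGIN completed"
            # Frank's proposal: carry the challenge in the failure reply, so a
            # dummy password reveals the current sequence number.
            return f'{tag} NO [X-OTP-CHALLENGE "{self.challenge(user)}"] LOGIN failed'
        return f"{tag} BAD unknown command"
```

Typical use: enroll a user, send `a1 LOGIN frank dummy` (or `a1 X-OTP-SEQ frank`) to learn the challenge, compute `client_response(secret, challenge)` on the client side, and log in with that value; a second LOGIN with the same value is refused because the chain has advanced. Two caveats worth keeping in mind when reading the thread: a sequence number and seed are not secrets in this kind of scheme, so the real risk of exposing them pre-login is user enumeration rather than password disclosure, which is why the toy answers identically for unknown users; and IMAP already has a standard in-band way to deliver exactly this challenge, the SASL OTP mechanism (RFC 2444) via `AUTHENTICATE OTP`, where the server sends the challenge as part of the exchange instead of a failed LOGIN or a private command.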

