On Mon, 2007-07-23 at 17:15 +0200, Frank Behrens wrote:
> Solution 1:
> When PAM is configured for IMAP the user can use a one-time-password in the
> same way as before. The problem is that the user must know the sequence number
> for the password (otp challenge), so we need a way to display it. The PAM module
> supplies the otp challenge in the conversation function, but the challenge is
> not processed by the IMAP server.
> My proposal: The IMAP server stores the challenge from the conversation
> function and includes it in the LOGIN response when the login was not
> successful. So a user can try a login with a wrong dummy password and get
> knowledge about the current otp sequence.

I'd like to see your patch for this. I've no idea how pam_otp works.

> Solution 3:
> When we configure PAM we can restrict/allow its use depending on the IP address
> of the client. Unfortunately with a webmail client the IMAP client is always the
> webserver. It should be possible that the webserver forwards the client IP
> address to the IMAP server. Furthermore, to use dovecot's login cache as
> described above in a safe manner, the IP address should be compared, too.
> My proposal: Create a new IMAP command "XSETREMOTEIP". With this IMAP
> extension a client can set the real IP address of the remote client. Access to
> this command is restricted to the webserver with a new configuration parameter
> "trusted clients", which holds an IP address with mask.

Cyrus Murder has something similar to this I think. We could make it
compatible with it.

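The two proposals above as one small runnable model, added here as an illustration; it is not code from Dovecot, pam_otp, or anyone in the thread. The command name XSETREMOTEIP and the "trusted clients" setting come from the proposal; the challenge text, the setting's value, the sample user, passwords and addresses, the plain-dict login cache, and the response wording are all assumptions made for the example. It shows a LOGIN failure carrying the stored PAM challenge back to the client, XSETREMOTEIP refused from a peer outside the trusted network, and a login cache entry bound to the forwarded client address so that a consumed one-time password cannot be replayed from a different address.

```python
import hashlib
import ipaddress

# Constructed stand-in for the state pam_otp keeps: the current sequence number
# per user and the one-time password valid for each sequence.
OTP_SEQ = {"frank": 97}
OTP_PASSWORDS = {"frank": {97: "pw-97", 96: "pw-96"}}

# Assumed form of the proposed "trusted clients" setting: networks whose peers
# may issue XSETREMOTEIP (here, the webmail server's subnet).
TRUSTED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]


def pam_authenticate(user, password):
    """Stand-in for the PAM stack. Returns (ok, challenge): the challenge is the
    text the conversation function would show (it carries the sequence number),
    and a one-time password is consumed on success, as with a real OTP."""
    if user not in OTP_SEQ:
        return False, None
    seq = OTP_SEQ[user]
    challenge = f"otp sequence {seq}"  # constructed challenge text
    if OTP_PASSWORDS[user].get(seq) == password:
        OTP_SEQ[user] = seq - 1
        return True, challenge
    return False, challenge


def cache_key(user, password, remote_ip):
    """Login-cache key bound to the client address; the password is hashed so
    the cache never holds it in clear."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return (user, digest, str(remote_ip))


class Session:
    """One IMAP connection. peer_ip is the TCP peer (the webserver, for webmail);
    remote_ip is the address used for the login cache, overridable only by a
    trusted peer via XSETREMOTEIP."""

    def __init__(self, peer_ip, login_cache):
        self.peer_ip = ipaddress.ip_address(peer_ip)
        self.remote_ip = self.peer_ip
        self.cache = login_cache
        self.user = None

    def handle(self, line):
        tag, cmd, *args = line.split()
        cmd = cmd.upper()
        if cmd == "XSETREMOTEIP":
            return self.xsetremoteip(tag, args)
        if cmd == "LOGIN":
            return self.login(tag, args)
        return f"{tag} BAD unknown command"

    def xsetremoteip(self, tag, args):
        if not any(self.peer_ip in net for net in TRUSTED_CLIENTS):
            return f"{tag} NO XSETREMOTEIP not allowed from {self.peer_ip}"
        if self.user is not None:
            return f"{tag} BAD XSETREMOTEIP must precede LOGIN"
        if len(args) != 1:
            return f"{tag} BAD syntax: XSETREMOTEIP <address>"
        try:
            self.remote_ip = ipaddress.ip_address(args[0])
        except ValueError:
            return f"{tag} BAD invalid address"
        return f"{tag} OK remote IP set"

    def login(self, tag, args):
        if len(args) != 2:
            return f"{tag} BAD syntax: LOGIN <user> <password>"
        user, password = args
        key = cache_key(user, password, self.remote_ip)
        if key in self.cache:
            self.user = user
            return f"{tag} OK logged in (cached)"
        ok, challenge = pam_authenticate(user, password)
        if ok:
            self.cache[key] = True
            self.user = user
            return f"{tag} OK logged in"
        if challenge:  # Solution 1: surface the stored challenge on failure
            return f"{tag} NO login failed, {challenge}"
        return f"{tag} NO login failed"


def demo():
    """Walk through both proposals on a fresh state; returns the responses."""
    OTP_SEQ["frank"] = 97
    cache = {}
    # An untrusted peer cannot forward a client address.
    stranger = Session("198.51.100.7", cache)
    r_untrusted = stranger.handle("a1 XSETREMOTEIP 203.0.113.5")
    # The webserver forwards the browser's address, probes the sequence number
    # with a dummy password, then logs in with the matching one-time password.
    web = Session("192.0.2.10", cache)
    web.handle("b1 XSETREMOTEIP 203.0.113.5")
    r_probe = web.handle("b2 LOGIN frank dummy")
    r_login = web.handle("b3 LOGIN frank pw-97")
    # A new connection for the same browser hits the cache, so the consumed
    # password still works for the rest of the webmail session.
    web2 = Session("192.0.2.10", cache)
    web2.handle("c1 XSETREMOTEIP 203.0.113.5")
    r_cached = web2.handle("c2 LOGIN frank pw-97")
    # A different browser address misses the cache; PAM rejects the used password.
    web3 = Session("192.0.2.10", cache)
    web3.handle("d1 XSETREMOTEIP 203.0.113.99")
    r_other = web3.handle("d2 LOGIN frank pw-97")
    return r_untrusted, r_probe, r_login, r_cached, r_other


if __name__ == "__main__":
    for response in demo():
        print(response)
```

The point of keying the cache on the forwarded address is the one Frank raises: with OTP, a successful password is consumed, so the cache is what lets a webmail front end re-authenticate per request; binding the entry to the client address keeps that convenience from turning into a replay from anywhere the webserver can be reached.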