On Tue, Jul 24, 2007 at 09:42:29AM +0300, Timo Sirainen wrote:
> On Mon, 2007-07-23 at 17:15 +0200, Frank Behrens wrote:
> > Solution 1:
> > When PAM is configured for IMAP the user can use a one-time password in the
> > same way as before. The problem is that the user must know the sequence
> > number for the password (OTP challenge), so we need a way to display it.
> > The PAM module supplies the OTP challenge in the conversation function,
> > but the challenge is not processed by the IMAP server.
> > My proposal: The IMAP server stores the challenge from the conversation
> > function and includes it in the LOGIN response when the login was not
> > successful. So a user can try a login with a wrong dummy password and get
> > knowledge about the current OTP sequence.
>
> I'd like to see your patch for this. I've no idea how pam_otp works.
I don't know a lot about the IMAP protocol's intricacies, but would it not be
cleaner to either:

a) provide the OTP sequence as a capability (e.g. X-OTP-SEQ=1234), or
b) provide a Dovecot-specific IMAP command for finding out the current
   sequence value (e.g. X-OTP-SEQ)

The sending of a dummy password to retrieve the LOGIN response seems like a bit
of a hack (no offense to Frank - I'm keen to see this OTP idea implemented),
but again, the above is written without much knowledge of the IMAP protocol.

Jasper
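The two ways of exposing the sequence number discussed in this thread, as an added example that is not part of the original mails or of Dovecot: a small client-side parser that reads the OTP sequence either from a hypothetical X-OTP-SEQ capability token (proposal a) or from a failed LOGIN reply carrying the PAM challenge (Frank's proposal). The capability name, the bracketed OTP-CHALLENGE response code and the sample server lines are assumptions; the challenge layout follows RFC 2289.

```python
import re

# Hypothetical capability token from proposal (a) in the thread; it is not a
# real Dovecot capability.
CAPABILITY_RE = re.compile(r"\bX-OTP-SEQ=(\d+)\b")

# RFC 2289 OTP challenge: "<algorithm> <sequence> <seed> ext", e.g.
# "otp-md5 487 ke1234 ext". The sequence number is the second field.
CHALLENGE_RE = re.compile(r"\b(otp-(?:md4|md5|sha1))\s+(\d+)\s+(\S+)")


def otp_seq_from_capability(line: str):
    """Proposal (a): read the sequence number from an untagged CAPABILITY
    response. Returns None when the server does not advertise it."""
    if not line.startswith("* CAPABILITY "):
        return None
    m = CAPABILITY_RE.search(line)
    return int(m.group(1)) if m else None


def otp_seq_from_login_failure(tag: str, line: str):
    """Frank's proposal: the server echoes the PAM challenge in the tagged NO
    reply to a failed LOGIN. The [OTP-CHALLENGE ...] response code is assumed;
    only a NO reply carrying our own tag is accepted."""
    fields = line.split(" ", 2)
    if len(fields) < 3 or fields[0] != tag or fields[1] != "NO":
        return None
    m = CHALLENGE_RE.search(fields[2])
    return int(m.group(2)) if m else None


def current_otp_sequence(capability_line: str, tag: str, login_reply: str):
    """Prefer the capability (no dummy login needed); fall back to the
    failed-LOGIN reply. None means neither mechanism exposed the sequence."""
    seq = otp_seq_from_capability(capability_line)
    if seq is None:
        seq = otp_seq_from_login_failure(tag, login_reply)
    return seq


if __name__ == "__main__":
    # Constructed sample server lines (not captured from a real Dovecot).
    cap = "* CAPABILITY IMAP4rev1 LOGINDISABLED"
    reply = "a1 NO [OTP-CHALLENGE otp-md5 487 ke1234 ext] Authentication failed."
    print(current_otp_sequence(cap, "a1", reply))
```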