On 13/11/2021 23:34, lists wrote:
The thing I don't like is most 2FA token generators. Ultimately you need
to transfer the polynomial that generates the code. Most do that with a
QR image. Well so much for security! Others have a one time emergency
code. Of course we are talking evil maid attacks, which granted is an
unacceptable term these days.
Now Yubikey at least has my attention. But people often leave the key
plugged into their notebook. Very true with the Google equivalent which
I have heard from Google employees. The keys themselves aren't exactly
transferable, but when you have physical access then all bets are off.
If some fool actually paid me to be sysadmin, I would use a Yubikey.
Note FreeOTP lets you input the code but also has the QR code fallback.
The phone app however hasn't been updated in years. It does allow you
to test out a TOTP scheme. It took me no time to write a script to
accept the token on Linux. The tricky part if I recall correctly was
setting up the script to accept the token that just expired. You would
want to do that to minimize user friction.
Not to get too far off track but I don't allow any web control over my
email server. There is no control panel to hack. I ssh into the server
and that uses PKI. I do everything via CLI. If ssh is compromised then
nothing else will be secure so email would be the last of my problems.
Companies such as LastPass (not an endorsement but an example)
supposedly incorporate password generators. If you are going to allow
users to set let alone change their own password, you might be able to
write a script that generates the password.
If I were to go up to the next level of security I would use mail-crypt.
It is just that I see so much chatter about getting it to work.
*From:* montneyty...@gmail.com
*Sent:* November 13, 2021 3:03 PM
*To:* dovecot@dovecot.org
*Subject:* Re: Strategies for protecting IMAP (e.g. MFA)
"Use strong (as in long and/or randomised and impossible to break using
rainbow table attacks) password"
Again, since it's just me, this is do-able. But I'm looking for
something practical as well.
I'm getting the feeling that people don't have an MFA implementation.
"if the users are sufficiently disciplined"
As a Sysadmin, I can tell you they genuinely are not and they likely
never will be.
Hope for the best, plan for the worst.
I also want to clarify that I'm not rejecting any of these suggestions,
they're all good.
On Sat, Nov 13, 2021 at 4:42 PM Ralph Seichter <ra...@ml.seichter.de> wrote:
* Tyler Montney:
> Since this is getting increasingly complicated, I wanted to ask before
> going further. What do you all do? Any recommendations?
Use strong (as in long and/or randomised and impossible to break using
rainbow table attacks) passwords which are used only once (!) and kept
either in the user's brain or in an encrypted password store. Ensure
that authentication data can only be transmitted over encrypted
connections.
These measures cover a lot of ground, if the users are sufficiently
disciplined. Users are usually the weakest link.
-Ralph
I almost reached this stage with a personal / open source project I am
working on.
It is based on Dovecot login scripts, and ejabberd to send alerts in
XMPP, from the postmaster account.
The details:
Custom Dovecot login scripts compute a "confidence" score, with two
thresholds. The first, lower threshold raises a warning sent by XMPP with
some details, while the second threshold simply denies the connection.
A few of us have been using it for a while, both on mobile and desktop.
The current stable version is based on Stretch, as Buster has too many
issues. We are now working on the Bullseye version.
It is perfectly valid to extend the Dovecot custom script to include, for
instance, Duo authentication.
Another option would be to extend a Dovecot custom login script to wait
for an answer to an XMPP message sent by postmaster, or even something
crazier like a HOTP / TOTP code.
Good luck.
Homebox: https://github.com/progmaticltd/homebox
--
𝓐𝓡 - André Rodier
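The thread mentions a home-grown script that accepts a TOTP code on Linux, with the tricky part being to also accept the code that has just expired so users are not rejected at a step boundary. The following is an added illustration of that idea and is not code from this thread or from the Homebox project: an RFC 4226/6238 HOTP/TOTP verifier with a configurable tolerance window and replay protection. The secret is the RFC 6238 test-vector secret (ASCII "12345678901234567890", shown here in the base32 form a QR or manual-entry enrolment would carry); the function and parameter names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret in the base32 form an otpauth:// URI would carry
# (constructed for this example; never reuse it for a real account).
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text: str) -> bytes:
    """Decode a base32 shared secret as entered from a QR code or by hand.
    Spaces and lowercase are tolerated; missing padding is restored."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, now: float, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Accept `code` if it matches any counter within +/- `window` steps
    of the current one (window=1 accepts the code that just expired),
    but never a counter at or before `last_counter`, which blocks replay
    of an already-used code. Returns the matched counter, or None."""
    current = int(now) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        # Constant-time comparison so timing does not leak digit matches.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    key = secret_from_base32(EXAMPLE_SECRET_B32)
    print("current code:", totp(key, time.time()))
    # A code from the previous step is still accepted with window=1 ...
    assert verify_totp(key, "287082", now=89) == 1
    # ... but the same counter cannot be used a second time.
    assert verify_totp(key, "287082", now=89, last_counter=1) is None
```

The server must persist the returned counter per user and pass it back as `last_counter` on the next attempt; without that, the tolerance window turns into a short replay window. Keep `window` at 1 (one step either side) unless clock drift on clients is demonstrably worse, since every extra step roughly doubles an attacker's chance per guess.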