> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:squirrelmail-[EMAIL PROTECTED] On Behalf Of Hadmut Danisch
> Sent: Friday, July 29, 2005 11:46 AM
> To: [email protected]
> Subject: [SM-USERS] Protecting IMAP passwords against keyloggers?
> 
> Hi,
> 
> I am just reflecting about a little security problem
> and maybe someone knows a solution:
> 
> There is a web server, access over https, protected with
> one time passwords. When you login you get access to
> squirrelmail. The server is intended to give the users
> access to email from internet cafes and other untrusted
> computers. That's why it uses one time passwords, since
> such computers always are suspected of being compromised and
> might have things like keyloggers.
> 
> Reading e-mail with squirrelmail requires a second login
> with the IMAP username and userpassword. But now, the same
> user and password database the IMAP server makes use of (LDAP)
> is intended to be used for other purposes, and now it is
> risky if passwords are caught by keyloggers.
> 
> Any idea how to circumvent entering the IMAP password
> for squirrelmail but still being secure?
> (User was already authenticated before)

I would imagine that http://www.squirrelmail.org/plugin_view.php?id=34
doesn't quite fit the bill but I'll bet it could be modified to do so.
For example, you might be able to modify login_auth_skip_login_do() in
functions.php to grab the username/password information from your LDAP
source based on whatever available information you have to identify the
user in the environment and replace references to $PHP_AUTH_PW and
$PHP_AUTH_USER with your new variables (you'll have to change the
variable names most likely).

I've never done it and never really looked at this plugin before but it
looks feasible. YMMV.

--
Marc


--
squirrelmail-users mailing list
Posting Guidelines: 
http://squirrelmail.org/wiki/wiki.php?MailingListPostingGuidelines
List Address: [email protected]
List Archives: 
http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives:  http://sourceforge.net/mailarchive/forum.php?forum_id)95
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
