Re: One time password for SM

On Tue, May 20, 2008 at 12:34 PM, Paul Lesniewski <paul@xxxxxxxxxxxxxxxx> wrote:
> On Tue, May 20, 2008 at 8:39 AM, Fredrik Jervfors
> <jervfors@xxxxxxxxxxxxxxxx> wrote:
>>> Ubuntu 7.04 server amd64
>>> SM 1.4.11
>>>
>>> I'm prepared to add One-Time-Password to SM as an experiment.  Please
>>> advise whether the following packages work on SM:
>>>
>>> opie-client opie-server libopie-dev
>>>
>>> They are on Ubuntu repo.
>>
>> No. Since SquirrelMail logs in to the IMAP server at least once per page
>> view, OTP is worthless. You might not even get as far as loading both
>> frames after logging in, since the password will change every time you use
>> it. Using an IMAP proxy might help though, until it times out and the
>> connection to the IMAP server is lost. Every time the connection is closed
>> or lost, a new password will be generated and throw you back to the
>> SquirrelMail login page.

You can get around this using Imapproxy - as noted in the doc.  It's
been a while since I wrote this, so I could be out-of-date.

>>
>>> On googling I found;
>>> Open Source Two-factor authentication: The WiKID Community Edition
>>> http://www.wikidsystems.com/community-version
>>>
>>> Can it work on SM?  If YES which package/packages shall I download?

The packages are listed in the how-to and in the original doc I used
to install everything:
http://nakedape.cc/info/Cyrus-IMAP-HOWTO/quickstart-fedora.html

>>
>> They state that they can. A link marked "Squirrelmail and other IMAP
>> services" on the first page links to
>> <http://www.wikidsystems.com/community-version/documentation/howtos/two_factor_webmail>.
>
> Their instructions depend on the weakness Fredrik pointed out not
> happening: the IMAP proxy server timing out your credentials.

I don't think so, but as I said, I could be wrong.

N.B: the version in the how-to uses radius, which is not part of the
open source Community Version.  However, we have a PHP network client
that could be integrated with the Community version.  Also, since I
wrote that how-to for SM, we have added mutual https authentication
that prevents network-based MITM attacks by validating the ssl cert
for the user. You can find out more about that
here: http://www.wikidsystems.com/learn-more/technology/mutual_authentication.

Nick

>
>>> OR are there other suggestions?  TIA
>>
>> A plugin hooked into the logout page of SquirrelMail could be used to
>> create a new password if the system allows it, but I don't have any
>> suggestions right now on how to do that in practice.
>
> I actually have a plugin sitting around that creates OTPs from within
> the SM interface (they are ONLY *SquirrelMail* OTPs); the somewhat
> insecure part of the puzzle being that SM actually takes the user's
> real password and stores it in an encrypted file.  The encryption is
> decent (any mcrypt-supported algorithm works), but it's still always
> an iffy proposition for an application to store user passwords.  This
> particular plugin is years old and needs a lot of face-lifting before
> it would be ready for use.
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>



-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
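
The behaviour discussed in this thread, as an added example that is not part of any poster's message and is not SquirrelMail, imapproxy or WiKID code: a small model of a front end that re-sends the session password on every page view, against a back end that accepts each password once, with and without a connection-caching proxy. All class and function names, the user name, the password string and the timeout value are assumptions made for illustration.

```python
"""Constructed model: one-time password vs. a webmail front end that
re-authenticates to IMAP on every page view."""


class OtpImapServer:
    """Hypothetical IMAP back end that accepts each password exactly once."""
    def __init__(self, passwords):
        self.unused = set(passwords)
        self.logins = 0                     # login attempts seen by the back end

    def login(self, user, password):
        self.logins += 1
        if password in self.unused:
            self.unused.discard(password)   # consumed: any replay must fail
            return True
        return False


class CachingProxy:
    """Hypothetical proxy that reuses an authenticated connection for the
    same credentials until it has been idle for more than `timeout` seconds."""
    def __init__(self, server, timeout):
        self.server, self.timeout = server, timeout
        self.cache = {}                     # (user, password) -> last-used time

    def login(self, user, password, now):
        key = (user, password)
        last = self.cache.get(key)
        if last is not None and now - last <= self.timeout:
            self.cache[key] = now           # reuse: back end sees no new login
            return True
        self.cache.pop(key, None)           # expired or unknown: real login
        if self.server.login(user, password):
            self.cache[key] = now
            return True
        return False


def browse(login, password, view_times):
    """Replay the session password on each page view; one result per view."""
    return [login("alice", password, t) for t in view_times]


def direct_session(view_times):
    server = OtpImapServer({"otp-1"})       # constructed sample password
    return browse(lambda u, p, t: server.login(u, p), "otp-1", view_times)


def proxied_session(view_times, timeout=300):
    server = OtpImapServer({"otp-1"})
    proxy = CachingProxy(server, timeout)
    return browse(proxy.login, "otp-1", view_times), server.logins
```

Without the proxy only the first page view authenticates; with it, the session survives until a gap between views exceeds the idle timeout, at which point the replayed password reaches the back end and is rejected.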
