Re: One time password for SM

On Tue, May 20, 2008 at 11:23 AM, Nick Owen <nowen@xxxxxxxxxxxxxxxx> wrote:
> On Tue, May 20, 2008 at 12:34 PM, Paul Lesniewski <paul@xxxxxxxxxxxxxxxx> wrote:
>> On Tue, May 20, 2008 at 8:39 AM, Fredrik Jervfors
>> <jervfors@xxxxxxxxxxxxxxxx> wrote:
>>>> Ubuntu 7.04 server amd64
>>>> SM 1.4.11
>>>>
>>>> I'm preparing to add One-Time-Password to SM as an experiment.  Please
>>>> advise whether the following packages work with SM:
>>>>
>>>> opie-client opie-server libopie-dev
>>>>
>>>> They are on Ubuntu repo.
>>>
>>> No. Since SquirrelMail logs in to the IMAP server at least once per page
>>> view, OTP is worthless. You might not even get as far as loading both
>>> frames after logging in, since the password will change every time you use
>>> it. Using an IMAP proxy might help though, until it times out and the
>>> connection to the IMAP server is lost. Every time the connection is closed
>>> or lost, a new password will be generated and throw you back to the
>>> SquirrelMail login page.
>
> You can get around this using Imapproxy - as noted in the doc.  It's
> been a while since I wrote this, so I could be out-of-date.
>
>>>
>>>> On googling I found;
>>>> Open Source Two-factor authentication: The WiKID Community Edition
>>>> http://www.wikidsystems.com/community-version
>>>>
>>>> Can it work on SM?  If YES which package/packages shall I download?
>
> The packages are listed in the how-to and in the original doc I used
> to install everything:
> http://nakedape.cc/info/Cyrus-IMAP-HOWTO/quickstart-fedora.html
>
>>>
>>> They state that they can. A link marked "Squirrelmail and other IMAP
>>> services" on the first page links to
>>> <http://www.wikidsystems.com/community-version/documentation/howtos/two_factor_webmail>.
>>
>> Their instructions depend on the weakness Fredrik pointed out not
>> happening: the IMAP proxy server timing out your credentials.
>
> I don't think so, but as I said, I could be wrong.

I think you are.  WHY don't you think so?  If imapproxy decides it's
time to release the user's login session (sure, this depends on a
number of factors in the configuration of all the tools involved -
imapproxy, SM, PHP), the password is lost and your webmail session
dies unexpectedly.  If you have enough idle time configured into
everything and auto folder list refresh turned on, you might be able
to get away with it, but this relies on a user config setting (folder
refresh), which isn't ideal.

> N.B: the version in the how-to uses radius, which is not part of the
> open source Community Version.  However, we have a PHP network client
> that could be integrated with the Community version.  Also, since I
> wrote that how-to for SM, we have added mutual https authentication
> that prevents network-based MITM attacks by validating the ssl cert
> for the user. You can find out more about that
> here: http://www.wikidsystems.com/learn-more/technology/mutual_authentication.

Keep up the great work!


>>>> OR are there other suggestions?  TIA
>>>
>>> A plugin hooked into the logout page of SquirrelMail could be used to
>>> create a new password if the system allows it, but I don't have any
>>> suggestions right now on how to do that in practise.
>>
>> I actually have a plugin sitting around that creates OTPs from within
>> the SM interface (they are ONLY *SquirrelMail* OTPs); the somewhat
>> insecure part of the puzzle being that SM actually takes the user's
>> real password and stores it in an encrypted file.  The encryption is
>> decent (any mcrypt-supported algorithm works), but it's still always
>> an iffy proposition for an application to store user passwords.  This
>> particular plugin is years old and needs a lot of face-lifting before
>> it would be ready for use.

-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
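
A simplified model of the failure mode debated in this thread, added here as an illustration; it is not code from SquirrelMail, imapproxy or WiKID. The class names, the passcodes, the 300-second idle timeout and the page-view timestamps are all constructed assumptions: the webmail re-authenticates to IMAP on every page view, the backend accepts each passcode once, and the proxy reuses an authenticated connection only while it has not been idle too long.

```python
class OtpImapServer:
    """Hypothetical IMAP backend: each passcode is accepted exactly once."""
    def __init__(self, passcodes):
        self.unused = set(passcodes)

    def login(self, user, passcode):
        if passcode in self.unused:
            self.unused.discard(passcode)  # consumed on first use
            return True
        return False


class CachingProxy:
    """Hypothetical stand-in for an IMAP proxy with an idle timeout."""
    def __init__(self, server, idle_timeout):
        self.server, self.idle_timeout = server, idle_timeout
        self.last_used = {}  # (user, passcode) -> time of last page view

    def login(self, user, passcode, now):
        key = (user, passcode)
        last = self.last_used.get(key)
        if last is not None and now - last <= self.idle_timeout:
            self.last_used[key] = now      # cached connection reused
            return True
        self.last_used.pop(key, None)      # expired: must hit the backend
        if self.server.login(user, passcode):
            self.last_used[key] = now
            return True
        return False


def browse(login, passcode, page_times):
    """Webmail session: one IMAP login per page view with the stored passcode."""
    return [login("alice", passcode, t) for t in page_times]


def run_scenarios():
    direct = OtpImapServer({"111111"})
    idle = CachingProxy(OtpImapServer({"222222"}), idle_timeout=300)
    busy = CachingProxy(OtpImapServer({"333333"}), idle_timeout=300)
    return {
        "no proxy": browse(lambda u, p, now: direct.login(u, p), "111111", [0, 5, 10]),
        "proxy, user idles": browse(idle.login, "222222", [0, 60, 120, 500]),
        "proxy, folder refresh": browse(busy.login, "333333", [0, 120, 240, 360, 480]),
    }


if __name__ == "__main__":
    for name, pages in run_scenarios().items():
        print(f"{name:22} {pages}")
```

In this model the session survives only while some request (here, a periodic folder refresh) keeps arriving inside the proxy's idle window; the first gap longer than the timeout forces a backend login with an already-consumed passcode.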