#461 show IMAP server login response (for OTP)

closed-rejected
nobody
None
5
2009-11-14
2009-11-12
Frank Behrens
No

A one-time password (OTP) is a password that is only valid for a single login session. This is very useful for a webmail client when it is used in an unsafe environment. To use an OTP the user must know the current sequence number. For a terminal login the sequence number is displayed by the login program; a webmail client must also be able to give this information to the user. An easy solution is given here:

SquirrelMail displays the error response from the IMAP server, which contains the OTP sequence number, to the user. When the user does not know the sequence number, he can try to log in with his name and an arbitrary password, and the error message will contain the sequence number. With this number he can determine the right password and log in again.

The attached patch implements the display of the error response from the IMAP server. With a current Dovecot server the use of one-time passwords is possible. Only an operating-system-dependent PAM configuration is necessary.

Discussion

  • Frank Behrens
    2009-11-12

    OTP response display

     
    Attachments
  • Thanks for your interest and contribution.

    The solution you describe is not the definitive way to implement one-time passwords. This kind of functionality can differ wildly between implementations and is therefore a perfect candidate for a plugin (there are already a couple of OTP plugins). Please consider plugin implementations. There is a hook that is called during the error display which could be helpful, or you might be able to do something on one of the few hooks on the login page itself. If you think the only place you can implement this is where your patch is located, you should present your case to the development team and we'll consider if a new hook is justified.

    BTW, watch how you check the result of strpos - your implementation will always try to get the "logmsg" even when the OTP error isn't found in the response. Additionally, just appending the additional error info to the error string isn't well suited to proper i18n.

     
    • status: open --> closed-rejected
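
The two review points in the reply above (the `strpos` result check and appending raw text to the error string), as an added example that is not part of this thread, the attached patch or SquirrelMail. The function names and the sample responses are hypothetical and constructed; the challenge layout assumed is the RFC 2289 form `otp-<algorithm> <sequence> <seed>`, and the code targets current PHP.

```php
<?php
// Added example, not SquirrelMail code; names and samples are hypothetical.

/** Return the OTP challenge carried in an IMAP error response, or null. */
function extract_otp_challenge(string $response): ?array
{
    // stripos()/strpos() return int 0 for a match at offset 0 and false for
    // no match. Loose tests such as `>= 0` or `!= -1` are also true for
    // false, so the "not found" case must be tested with ===.
    $pos = stripos($response, 'otp-');
    if ($pos === false) {
        return null; // no challenge present: extract nothing
    }
    // Assumed RFC 2289 layout: "otp-<algorithm> <sequence> <seed>".
    $re = '/\Gotp-(md4|md5|sha1)\s+(\d{1,9})\s+([A-Za-z0-9]{1,16})\b/i';
    if (!preg_match($re, $response, $m, 0, $pos)) {
        return null; // "otp-" occurred, but not as a well-formed challenge
    }
    return ['algorithm' => strtolower($m[1]),
            'sequence'  => (int) $m[2],
            'seed'      => $m[3]];
}

/** Build the text shown on the login error page, or null if no challenge. */
function otp_login_message(string $response): ?string
{
    $c = extract_otp_challenge($response);
    if ($c === null) {
        return null;
    }
    // One translatable format string with placeholders, instead of
    // concatenating server text onto an already translated message.
    $fmt = 'One-time password challenge: %1$s %2$d %3$s';
    if (function_exists('_')) {
        $fmt = _($fmt); // gettext lookup when the extension is loaded
    }
    $text = sprintf($fmt, 'otp-' . $c['algorithm'], $c['sequence'], $c['seed']);
    // Only the validated fields are shown, escaped for HTML output.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample responses (not captured from a real server).
$samples = [
    'A001 NO [AUTHENTICATIONFAILED] otp-md5 498 ke1234 ext',
    'otp-md5 498 ke1234 ext', // match at offset 0
    'A001 NO [AUTHENTICATIONFAILED] Authentication failed.',
];
foreach ($samples as $s) {
    var_dump(otp_login_message($s));
}
```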