[horde] Login with security token: advice wanted [long]

Michele Bergonzoni bergonz at labs.it
Wed Apr 27 17:05:10 UTC 2011


I have Horde 4.0 configured to accept logins with username + password + 
security token. My setup is working fine, but is "kludgy" because I 
directly modified a source file, so it will probably be overwritten at 
each upgrade, is difficult to maintain, etc.

I am seeking advice about how to do this "properly" with the hooks and 
config parameters available if possible. What follows is a description 
of the problem and how I currently solved it.

Our users login with a username, a password, and a string of digits 
coming out of a security token (those little devices that look like a 
keyfob and give you a different number each time you press the button). 
I don't think it matters, but we are using Feitian c100 and c200 tokens. 
What matters is that the number that is valid now will not be valid 
later (this is an essential property of this kind of setup, and the 
specific definition of "later" can vary).

We have users and passwords in LDAP, and we set up a RADIUS server to 
verify the token digits: it takes username, "password" made with LDAP 
password + space + digits, and then accepts or rejects. This double 
setup is intended to accommodate both services that have a deliberate and 
distinguished act of login from the user (e.g., horde, any session-based 
web app, ssh, some VPNs, etc.) and services where the credentials are 
stored somewhere and verified without user intervention (e.g. web with 
HTTP basic auth, IMAP with most clients including IMP).

Back to horde, we want the user to insert the password, that IMP will 
use for IMAP, and the digits, that we will check (together with the 
password) against the RADIUS server.

What I did was to set up horde to use an app (imp) for authentication, 
and then modify ./imp/lib/Application.php so that:

* at line 375, before the js_code assignment, a new $params entry is 
added as follows:

$params['token_digits'] = array(
    'label' => _("Token digits"),
    'type'  => 'password',
);

* in authAuthenticate, in the "if ($new_session) {" block, check 
credentials (fetched from the $credentials array) against RADIUS. If 
rejected throw REASON_FAILED, if accepted do what was previously in that 
block.

This probably has the side effect of one more password check at login: 
unintended and unuseful, but harmless.

Now you will agree that this is a kludge. I enjoy having the additional 
field in the login screen, but it is not an absolute requirement: I can 
have the users enter password + space + digits in a single field.

If you've read so far and want to give me advice, should I:

1 - make a new Auth plugin starting from Base.php (or maybe 
Composite.php?), and find a way to have it ask for the digits, and to 
pass IMP the password without digits, or

2 - use IMP for authentication, have the user enter password + space + 
digits, and try to fiddle with its hooks so that the digits will be 
discarded for IMAP use, or

3 - something different?

Thanks to you for reading so much, to those who will reply with some 
insight, and to Horde developers for this incredible project with such 
quality PHP OO code.

Regards,

			Bergonz


-- 
Ing. Michele Bergonzoni - Laboratori Guglielmo Marconi S.p.a.
Phone:+39-051-4392826 Fax:+39-051-6153683 e-mail: bergonz at labs.it
alt.advanced.networks.design.configure.operate

