[horde] multi-factor authentication

Ralf Lang lang at b1-systems.de
Fri Mar 30 18:58:05 UTC 2018



On 30.03.2018 at 18:02, Bjoern Voigt wrote:
> Ralf Lang wrote:
>> Vault doesn't really address what is needed here.
>> There are two options here:
>>
>> - Delegate authentication to an auth provider (shibboleth, saml, openid
>> connect, etc) and let them worry about 2-factor implementation
>> - Build a 2-factor driver for horde
>>
>> Both are somehow on my list, but no specific timeline can be given.
>> However, I am more interested in open solutions like TOTP/HOTP.
>> Though I use commercial RSA SecurId tokens in my daily work, I have
>> absolutely no interest in building a direct interface to the server
>> component.
> Ralf, you seem to know the Horde authentication code very well.
>
> I think some users need a quick (but not dirty) solution for Horde/IMP.
>
> I think Yubikeys and TOTP/HOTP solutions can be easily used in Horde.
> The basic idea for services without an integrated 2FA module is to enter
> a combined password <user password><2FA password>. Second factor
> passwords have a fixed length, so the combined password can be split
> with simple rules.
>
> There is a hook "preauthenticate" in horde/config/hooks.php, which can
> be used here. My idea is:
>
>  1. Check the username, if 2FA is enabled for the user
>  2. Consistency check, if there is a combined password
>  3. Split the combined password
>  4. Do the verification for the second factor password
>  5. Return false, if the second factor password is wrong
>  6. Return the first factor password within the "entry" array, if the
>     second factor password is right
>
> I haven't implemented this yet. But it should work.
>
> I think the drawbacks would be:
>
>   * Passwords cannot be saved comfortably anymore, because you need a
>     new combined password for each login
>   * Activesync clients will fail for the same reason
>
> Greetings,
> Björn
>
Hi Björn,

It should work; however, it would break a little more stuff if done this way:

* remote APIs (caldav, xml-rpc, json-rpc)
* Most likely passwd (the password management module)

Suggestion:
* implement as a driver (Horde_Auth_Base descendant) wrapping the actual
driver rather than hook
* extract the original password for use in backends (imap, sieve,
ftp/gollem, ...) as you suggest

Jan Schneider has written a 2-part blog on details of horde
authentication. It's a good read.

-- 
Ralf Lang
Linux Consultant / Developer
Tel.: +49-170-6381563
Mail: lang at b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
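Björn's six preauthenticate steps, worked through as an added example in Python (not Horde code, and not written by either poster): the combined password is split on a fixed six-digit TOTP suffix, the second factor is checked against RFC 6238 with a one-step drift window, and only the first-factor password is handed on. The user-to-secret table, the `now` parameter and the pass-through `True` for users without 2FA are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time

OTP_LEN = 6        # fixed length of the second factor (TOTP digits)
TOTP_STEP = 30     # RFC 6238 time step in seconds
TOTP_WINDOW = 1    # accept one step of clock drift either way

# Constructed demo table: users with 2FA enabled and their base32 TOTP
# secrets (this one is the RFC 6238 test secret "12345678901234567890").
# A real deployment would load this from Horde prefs or a database.
USER_SECRETS = {
    "bjoern": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}

def hotp(secret_b32, counter, digits=OTP_LEN):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp_valid(secret_b32, code, now=None):
    """Step 4: compare in constant time against the current step +/- window."""
    now = int(time.time()) if now is None else int(now)
    counter = now // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret_b32, c), code)
               for c in range(counter - TOTP_WINDOW, counter + TOTP_WINDOW + 1))

def split_combined(password):
    """Steps 2 and 3: the last OTP_LEN characters must be a digit-only OTP."""
    if len(password) <= OTP_LEN or not password[-OTP_LEN:].isdigit():
        return None
    return password[:-OTP_LEN], password[-OTP_LEN:]

def preauthenticate(user_id, credentials, now=None):
    """Mirrors the hook contract: False rejects the login, True passes it
    through unchanged, a dict supplies the credentials the backend sees."""
    secret = USER_SECRETS.get(user_id)
    if secret is None:                       # step 1: 2FA not enabled
        return True
    parts = split_combined(credentials.get("password", ""))
    if parts is None or not totp_valid(secret, parts[1], now):
        return False                         # step 5: bad shape or bad OTP
    creds = dict(credentials)
    creds["password"] = parts[0]             # step 6: first factor only
    return {"credentials": creds}
```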



More information about the horde mailing list