2 factor authentication for Dovecot/Postfix / SSH / PAM
Solution 1
Really, you want to choose the proper authentication protocol that is supported by PAM, the services you want to protect and the broadest number of two-factor authentication servers.
Radius is the answer.
All major two-factor authentication systems support radius. Radius is supported in PAM through the pam-radius plugin. Radius will also allow you to proxy the requests through freeradius (or NPS on AD) which can then perform authorization against your directory. (Meaning that you have one location to disable users.)
We have a number of tutorials that should help: a couple on pam-radius: https://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to & https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-pam-radius-in-ubuntu
And this one on adding two-factor auth to webmail that covers sasl etc. https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-webmail-for-wikid-strong-authentication
The email clients will be prompted for an OTP each time they launch or for each session.
Pam-tacacs and pam-ldap would be other options, but more difficult and less flexible, IMO.
Solution 2
Google Authenticator has a PAM module. The instructions for it are here. I'm not sure how it would work with mail.
Related videos on Youtube
Ward - Reinstate Monica
Updated on September 18, 2022Comments
-
Ward - Reinstate Monica almost 2 years
I'm wondering if there is some kine of 2 factor authentication module which supports PAM. My dovecot(PAM), postfix(SASL) and openssh authenticate via PAM to the system users. I would like to have it do 2 factor authentication, maybe via yubikey, google authenticator or whatever. And also, how would my mail client handle that?
-
Ward - Reinstate Monica about 5 yearsRepeatedly editing your post to be junk is not appropriate, please stop doing that.
-
Pavin Joseph almost 5 years@Ward I see the edits, why would OP do that though?
-
Ward - Reinstate Monica almost 5 years@Joseph It happens sometimes, when a person is unhappy with the response to their question (or sometimes with another question on the site or another SE site) and they decide to leave SE but want to take their content with them.
-