2 factor authentication for Dovecot/Postfix / SSH / PAM

ssh debian dovecot postfix
11,213

Solution 1

Really, you want to choose the proper authentication protocol that is supported by PAM, the services you want to protect and the broadest number of two-factor authentication servers.

Radius is the answer.

All major two-factor authentication systems support radius. Radius is supported in PAM through the pam-radius plugin. Radius will also allow you to proxy the requests through freeradius (or NPS on AD) which can then perform authorization against your directory. (Meaning that you have one location to disable users.)

We have a number of tutorials that should help: a couple on pam-radius: https://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to & https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-pam-radius-in-ubuntu

And this one on adding two-factor auth to webmail that covers sasl etc. https://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-webmail-for-wikid-strong-authentication

The email clients will be prompted for an OTP each time they launch or for each session.

Pam-tacacs and pam-ldap would be other options, but more difficult and less flexible, IMO.

Solution 2

Google Authenticator has a PAM module. The instructions for it are here. I'm not sure how it would work with mail.

Share:
11,213

Related videos on Youtube

Ward - Reinstate Monica
Author by

Ward - Reinstate Monica

Updated on September 18, 2022

Comments

  • Ward - Reinstate Monica
    Ward - Reinstate Monica almost 2 years

    I'm wondering if there is some kine of 2 factor authentication module which supports PAM. My dovecot(PAM), postfix(SASL) and openssh authenticate via PAM to the system users. I would like to have it do 2 factor authentication, maybe via yubikey, google authenticator or whatever. And also, how would my mail client handle that?

    • Ward - Reinstate Monica
      Ward - Reinstate Monica about 5 years
      Repeatedly editing your post to be junk is not appropriate, please stop doing that.
    • Pavin Joseph
      Pavin Joseph almost 5 years
      @Ward I see the edits, why would OP do that though?
    • Ward - Reinstate Monica
      Ward - Reinstate Monica almost 5 years
      @Joseph It happens sometimes, when a person is unhappy with the response to their question (or sometimes with another question on the site or another SE site) and they decide to leave SE but want to take their content with them.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Connection refused from remote computers on port 25 with postfix
Dovecot handshake failure, on Postfix success
dovecot not letting me telnet localhost 110 -- imap and pop3-login not starting up
Postfix sends as hostname.domain.com instead of domain.com
Debian - Postfix + Dovecot, send but not receive mail
Fetching mails into postfix/dovecot via pop3/imap
Mail Server Can't Receive Email But Can Send Email - Postfix, Dovecot, MySQL
How to disable Postfix logging?
Dovecot doesn't start
Cannot open mailbox /var/mail/<user>: Permission denied