I am looking for a way to use one-time passwords for Horde/IMP on FreeBSD. I do not want to use PAM (local users on the machine). Currently I use authentication via IMAP4 (link between the IMAP4 server and Postfix via MySQL, to have the same password for sending and receiving), and I expect that not all users of Horde/IMP will use OTP if it is available, so the problem is not that easy. I can imagine a solution which tries to authenticate via OTP first and, if it succeeds, gets a password for the login to the IMAP4 server. If the OTP authentication fails, it could try the entered password for the login to the IMAP4 server. Migrating existing users to a new solution can be done by telling them to enter the password from the machine of the person doing the migration. The solution needs to log in to the IMAP4 server automatically; entering a password for the IMAP4 server after the OTP login to Horde is not an option.
Oh, yes, sending the passwords over SSL is not an option (that is already the only way to log in there). The goals are to have
- an easy-to-remember password for an OTP app on the mobile to generate the real password
- the password expire fast, so that a stolen password does not cause much harm
- not the same login-password for different services (mail-pw != jabber-pw != user-pw)
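The flow the question sketches, as an added example that is not part of the original post and not Horde's own code: try the OTP first and, if it verifies, hand back the stored IMAP password for the automatic IMAP4 login; otherwise fall back to trying the entered password against IMAP. Everything below is an assumption for illustration: the OTP scheme is TOTP (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits), each user record holds an optional TOTP secret plus the IMAP password Horde should use after an OTP login, the user table is constructed inline, and the real IMAP4 login is replaced by the callable `imap_login_ok`.

```python
"""Added example (not from the original post or from Horde/IMP): OTP-first
login with fallback to the entered password, returning the credential that
should be used for the automatic IMAP4 login.

Assumptions (not stated in the post): TOTP per RFC 6238 is the OTP scheme; a
per-user record holds an optional TOTP secret and the IMAP password to use
after a successful OTP login; `imap_login_ok` stands in for a real IMAP check.
"""
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional

STEP_SECONDS = 30   # TOTP time step
DIGITS = 6          # code length
WINDOW = 1          # accept one step of clock skew in either direction


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP_SECONDS)


def totp_valid(secret: bytes, candidate: str, at: int) -> bool:
    """Check the entered code against the current step and its neighbours,
    using a constant-time comparison for each candidate."""
    step = at // STEP_SECONDS
    for delta in range(-WINDOW, WINDOW + 1):
        if hmac.compare_digest(hotp(secret, step + delta), candidate):
            return True
    return False


# Constructed user table (hypothetical data). `otp_secret` is None for users
# who have not migrated to OTP; `imap_password` is the password Horde uses for
# the IMAP4 login after a successful OTP login and, following the post's
# migration idea, is one the user never typed themselves.
USERS = {
    "alice": {"otp_secret": b"12345678901234567890",   # RFC 6238 test secret
              "imap_password": "alice-imap-credential"},
    "bob":   {"otp_secret": None, "imap_password": None},
}


def authenticate(username: str, entered: str,
                 imap_login_ok: Callable[[str, str], bool],
                 at: Optional[int] = None) -> Optional[str]:
    """Return the password to use for the IMAP4 login, or None if login fails.

    1. If the user has an OTP secret and `entered` is a valid TOTP code, return
       the stored IMAP password (automatic IMAP login, no second prompt).
    2. Otherwise try `entered` directly against IMAP (non-OTP users, or an OTP
       user who typed their IMAP password).
    """
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        return None
    secret = user["otp_secret"]
    if secret is not None and totp_valid(secret, entered, at):
        return user["imap_password"]
    if imap_login_ok(username, entered):
        return entered
    return None


if __name__ == "__main__":
    # Stand-in for the IMAP4 server: only bob's password is known to it here.
    def fake_imap(username: str, password: str) -> bool:
        return username == "bob" and password == "bob-mail-password"

    now = int(time.time())
    print(authenticate("alice", totp(USERS["alice"]["otp_secret"], now), fake_imap, now))
    print(authenticate("bob", "bob-mail-password", fake_imap, now))
    print(authenticate("bob", "wrong", fake_imap, now))
```

Because of the fallback in step 2, an OTP user's stored IMAP password still works if someone types it into Horde, which is why the post's migration idea (the migrator sets a password the user never sees) matters: it keeps the OTP path the only one a user can actually take, and keeps the mail password distinct from the user's other passwords as the third goal asks. In a real deployment the stored IMAP password would need to be kept encrypted at rest rather than in a plain dictionary.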