Since Google released their "OTP" (One-Time Password Authentication) source code a little while ago it became pretty easy to protect any web application (or others) by adding a third information on the login page. whatever you call it (pass-code, token, etc ..), it's changing every 30s and almost any decent phone can generate the "token", so only YOU can log in.
I've just implemented this solution to the IEM (Interspire Email Marketer) admin interface and it works lik a charm. Now I start to think that everywhere I have a web console I also want to have a Two-factor authentication, make sense right
Since the webmail interface of kerio is running PHP, I know it's possible to implement it there as well but before throwing myself into it I wanted to share that little project with you and why not get a little help in the process.
I've started playing a little bit with the latest Kerio Connect web interface and it looks like the only file to modify is:
C:\Program Files (x86)\Kerio\MailServer\web\webmail\login\loginDialog.inc
I've been inspired few days ago by the following article (and are using their OTP PHP class) : www.idontplaydarts.com/2011/07/google-totp-two-factor-authen tication-for-php
Based on what I did with Interspire I'm trying to recreate it with Kerio connect Webmail GUI.
- I've put the PHP class into C:\Program Files (x86)\Kerio\MailServer\web\webmail\login\
- I've added the line require_once("token.php"); after line 78
- I've added an extra field after the "password" so we can enter the Token
Everything works, but what I want to do now is check if the variable "kerio_token" = "$otp", and if not replace (on-the-fly) the username by something wrong ex: "xxxxxx" so if the token is wrong then the authentication will fail. Again that's maybe the not the best or the sexiest implementation yet but it definitely works on IEM so why bother finding another way to do it.
That's it fellas ... I'll be more than happy to exchange on the subject and of course try to find a way to implement it so the "Kerio Community" can benefit from it.
Over and Out,
[Updated on: Thu, 06 December 2012 22:30]
Kerio discussion forums are intended for open communication between forum
members and may contain information and material posted by members which may
be useful in learning about Kerio products. The discussion forums are not
intended to provide technical support for any specific product. Any
information implied or expressed in the discussion forums is that of the
posting member. Kerio is in no way responsible for the information posted in
the forums, or its accuracy. Kerio employees may participate in the
discussions, but their postings do not represent an offical position of the
company on any issues raised or discussed. Kerio reserves the right to
monitor and maintain the forums to promote free and accurate exchange of