[BlueOnyx:24715] Re: New BlueOnyx server for migrate old BO centos 6 server.

Michael Stauber mstauber at blueonyx.it
Mon Jan 18 03:31:18 -05 2021


Hi Florian,

> I think users are very much used to using their email address 
> instead of the username for email nowadays (at least here in
> Germany). Maybe there’s a possibility to include that in future
> releases?

This has been talked about in the past and it isn't that easy of a
transition.

For all relevant logins (SMTP, Dovecot, FTP, SSH, GUI and other odds and
sods) we use PAM authentication. And that usually means: Username and
password. This works out of the box and we can use the Linux user
accounts and passwords.

PAM can be extended to use the email-address instead of the username.
But that usually involves stuffing the user accounts into LDAP or MySQL
*and* throwing a lot of extra logic onto the problem. You're basically
writing your own login mechanism with all intricacies and potential
problems.

Usernames are unique. No two Linux users can have the same name.

Email addresses are a hell of a lot more complicated, because the same
account can have many different email aliases and there could even be a
wildcard email account under any given domain. And from the specified
email address you need to extrapolate which Linux user that actually is.

Then the question is: What's the actual benefit?

In reality: There is none.

So we'd be throwing a lot of extra complexity at a non-existing problem
for no gain. Instead we'd create something horribly complex that has new
points of failure and possibly even security holes in its first few
iterations. That's just not worth the risk.

There is also another thing to keep in mind:

Brute force dictionary attacks.

Just because *everyone* (and their mother) is using email addresses
these automated attack tools run flat into a wall on a BlueOnyx. Because
if you try to authenticate with an email-address instead of a username,
then that's a default authentication failure.

Lastly: The email addresses a server responds to can easily be probed
from the outside and there are automated tools to harvest them.
Likewise, anyone you communicate with via email knows your email address.

On other platforms an attacker therefore already knows one half of your
two-factor authentication and only needs to brute force the password.

And on a BlueOnyx there isn't necessarily a direct relation between the
login-token (username) and the email address.

-- 
With best regards

Michael Stauber
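
The username-versus-address lookup discussed above, as an added example that is not BlueOnyx code: the account table, aliases and wildcard domain are constructed, `resolve_username_login` mirrors the username-only check PAM performs, and `resolve_email_login` is a hypothetical resolver showing the extra mapping logic an address-based login would need.

```python
"""Constructed example: mapping a submitted login token to a Linux account.

Usernames resolve directly (one name, one account).  E-mail addresses must
be searched through per-user alias lists and per-domain wildcard accounts,
which is the extra logic a PAM module would have to carry.
"""
from typing import Optional, Tuple

# Constructed account table: Linux username -> explicit e-mail aliases.
ACCOUNTS = {
    "fmueller": ["florian@example.de", "f.mueller@example.de"],
    "sales": ["sales@example.de", "info@example.de"],
    "catchall": [],
}
# Constructed wildcard table: domain -> account that receives every
# address under that domain not claimed by an explicit alias.
WILDCARDS = {"example.de": "catchall"}


def resolve_username_login(token: str) -> Optional[str]:
    """PAM-style behaviour: the token must be an existing Linux username.
    Anything else, including an e-mail address, fails before a password is
    even looked at."""
    return token if token in ACCOUNTS else None


def resolve_email_login(token: str) -> Optional[Tuple[str, str]]:
    """Hypothetical address-based login: returns (linux_user, matched_by)
    or None when the address belongs to nobody."""
    addr = token.strip().lower()
    if addr.count("@") != 1:
        return None
    domain = addr.split("@", 1)[1]
    # Explicit aliases win; compare case-insensitively as mail servers do.
    for user, aliases in ACCOUNTS.items():
        if addr in (a.lower() for a in aliases):
            return (user, "alias")
    # Otherwise the domain wildcard claims the address: every conceivable
    # local part under that domain becomes a valid login identifier for it.
    if domain in WILDCARDS:
        return (WILDCARDS[domain], "wildcard")
    return None
```

Note that under a wildcard domain any made-up local part resolves to the catch-all account, so an address-based login would hand attackers a valid identifier for free; the username-only check rejects such tokens outright.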


