[BlueOnyx:24716] Re: New BlueOnyx server for migrate old BO centos 6 server.

Florian Arzberger arzberger at maxxnet.de
Mon Jan 18 03:47:12 -05 2021


> Am 18.01.2021 um 09:31 schrieb Michael Stauber <mstauber at blueonyx.it>:
> 
> Hi Florian,
> 
>> I think users are very much used to using their email address 
>> instead of the username for email nowadays (at least here in
>> Germany). Maybe there’s a possibility to include that in future
>> releases?
> 
> This has been talked about in the past and it isn't that easy of a
> transition.
> 
> For all relevant logins (SMTP, Dovecot, FTP, SSH, GUI and other odds and
> sods) we use PAM authentication. And that usually means: Username and
> password. This works out of the box and we can use the Linux user
> accounts and passwords.
> 
> PAM can be extended to use the email-address instead of the username.
> But that usually involves stuffing the user accounts into LDAP or MySQL
> *and* throwing a lot of extra logic onto the problem. You're basically
> writing your own login mechanism with all intricacies and potential
> problems.
> 
> Usernames are unique. No two Linux users can have the same name.
> 
> Email addresses are a hell of a lot more complicated, because the same
> account can have many different email aliases and there could even be a
> wildcard email account under any given domain. And from the specified
> email address you need to extrapolate which Linux user that actually is.
> 
> Then the question is: What's the actual benefit?
> 
> In reality: There is none.
> 
> So we'd be throwing a lot of extra complexity at a non-existing problem
> for no gain. Instead we'd create something horribly complex that has new
> points of failure and possibly even security holes in its first few
> iterations. That's just not worth the risk.
> 
> There is also another thing to keep in mind:
> 
> Brute force dictionary attacks.
> 
> Just because *everyone* (and their mother) is using email addresses
> these automated attack tools run flat into a wall on a BlueOnyx. Because
> if you try to authenticate with an email-address instead of a username,
> then that's a default authentication failure.
> 
> Lastly: The email addresses a server responds to can easily be probed
> from the outside and there are automated tools to harvest them.
> Likewise, anyone you communicate with via email knows your email address.
> 
> On other platforms an attacker therefore already knows one half of your
> two-factor authentication and only needs to brute force the password.
> 
> And on a BlueOnyx there isn't necessarily a direct relation between the
> login-token (username) and the email address.
> 

I get your point. It’s pure convenience.
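As an added illustration of the alias and wildcard ambiguity described in the quoted reply (this is not code from the thread or from BlueOnyx; the account table and resolver are constructed for the example), the following shows why an e-mail login cannot always be mapped to one Linux user, while a plain username either matches PAM's naming rules or fails outright:

```python
# Added example: map an e-mail login to Linux users and expose the ambiguity.
# Account data is constructed; BlueOnyx stores aliases and catch-alls differently.
from dataclasses import dataclass, field
import re


@dataclass
class Account:
    username: str                                   # unique Linux login name
    aliases: list = field(default_factory=list)     # full addresses delivered here
    catch_all_domains: list = field(default_factory=list)  # wildcard "*@domain"


# Constructed sample: one alias shared by two users, one domain-wide catch-all
ACCOUNTS = [
    Account("jdoe", ["john@example.org", "sales@example.org"]),
    Account("asmith", ["anna@example.org", "sales@example.org"]),
    Account("postmaster", ["postmaster@example.org"], ["example.org"]),
]


def is_pam_username(login: str) -> bool:
    """Linux/PAM usernames never contain '@'; an address fails this check."""
    return re.fullmatch(r"[a-z_][a-z0-9_-]*", login) is not None


def resolve_email(address: str, accounts=ACCOUNTS) -> list:
    """Return every Linux user an address could belong to.

    Exact aliases win; only if none match does a catch-all for the domain apply.
    More than one result means the login is ambiguous.
    """
    address = address.strip().lower()
    if "@" not in address:
        return []
    _, domain = address.rsplit("@", 1)
    exact = [a.username for a in accounts if address in a.aliases]
    if exact:
        return exact
    return [a.username for a in accounts if domain in a.catch_all_domains]


def login_target(login: str) -> tuple:
    """Decide what an authenticator would check a login against.

    ('user', name) for a PAM-style username, ('email', [candidates]) otherwise.
    """
    if is_pam_username(login):
        return ("user", login)
    return ("email", resolve_email(login))
```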
