Complete Newbie Question - Use hydra with dovecot authentication?

#1

Pardon this very uninformed question.

We have an email system set up with postfix/dovecot and I’d like to add more security to the simple passwords in place now. We also have a campus-wide subscription to Duo which allows us to easily add a second factor to ssh logins. Simplistically, just pointing the dovecot to this service requires the user to acknowledge a new login at frequent and poorly defined intervals. Can I use oauth2 to set up predefined known devices to handle this? And set up a web interface to allow the user to make such devices known?

I have looked at the documentation and found a hook from dovecot to an oauth2 provider. As a complete newbie, I have found the docker setup of hydra to work but the docs suggest that for a production system I need to work outside of docker. Is this true? I am finding these so-called restful APIs far from restful.

#2

Made my day

You can run Docker in production and it always depends on context. If you run a system that’s global scale with 2.5bn users you have different requirements than e.g. dovecot with a couple of hundred users. You can run Hydra in Docker, and directly on Win, macOS, Linux, … as well as on all CPU platforms (ARM, amd64, i386, …).

The way you log people in is up to you with Hydra. You could for example write a small application with a web form that uses the dovecot user database. Then you use that small application in your hydra flow (what we call the “login/consent app”). That’s basically it.

However, you’re definitely on new terrain here. I don’t think we’ve seen this use case before.
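The login/consent app described in the reply above, sketched as an added example that is not part of the thread or of Hydra's own code. It assumes a Dovecot passwd-file with `{SSHA256}` entries, a Hydra admin API at `http://127.0.0.1:4445`, and the Hydra 1.x admin path layout; the function names and sample accounts are constructed for illustration.

```python
import base64, hashlib, hmac, json, urllib.parse, urllib.request

# Assumption: Hydra admin API base URL; path layout follows Hydra 1.x.
HYDRA_ADMIN = "http://127.0.0.1:4445"

def make_ssha256(password, salt):
    """Build a Dovecot {SSHA256} value: base64(sha256(password+salt)+salt)."""
    digest = hashlib.sha256(password.encode() + salt).digest()
    return "{SSHA256}" + base64.b64encode(digest + salt).decode()

# Constructed sample passwd-file (user:password:...); not real accounts.
SAMPLE_PASSWD = "\n".join([
    "# constructed sample",
    "alice:" + make_ssha256("correct horse", b"\x01\x02\x03\x04") + "::::::",
    "bob:{PLAIN}hunter2::::::",
])

def check_password(passwd_text, user, password):
    """Return True only if user has an {SSHA256} entry matching password."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 2 or fields[0] != user:
            continue
        stored = fields[1]
        if not stored.startswith("{SSHA256}"):
            return False  # refuse schemes this sketch does not implement
        try:
            raw = base64.b64decode(stored[len("{SSHA256}"):], validate=True)
        except ValueError:
            return False  # corrupt entry: fail closed
        digest, salt = raw[:32], raw[32:]
        candidate = hashlib.sha256(password.encode() + salt).digest()
        return hmac.compare_digest(candidate, digest)  # constant-time compare
    return False

def accept_login_request(challenge, subject):
    """Build the admin-API PUT that tells Hydra the login succeeded."""
    url = (HYDRA_ADMIN + "/oauth2/auth/requests/login/accept?"
           + urllib.parse.urlencode({"login_challenge": challenge}))
    body = json.dumps({"subject": subject, "remember": False}).encode()
    return urllib.request.Request(url, data=body, method="PUT",
                                  headers={"Content-Type": "application/json"})

def handle_login(passwd_text, challenge, user, password):
    """Return the URL to redirect the browser to, or None on bad credentials."""
    if not check_password(passwd_text, user, password):
        return None
    with urllib.request.urlopen(accept_login_request(challenge, user)) as resp:
        return json.load(resp)["redirect_to"]
```

The web form posts the `login_challenge` query parameter Hydra appended to the login URL along with the credentials; the admin port should be reachable only from the login app, never from clients.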

#3

Thanks so much for your quick response. I’m surprised that this application is new ground since dovecot does have a hook to oauth2, but that reference suggests using it in conjunction with other providers such as google.

I’m less concerned with performance than understanding what is going on to set up hydra without docker. I could very well have overlooked documentation that covers a bare metal sort of install, but the ones I see seem to always invoke docker. Downloading the source revealed a Makefile with docker commands within it.