Secure POP via SSH mini-HOWTO
Table of Contents
1. Introduction
2. The Basic Technique
2.1 Setting up Port Forwarding
2.2 Testing it out
3. Using it With Your Mail Software
3.1 Setting up fetchmail
3.2 Automating it all
3.3 Not using fetchmail
4. Miscellany
4.1 Disclaimer
4.2 Copyright
4.3 Acknowledgements
Manish Singh, <yosh@gimp.org>
v1.0, 30 September 1998
This document explains how to set up secure POP connections using ssh.
1. Introduction
Normal POP mail sessions, by their very nature, are insecure. The password goes across the network in
cleartext for everyone to see. Now, this may be perfectly acceptable in a trusted or firewalled environment.
But on a public network, such as a university or your run-of-the-mill ISP, anyone armed with a simple
network sniffer can grab your password right off the wire. This is compounded by the fact that many people
set their computers to check for mail at regular intervals, so the password is sent out quite frequently, which
makes it easy to sniff.
With this password, an attacker can now access your email account, which may have sensitive or private
information. It is also quite common that this password is the same as the user's shell account, so there is the
possibility for more damage.
By doing all POP traffic using an encrypted channel, nothing goes in cleartext over the network. We can use
ssh's diverse methods of authentication, instead of a simple plaintext password. That is the real point of using
this method: not because we get encrypted content (which is futile at this point, since it's probably gone
unencrypted over several networks already before reaching your mailbox; securing those communications is
the job of GNU Privacy Guard or PGP, not ssh), but the secure authentication.
There are other methods of achieving secure authentication already, such as APOP, KPOP, and IMAP.
However, using ssh has the advantage that it works with normal POP configurations, without requiring
special client support (not all mail clients support advanced protocols) or server support (except for sshd
running on the server). Your mail provider may be unable or unwilling to use a more secure protocol.
Besides, by using ssh you can compress the traffic too, which is a nice little extra for people with slow
connections.
2. The Basic Technique
This technique relies on a fundamental feature of ssh: port forwarding.
There are many variations on this theme, which depend on your desired mail setup. They all require ssh,
which is available from http://www.ssh.fi/ and mirrors. RPMs are available at
ftp://ftp.replay.com/pub/crypto/ and Debian packages are available at
ftp://non-us.debian.org/debian-non-US/ (and their respective mirrors).
2.1 Setting up Port Forwarding
To start port forwarding, run the following command:
ssh -C -f popserver -L 11110:popserver:110 sleep 5
Let's take a closer look at that command:
ssh
The ssh binary itself, the magic program that does it all.
-C
This enables compression of the datastream. It's optional, but usually useful, especially for dialup
users.
-f
Once ssh has done authentication and established port forwarding, fork to background so other
programs can be run. Since we're just using the port forwarding features of ssh, we don't need a tty
attached to it.
popserver
The POP server we're connecting to.
-L 11110:popserver:110
Forward local port 11110 to port 110 on the remote server popserver. We use a high local port
(11110) so any user can create forwardings.
sleep 5
After ssh has forked itself into the background, it runs a command. We use sleep so that the
connection is maintained for enough time for our mail client to set up a connection to the server.
5 seconds is usually sufficient time for this to happen.
You can use most other options to ssh when appropriate. A common setting may be a username, since it
might be different on the POP server.
This requires sshd running on the remote server popserver. However, you do not need to have an active
shell account there. The time it takes to print a message "You cannot telnet here" is enough to set up a
connection.
2.2 Testing it out
Once you've figured out the details of the command to run to establish port forwarding, you can try it.
For example:
$ ssh -C -f msingh@popserver -L 11110:popserver:110 sleep 1000
popserver is the ol' POP server. My username on my local machine is manish, so I need to explicitly
specify the username msingh. (If your local and remote usernames are the same, the msingh@ part is
unnecessary.)
Then it prints:
msingh@popserver's password:
And I type in my POP password (you may have different shell and POP passwords though, so use your shell
one). Now we're done! So we can try:
$ telnet localhost 11110
which should print something like:
QUALCOMM POP v3.33 ready.
Woohoo! It works! The data is sent out over the network encrypted, so the only cleartext is over the loopback
interfaces of my local box and the POP server.
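Putting the two steps above together, here is an added Python script that is not part of the HOWTO. It builds the ssh command line exactly as section 2.1 lays it out, waits for the forwarded local port to accept connections, and then reads the POP greeting the same way the telnet check above does. The host name popserver, the user msingh and port 11110 are the HOWTO's own placeholders; the function names and the small loopback stand-in server used to exercise the code offline are my construction, not anything from the HOWTO or from ssh itself.

```python
"""Automate the HOWTO's forward-and-check steps (sections 2.1 and 2.2).

Added example, not code from the original HOWTO: it starts
``ssh -C -f [user@]host -L local:host:110 sleep N`` as section 2.1
describes, waits for the local port, then reads the POP3 greeting the
way the ``telnet localhost 11110`` check in section 2.2 does.  The host
``popserver``, user ``msingh`` and port 11110 are the HOWTO's
placeholders; fake_pop_server() below is a constructed test stub.
"""
import socket
import subprocess
import sys
import threading
import time


def build_ssh_argv(host, local_port, remote_port=110, user=None,
                   hold_seconds=5, compress=True):
    """Assemble the ssh command line from section 2.1.

    -f backgrounds ssh once authentication and the forward are done; -L
    binds local_port on the loopback only (ssh does not expose it to
    other hosts unless -g is given) and relays it to the POP port on the
    remote end; ``sleep`` keeps the session, and so the forward, alive.
    Ports below 1024 need root to bind, which is why the HOWTO picks 11110.
    """
    if not 1024 <= local_port <= 65535:
        raise ValueError("local port must be unprivileged (1024-65535)")
    argv = ["ssh"]
    if compress:
        argv.append("-C")          # compression, handy on slow links
    argv.append("-f")
    argv.append(f"{user}@{host}" if user else host)
    argv += ["-L", f"{local_port}:{host}:{remote_port}",
             "sleep", str(hold_seconds)]
    return argv


def wait_for_port(port, timeout=5.0, host="127.0.0.1"):
    """Poll until host:port accepts a TCP connection; False on timeout."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=0.5):
                return True
        except OSError:
            time.sleep(0.1)
    return False


def server_ready(greeting):
    """POP3 (RFC 1939) greetings start with '+OK' when the server is up."""
    return greeting.startswith("+OK")


def read_greeting(port, host="127.0.0.1"):
    """Connect through the forward, read the greeting line, send QUIT."""
    with socket.create_connection((host, port), timeout=5) as s:
        line = s.makefile("rb").readline().decode("ascii", "replace")
        s.sendall(b"QUIT\r\n")
        return line.rstrip("\r\n")


def fake_pop_server(greeting):
    """Constructed loopback stand-in for a POP server (testing only).

    Listens on an ephemeral port; per connection it sends ``greeting``
    and reads until QUIT or EOF.  Returns the port number.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(greeting.encode("ascii") + b"\r\n")
                    for raw in conn.makefile("rb"):
                        if raw.strip().upper() == b"QUIT":
                            conn.sendall(b"+OK bye\r\n")
                            break
                except OSError:
                    pass           # client hung up early (e.g. a port probe)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python pop_tunnel.py [host] [user]; ssh prompts for the
    # password or uses your key, exactly as in section 2.2.
    host = sys.argv[1] if len(sys.argv) > 1 else "popserver"
    user = sys.argv[2] if len(sys.argv) > 2 else None
    cmd = build_ssh_argv(host, 11110, user=user, hold_seconds=30)
    print("running:", " ".join(cmd))
    subprocess.run(cmd, check=True)   # returns once ssh has backgrounded
    if not wait_for_port(11110):
        sys.exit("no listener on localhost:11110; did ssh authenticate?")
    greeting = read_greeting(11110)
    print(greeting)
    sys.exit(0 if server_ready(greeting) else "unexpected greeting")
```

The script keeps the HOWTO's sleep trick rather than a long-lived tunnel, so the forward disappears on its own once the hold time is up; a cron job of the kind section 3.2 describes can call it and rely on the exit status to know whether the tunnel actually came up before handing off to the mail client.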
3. Using it With Your Mail Software
This section describes setting up your POP client software to use the ssh-forwarded connection. Its primary
focus is fetchmail (ESR's excellent mail-retrieval and forwarding utility), since that is the most flexible
software I have found for dealing with POP. fetchmail can be found at
http://www.tuxedo.org/~esr/fetchmail/. It will do you a great service to read the excellent documentation that
comes with fetchmail.