Differences between version 2 and predecessor to the previous major change of HowToSecurePOPSSH.
Other diffs: Previous Revision, Previous Author, or view the Annotated Edit History
Newer page: | version 2 | Last edited on Thursday, October 21, 2004 5:42:12 pm | by AristotlePagaltzis | Revert |
Older page: | version 1 | Last edited on Friday, June 7, 2002 1:07:29 am | by perry | Revert |
@@ -1,498 +1 @@
-
-
-
-Secure POP via SSH mini-HOWTO
-
-
-
-----
-
-!!!Secure POP via SSH mini-HOWTO
-
-!!Manish Singh,
-<yosh@gimp.org>v1., 30 September 1998
-
-
-----
-''This document explains how to set up secure POP connections using ssh.''
-----
-
-
-
-
-!!1. Introduction
-
-
-
-
-!!2. The Basic Technique
-
-
-*2.1 Setting up Port Forwarding
-
-*2.2 Testing it out
-
-
-
-
-
-!!3. Using it With Your Mail Software
-
-
-*3.1 Setting up fetchmail
-
-*3.2 Automating it all
-
-*3.3 Not using fetchmail
-
-
-
-
-
-!!4. Miscellany
-
-
-*4.1 Disclaimer
-
-*4.2 Copyright
-
-*4.3 Acknowledgements
-
-----
-
-!!1. Introduction
-
-
-
-
-
-Normal POP mail sessions, by their very nature, are insecure. The password goes
-across the network in cleartext for everyone to see. Now, this may be perfectly
-acceptable in a trusted or firewalled environment. But on a public network,
-such as a university or your run-of-the-mill ISP, anyone armed with a simple
-network sniffer can grab your password right off the wire. This is compounded
-by the fact that many people set their computers to check for mail at regular
-intervals, so the password is sent out quite frequently, which makes it easy to
-sniff.
-
-
-With this password, an attacker can now access your email account, which may
-have sensitive or private information. It is also quite common that this
-password is the same as the user's shell account, so there is the possibility
-for more damage.
-
-
-By doing all POP traffic using an encrypted channel, __nothing__ goes in
-cleartext over the network. We can use ssh's diverse methods of authentication,
-instead of a simple plaintext password. That is the real point of using this
-method: not because we get encrypted content (which is futile at this point,
-since it's probably gone unencrypted over several networks already before
-reaching your mailbox; securing those communications is the job of GNU Privacy
-Guard or PGP, not ssh), but the secure authentication.
-
-
-There are other methods of achieving secure authentication already, such as
-APOP, KPOP, and IMAP. However, using ssh has the advantage that it works with
-normal POP configurations, without requiring special client (not all mail
-clients support advanced protocols) or server support (except for sshd running
-on the server). You mail provider may be unable or unwilling to use a more
-secure protocol. Besides, by using ssh you can compress the traffic too, which
-is a nice little extra for people with slow connections.
-
-
-
-----
-
-!!2. The Basic Technique
-
-
-
-
-
-This technique relies on a fundamental feature of ssh: ''port forwarding''
-
-
-There are many variations on this theme, which depend on your desired mail
-setup. They all require ssh, which is available from
-http://www.ssh.fi/ and mirrors.
-RPMs are available at
-ftp://ftp.replay.com/pub/crypto/
-and Debian packages are available at
-ftp://non-us.debian.org/debian-non-US/
-(and their respective mirrors).
-
-
-
-
-!!2.1 Setting up Port Forwarding
-
-
-
-
-
-
-To start port forwarding, run the following command:
-
-
-
-
-
-ssh -C -f popserver -L 11110:popserver:110 sleep 5
-
-
-
-
-Let's take a closer look at that command:
-
-
-
-
-
-
-
-; __ssh__:
-
-The ssh binary itself, the magic program that does it all.
-
-
-
-; __-C__:
-
-This enables compression of the datastream. It's optional, but usually useful,
-especially for dialup users.
-
-
-
-; __-f__:
-
-Once ssh has done authentication and established port forwarding, fork to
-background so other programs can be run. Since we're just using the port
-forwarding features of ssh, we don't need a tty attached to it.
-
-
-
-; __popserver__:
-
-The POP server we're connecting to.
-
-
-
-; __-L 11110:popserver:110__:
-
-Forward local port 11110 to port 110 on the remote server popserver. We
-use a high local port (11110) so any user can create forwardings.
-
-
-
-; __sleep 5__:
-
-After ssh has forked itself into the background, it runs a command. We use
-sleep so that the connection is maintained for enough time for our mail
-client to setup a connection to the server. 5 seconds is usually sufficient
-time for this to happen.
-
-
-
-
-
-
-You can use most other options to ssh when appropriate. A common setting
-may be a username, since it might be different on the POP server.
-
-
-This ''requires'' sshd running on the remote server popserver. However,
-you do not need to have an active shell account there. The time it takes to
-print a message ``You cannot telnet
here'' is enough to setup a connection.
-
-
-
-
-!!2.2 Testing it out
-
-
-
-
-
-
-Once you've figured out the details command to run to establish port
-forwarding, you can try it. For example:
-
-
-
-
-
-$ ssh -C -f msingh@popserver -L 11110:popserver:110 sleep 1000
-
-
-
-
-popserver is the ol' POP server. My username on my local machine is
-manish so I need to explicitly specify the username msingh. (If
-your local and remote usernames are the same the msingh@ part is
-unnecessary.
-
-
-Then it prints:
-
-
-
-
-
-msingh@popserver's password:
-
-
-
-
-And I type in my POP password (you may have different shell and POP passwords
-though, so use your shell one). Now we're done! So we can try:
-
-
-
-
-
-$ telnet localhost 11110
-
-
-
-
-which should print something like:
-
-
-
-
-
-QUALCOMM POP v3.33 ready.
-
-
-
-
-Woohoo! It works! The data is sent out over the network encrypted, so the only
-cleartext is over the loopback interfaces of my local box and the POP server.
-
-
-
-----
-
-!!3. Using it With Your Mail Software
-
-
-
-
-
-This section describes setting up your POP client software to use the ssh
-forwarded connection. It's primary focus is fetchmail (ESR's excellent
-mail-retrieval and forwarding utility), since that is the most flexible
-software I have found for dealing with POP. fetchmail can be found at
-http://www.tuxedo.org/~esr/fetchmail/.
-It will do you a great service to read the excellent documentation that
-comes with fetchmail.
-
-
-
-
-!!3.1 Setting up fetchmail
-
-
-
-
-
-
-The following is my .fetchmailrc
-
-
-
-
-----
-
-defaults
-user msingh is manish
-no rewrite
-poll localhost with protocol pop3 and port 11110:
-preconnect "ssh -C -f msingh@popserver -L 11110:popserver:110 sleep 5"
-password foobar;
-
-----
-
-
-
-Pretty simple, huh? fetchmail has a wealth of commands, but the key ones are
-the preconnect line and the poll option.
-
-
-We're not connecting directly to the POP server, but instead localhost and
-port 11110. The preconnect does the forwarding each time fetchmail is run,
-leaving open the connection for 5 seconds, so fetchmail can make it's own
-connect. The rest fetchmail does itself.
-
-
-So each time you run fetchmail, you're prompted for your ssh password for
-authentication. If you run fetchmail in the background (like I do), it's
-inconvenient to have to do that. Which brings us to the next section.
-
-
-
-
-!!3.2 Automating it all
-
-
-
-
-
-
-ssh can authenticate using many methods. One of these is an RSA public/private
-key pair. You can generate an authentication key for your account using
-ssh-keygen. An authetication key can have a passphrase associated with
-it, or the passphase can be blank. Whether you want a passphrase depends on
-how secure you think the account you are using locally is.
-
-
-If you think your machine is secure, go ahead and have a blank passpharase.
-Then the above .fetchmailrc works just by running fetchmail. You can
-then run fetchmail in daemon mode when you dial up and mail is fetched
-automatically. You're done.
-
-
-However, if you think you need a passphrase, things get more complex. ssh
-can run under control of an __agent__, which can register keys and
-authenticate whatever ssh connections are made under it. So I have this
-script getmail.sh:
-
-
-
-
-----
-
-#!/bin/sh
-ssh-add
-while true; do fetchmail --syslog --invisible; sleep 5m; done
-
-----
-
-
-
-When I dialup, I run:
-
-
-
-
-
-$ ssh-agent getmail.sh
-
-
-
-
-This prompts me for my passphrase once, then checks mail every 5 minutes. When
-the dialup connection is closed, I terminate ssh-agent. (This is automated
-in my ip-up and ip-down scripts)
-
-
-
-
-!!3.3 Not using fetchmail
-
-
-
-
-
-
-What if I can't/don't want to use fetchmail? Pine, Netscape, and some other
-clients have their own POP mechanisms. First, consider using fetchmail! It's
-far more flexible, and mail clients shouldn't be doing that kind of stuff
-anyway. Both Pine and Netscape can be configured to use local mail systems.
-
-
-But if you must, unless your client has a preconnect feature like fetchmail,
-you're going to have to keep the ssh port forward active for the entire
-time you're connected. Which means using sleep 100000000 to keep the
-connection alive. This might not go over well with your network admins.
-
-
-Secondly, some clients (like Netscape) have the port number hardcoded to 110.
-So you need to be root to do port forwarding from privledged ports. This is
-also annoying. But it should work.
-
-
-
-----
-
-!!4. Miscellany
-
-!!4.1 Disclaimer
-
-
-
-
-
-
-There is no guarantee that this document lives up to its intended purpose. This
-is simply provided as a free resource. As such, the author of the information
-provided within cannot make any guarentee that the information is even
-accurate. Use at your own risk.
-
-
-Cryptographic software such as ssh may be subject to certain restrictions,
-depending on where you live. In some countries, you must have a license to use
-such software. If you are unsure of your local laws, please consult someone who
-is familiar with your situation for more information.
-
-
-The use of the information provided in this document is most likely not
-anticipated by your mail service provider. The author does not encourage the
-abuse and misuse of network services, and provides this document for
-informational purposes only. If you are in doubt about whether the use of these
-techniques falls within the service agreement of your mail provider, please
-clear that up beforehand.
-
-
-
-
-!!4.2 Copyright
-
-
-
-
-
-
-This document is copyright (c) 1998 Manish Singh
-<yosh@gimp.org>
-
-Permission is granted to make and distribute verbatim copies of this manual
-provided the copyright notice and this permission notice are preserved on all
-copies.
-
-
-Permission is granted to copy and distribute modified versions of this document
-under the conditions for verbatim copying, provided that this copyright notice
-is included exactly as in the original, and that the entire resulting derived
-work is distributed under the terms of a permission notice identical to this
-one.
-
-
-Permission is granted to copy and distribute translations of this document into
-another language, under the above conditions for modified versions.
-
-
-Commercial redistribution is allowed and encouraged; however, the author would
-like to be notified of any such distributions.
-
-
-All trademarks used in this document are acknowledged as being owned by their
-respective owners.
-
-
-
-
-!!4.3 Acknowledgements
-
-
-
-
-
-
-Special thanks goes to Seth David Schoen
-<schoen@uclink4.berkeley.edu>,
-who enlightened me in the ways of ssh port forwarding
.
-
-
-
-----
+Describe [HowToSecurePOPSSH]
here.