linux-l: ssh forwarding how?

Bjoern Feustel feustel at rz.fhtw-berlin.de
Fri Apr 10 13:25:42 CEST 1998


On Thu, 9 Apr 1998, Oliver Hillmann wrote:

> Hello,
> 
> For a few dozen minutes now I have been trying to get ssh to do this
> port forwarding. Take as an example scenario a POP server named
> popserver, to whose port 110 (i.e. POP3) I want an ssh-secured
> connection.

Hi,

  I think section C4 of the fetchmail FAQ explains this. It is attached
to this mail.

Ciao
Bjoern

       -   --  --- ----< I guess I'm lost in life >---- ---  --   -

                             Bjoern Feustel
                        feustel at rz.fhtw-berlin.de
-------------- next part --------------
C4. How can I get fetchmail to work with ssh?

   We have two recipes for this. The first is a little easier to set up,
   but only supports one user at a time.

   First, a lightly edited version of a recipe from Masafumi NAKANE:

   1. You must have ssh (the ssh client) on the local host and sshd (the ssh
   server) on the remote mail server. You also have to configure ssh so
   that you can log in to the sshd server host without a password. (Refer
   to the ssh man page for the available authentication methods.)

   2. Add something like the following to your .fetchmailrc file:

poll mailhost port 1234 via localhost with proto pop3:
        preconnect "ssh -f -L 1234:mailhost:110 mailhost sleep 20 </dev/null >/dev/null";

   (Note that 1234 can be an arbitrary port number. Privileged ports can
   be specified only by root.) The effect of this ssh command is to
   forward connections made to localhost port 1234 (in above example) to
   mailhost's 110.

   This configuration will enable secure mail transfer. All the
   conversation between fetchmail and remote pop server will be
   encrypted.

   If sshd is not running on the remote mail server, you can specify an
   intermediate host that is running it. If you do this, however, the
   communication between the machine running sshd and the POP server will
   not be encrypted. In that case the preconnect line would look like this:

preconnect "ssh -f -L 1234:mailhost:110 sshdhost sleep 20 </dev/null >/dev/null"

   You can work this trick with IMAP too, but the port number 110 in the
   above would need to become 143.

   Second, a recipe from Charlie Brady <cbrady at ind.tansu.com.au>:

   Charlie says: "The [previous] recipe certainly works, but the solution
   I post here is better in a few respects":
     * this method will not fail if two or more users attempt to use
       fetchmail simultaneously.
     * you are able to use the full facilities of tcpd to control access
     * this method does not depend on the preconnect feature of
       fetchmail, so can be used for tunneling of other services as well.

   Here are the steps:
    1. Make sure that the "socket" program is installed on the server
       machine.
    2. Set up an unprivileged account on your system with a .ssh
       directory containing an SSH identity file "identity" with no pass
       phrase, "identity.pub" and "known_hosts" containing the host key
       of your mailhost. Let's call this account "noddy".
    3. On mailhost, set up no-password access for noddy@yourhost. Add to
       your SSH authorized_keys file:

command="socket localhost 110",no-port-forwarding 1024 ......
   where "1024 ......" is the content of noddy's identity.pub file.
    4. Create a script /usr/local/bin/ssh.fm and make it executable:

#! /bin/sh
exec ssh -q -C -l your.login.id -e none mailhost socket localhost 110
    5. Add an entry in inetd.conf for whatever port you choose to use -
       say:

1234 stream tcp nowait noddy /usr/sbin/tcpd /usr/local/bin/ssh.fm
    6. Send a HUP signal to your inetd.

   Now just use localhost:1234 to access your POP server.
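The authorized_keys entry in step 3 relies on `command=` and `no-port-forwarding` to keep a passphrase-less key from being usable for anything but the POP tunnel. The following checker is an added example, not part of the FAQ or of fetchmail: it parses the options field of an authorized_keys line (sshd(8) syntax, quoted values with commas or spaces included) and reports which of the usual restriction options an unattended key is missing; `restrict` is the OpenSSH 7.2+ shorthand, and the sample lines and key material in it are constructed placeholders.

```python
# Lint an authorized_keys entry used for an unattended tunnel key (FAQ step 3).
# Assumption: option names follow the sshd(8) authorized_keys syntax; key
# material in any sample line is a constructed placeholder.

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Restrictions a passphrase-less automation key should carry when the
# OpenSSH 7.2+ 'restrict' option is not available.
REQUIRED = ("command", "no-port-forwarding", "no-pty",
            "no-agent-forwarding", "no-x11-forwarding")


def parse_options(line):
    """Split an authorized_keys line into (options dict, rest of line).

    Values may be double-quoted and contain commas or spaces; a backslash
    escapes the next character inside quotes. Blank lines and comments
    give (None, line).
    """
    s = line.strip()
    if not s or s.startswith("#"):
        return None, s
    # ssh1 entries start with the bit count, ssh2 entries with the key type.
    if s[0].isdigit() or s.startswith(KEY_TYPE_PREFIXES):
        return {}, s
    opts, name, value, in_quote, i = {}, "", None, False, 0
    while i < len(s):
        c = s[i]
        if in_quote:
            if c == "\\" and i + 1 < len(s):
                value += s[i + 1]
                i += 1
            elif c == '"':
                in_quote = False
            else:
                value += c
        elif c == '"':
            in_quote, value = True, (value or "")
        elif c == "=":
            value = ""
        elif c == ",":
            opts[name.lower()], name, value = value, "", None
        elif c.isspace():                 # end of the options field
            opts[name.lower()] = value
            return opts, s[i:].lstrip()
        else:
            name += c
        i += 1
    opts[name.lower()] = value
    return opts, ""


def missing_restrictions(line):
    """Return the restriction options the entry lacks (empty list = fine)."""
    opts, _ = parse_options(line)
    if opts is None:
        return []
    if "restrict" in opts:                # already disables pty and forwarding
        return [] if "command" in opts else ["command"]
    return [o for o in REQUIRED if o not in opts]
```

Run against the FAQ's own line, it reports that `no-pty`, `no-agent-forwarding` and `no-X11-forwarding` are still absent, all of which the ssh 1.x sshd of the time already supported.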


More information about the linux-l mailing list