linux-l: ssh forwarding how?
feustel at rz.fhtw-berlin.de
Fri Apr 10 13:25:42 CEST 1998
On Thu, 9 Apr 1998, Oliver Hillmann wrote:
> For several dozen minutes now I have been trying to get ssh to do this
> port forwarding. As an example scenario, take a POP server called
> popserver, to whose port 110 (POP3, that is) I want a connection
> secured by ssh.
I think FAQ section C4 of fetchmail explains that. It is attached to
this mail.
- -- --- ----< I guess I'm lost in life >---- --- -- -
feustel at rz.fhtw-berlin.de
-------------- next part --------------
C4. How can I get fetchmail to work with ssh?
We have two recipes for this. The first is a little easier to set up,
but only supports one user at a time.
First, a lightly edited version of a recipe from Masafumi NAKANE:
1. You must have ssh (the ssh client) on the local host and sshd (ssh
server) on the remote mail server. And you have to configure ssh so
you can login to the sshd server host without a password. (Refer to
ssh man page for several authentication methods.)
2. Add something like the following to your .fetchmailrc file:
poll mailhost port 1234 via localhost with proto pop3:
     preconnect "ssh -f -L 1234:mailhost:110 mailhost sleep 20 </dev/null >/dev/null"
(Note that 1234 can be an arbitrary port number. Privileged ports can
be specified only by root.) The effect of this ssh command is to
forward connections made to localhost port 1234 (in the above example) to
This configuration will enable secure mail transfer. All the
conversation between fetchmail and remote pop server will be
If sshd is not running on the remote mail server, you can specify an
intermediate host running it. If you do this, however, communication
between the machine running sshd and the POP server will not be
encrypted. And the preconnect line would be like this:
     preconnect "ssh -f -L 1234:mailhost:110 sshdhost sleep 20 </dev/null >/dev/null"
You can work this trick with IMAP too, but the port number 110 in the
above would need to become 143.
Second, a recipe from Charlie Brady <cbrady at ind.tansu.com.au>:
Charlie says: "The [previous] recipe certainly works, but the solution
I post here is better in a few respects":
* this method will not fail if two or more users attempt to use
* you are able to use the full facilities of tcpd to control access
* this method does not depend on the preconnect feature of
fetchmail, so can be used for tunneling of other services as well.
Here are the steps:
1. Make sure that the "socket" program is installed on the server
2. Set up an unprivileged account on your system with a .ssh
directory containing an SSH identity file "identity" with no pass
phrase, "identity.pub" and "known_hosts" containing the host key
of your mailhost. Let's call this account "noddy".
3. On mailhost, set up no-password access for noddy@yourhost. Add to
your SSH authorized_keys file:
command="socket localhost 110",no-port-forwarding 1024 ......
where "1024 ......" is the content of noddy's identity.pub file.
4. Create a script /usr/local/bin/ssh.fm and make it executable:
#!/bin/sh
exec ssh -q -C -l your.login.id -e none mailhost socket localhost 110
5. Add an entry in inetd.conf for whatever port you choose to use -
1234 stream tcp nowait noddy /usr/sbin/tcpd /usr/local/bin/ssh.fm
6. Send a HUP signal to your inetd.
Now just use localhost:1234 to access your POP server.
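As an added example, not part of the fetchmail FAQ, the poster's mail or the fetchmail project, the shell helpers below put the two recipes' security points into runnable form: the privileged-port caveat of recipe 1, the .fetchmailrc stanza with its preconnect tunnel (POP3 or IMAP), and the forced-command authorized_keys entry of recipe 2, step 3. The function names, the sample public key string and the extra OpenSSH authorized_keys options no-pty, no-agent-forwarding and no-X11-forwarding are assumptions beyond the page; no-port-forwarding and the "socket localhost 110" forced command are the FAQ's own.

```shell
#!/bin/sh
# Added example, not part of the fetchmail FAQ above. Helpers for the two
# recipes: checking the local forward port (recipe 1), emitting the
# .fetchmailrc stanza (recipe 1) and building the restricted authorized_keys
# entry (recipe 2, step 3). Function names and the sample key are constructed.

POP3_PORT=110
IMAP_PORT=143

# Recipe 1: the local end of "-L localport:mailhost:110" must be a port the
# fetchmail user may bind. Ports below 1024 need uid 0, so a non-root user
# who picks 110 gets a tunnel that never comes up. Returns 0 if usable.
validate_forward_port() {
    port=$1
    uid=${2:-$(id -u)}                    # default: the current user
    case "$port" in
        ''|*[!0-9]*) return 1 ;;          # empty or not a number
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        return 1                          # outside the TCP port range
    fi
    if [ "$port" -lt 1024 ] && [ "$uid" -ne 0 ]; then
        return 1                          # privileged port, unprivileged user
    fi
    return 0
}

# Recipe 1: emit the .fetchmailrc stanza. $3 is the host running sshd; pass
# the mail host itself, because a separate sshdhost leaves the hop from
# sshdhost to mailhost in the clear. Service port 143 switches to IMAP.
fetchmail_stanza() {
    mailhost=$1
    localport=$2
    sshdhost=$3
    svcport=${4:-$POP3_PORT}
    proto=pop3
    if [ "$svcport" -eq "$IMAP_PORT" ]; then
        proto=imap
    fi
    printf 'poll %s port %s via localhost with proto %s:\n' \
        "$mailhost" "$localport" "$proto"
    printf '    preconnect "ssh -f -L %s:%s:%s %s sleep 20 </dev/null >/dev/null";\n' \
        "$localport" "$mailhost" "$svcport" "$sshdhost"
}

# Recipe 2, step 3: noddy's key has no passphrase, so whoever can read the
# identity file holds it. Pinning the key to a forced command bounds the
# damage to "talk to the POP port on mailhost". no-port-forwarding is from
# the FAQ; no-pty, no-agent-forwarding and no-X11-forwarding are OpenSSH
# authorized_keys options added here for the same least-privilege reason.
restrict_authorized_key() {
    pubkey=$1
    svcport=${2:-$POP3_PORT}
    printf 'command="socket localhost %s",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$svcport" "$pubkey"
}

# Stand-alone demonstration with a constructed key (not a real key).
fetchmail_stanza mailhost 1234 mailhost
fetchmail_stanza mailhost 1235 mailhost "$IMAP_PORT"
restrict_authorized_key 'ssh-rsa AAAAB3NzaC1yc2E_constructed noddy@yourhost'
validate_forward_port 110 1000 || echo 'port 110 needs root: pick a local port >= 1024'
```

The "sleep 20" in the preconnect line is the window fetchmail has to connect before the backgrounded ssh exits; once fetchmail's connection is open, ssh keeps the forward alive until it closes. The restricted key line is what you paste into mailhost's authorized_keys in place of the bare key, with the key text taken from noddy's identity.pub.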