Re: ssh port forwarding for imap
- From: Cameron Simpson <cs zip com au>
- To: Getting started with Red Hat Linux <redhat-install-list redhat com>
- Subject: Re: ssh port forwarding for imap
- Date: Tue, 29 Nov 2005 15:36:20 +1100
On 28Nov2005 19:51, Harold Hallikainen <harold hallikainen com> wrote:
| I've got ssh port forwarding working so I can use Thunderbird to get to my
| imap server. However, starting a terminal, doing ssh, etc. seems a little
| clunky. Is there some automatic way (maybe even telling Thunderbird to use
| ssh tunneling) to do this?
Telling thunderbird... probably not.
But you could make yourself a special (passphraseless, locked down) ssh key
for the portforward and run one up at login (or boot, if it's a personal
machine) time.
Make a phraseless key:
ssh-keygen -t dsa -f ~/.ssh/id_dsa_portfwd
Press Enter twice to use no passphrase.
Install the public half in your authorized_keys file on the target server,
prefixing the line with a fixed do-nothing command, for example:
command="while sleep 60; do echo .; done",no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="127.0.0.1:143" ...
This doesn't let that key run any commands or do other things, and
permits only a single port forward.
See "man sshd" for details, under the heading "AUTHORIZED_KEYS FILE FORMAT".
The issue here is this: because this key requires no passphrase, it is
usable on its own. This is convenient for your batch-mode situation,
but also means that if someone gets the key they can use it - your other
keys require a pass phrase to use. Therefore it is important that it
can do exactly one thing at the far end, specifically: nothing. It will
run your specified port forwards.
Then run up the port forward ssh:
ssh -f -i $HOME/.ssh/id_dsa_portfwd -L 1143:127.0.0.1:143 remotehost
You will need to experiment a bit interactively until you have this
right of course.
WARNING:
Note that as described above, passphraseless keys have the potential
to be a significant security hole. Be sure you understand what you're
allowing and what you're not allowing (and exactly what you have said in
config files to ensure these things) before deploying this setup for real.
Cheers,
--
Cameron Simpson <cs zip com au> DoD#743
http://www.cskk.ezoshosting.com/cs/
The only thing necessary for the triumph of evil is for good men to do nothing.
- Edmund Burke (1729-1797)
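An added example, not part of the message above: a POSIX shell script that builds the restricted authorized_keys entry described in the thread and audits an existing authorized_keys file for keys that lack those restrictions. The key material is constructed, and the audit is a plain substring check of each line's option list, not a full parse of the authorized_keys syntax.

```sh
#!/bin/sh
# Added example (not from the original post). Builds the locked-down
# authorized_keys line from the thread and audits a file for keys that
# are missing any of the restrictions. Sample keys below are constructed.

# restricted_line PUBKEY_LINE [HOST:PORT]
# Prefix a public key line with a do-nothing forced command, no pty,
# no X11/agent forwarding, and a single permitted forward target.
restricted_line() {
  target=${2:-127.0.0.1:143}   # IMAP, as in the post
  printf 'command="while sleep 60; do echo .; done",no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="%s" %s\n' \
    "$target" "$1"
}

# key_is_restricted LINE -> 0 if every expected restriction is present
key_is_restricted() {
  for want in 'command="' no-pty no-X11-forwarding no-agent-forwarding 'permitopen="'; do
    case $1 in
      *"$want"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# audit_authorized_keys FILE
# Reports each unrestricted key's comment field on stderr and prints
# the count of unrestricted keys on stdout.
audit_authorized_keys() {
  unrestricted=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
    if ! key_is_restricted "$line"; then
      unrestricted=$((unrestricted + 1))
      printf 'unrestricted: %s\n' "${line##* }" >&2
    fi
  done <"$1"
  echo "$unrestricted"
}

# Demo on a constructed file: one plain key and one restricted key.
demo() {
  tmp=$(mktemp)
  echo 'ssh-dss AAAAB3Nz_constructed_key_1 harold@laptop' >"$tmp"
  restricted_line 'ssh-dss AAAAB3Nz_constructed_key_2 portfwd@laptop' >>"$tmp"
  audit_authorized_keys "$tmp"
  rm -f "$tmp"
}
```

Running `demo` reports the plain key as unrestricted and prints 1; point `audit_authorized_keys` at a real `~/.ssh/authorized_keys` to list every key that is not pinned to a forced command and a single forward.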