ssh port forwarding for imap

Harold Hallikainen harold at hallikainen.com
Wed Nov 30 00:16:32 UTC 2005


> On 28Nov2005 19:51, Harold Hallikainen <harold at hallikainen.com> wrote:
> | I've got ssh port forwarding working so I can use Thunderbird to get to my
> | imap server. However, starting a terminal, doing ssh, etc. seems a little
> | clunky. Is there some automatic way (maybe even telling Thunderbird to use
> | ssh tunneling) to do this?
>
> Telling thunderbird... probably not.
> But you could make yourself a special (passphraseless, locked down) ssh key
> for the portforward and run one up at login (or boot, if it's a personal
> machine) time.
>
> Make a passphraseless key:
>
>     ssh-keygen -t dsa -f ~/.ssh/id_dsa_portfwd
>
> Press Enter twice to use no passphrase.
>
> Install the public half in your authorized_keys file on the target server,
> prefixing the line with a fixed do-nothing command, for example:
>
>     command="while sleep 60; do echo .; done",no-pty,no-X11-forwarding,no-agent-forwarding,permitopen="127.0.0.1:143" ...
>
> This doesn't let that key run any commands or do other things, and
> permits only a single port forward.
>
> See "man sshd" for details, under the heading "AUTHORIZED_KEYS FILE FORMAT".
>
> The issue here is this: because this key requires no passphrase, it is
> usable on its own.  This is convenient for your batch-mode situation,
> but also means that if someone gets the key they can use it - your other
> keys require a passphrase to use.  Therefore it is important that it
> can do exactly one thing at the far end, specifically: nothing. It will
> run your specified port forwards.
>
> Then run up the port forward ssh:
>
>     ssh -f -i $HOME/.ssh/id_dsa_portfwd -L 1143:127.0.0.1:143 remotehost
>
> You will need to experiment a bit interactively until you have this
> right of course.
>
> WARNING:
> Note that as described above, passphraseless keys have the potential
> to be a significant security hole. Be sure you understand what you're
> allowing and what you're not allowing (and exactly what you have said in
> config files to ensure these things) before deploying this setup for real.
>
> Cheers,
> --
> Cameron Simpson <cs at zip.com.au> DoD#743
> http://www.cskk.ezoshosting.com/cs/
>


Thanks for the ideas! I'll give them a try.

Harold


-- 
FCC Rules Updated Daily at http://www.hallikainen.com
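An added check, not part of this thread or of OpenSSH itself, that audits a restricted authorized_keys line of the kind Cameron describes: it parses the options field (honouring the quoted command= value), confirms the lockdown flags and a forced command are present, and verifies that permitopen covers the destination named in the `-L` spec, so that a mismatch like forwarding to port 443 while permitopen only allows 143 is caught before deployment. The sample line and its key blob are constructed placeholders.

```python
import re

# Lockdown options a forward-only key should carry (sshd(8), AUTHORIZED_KEYS FILE FORMAT)
REQUIRED_FLAGS = {"no-pty", "no-X11-forwarding", "no-agent-forwarding"}
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")

def parse_options(line):
    """Return (options, remainder). Quoted values may contain commas and
    spaces (the command="..." value does), so split by hand, not on ','."""
    if KEY_TYPE.match(line):          # line starts with the key type: no options field
        return [], line
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            quoted = not quoted       # quotes delimit a value; they are not part of it
        elif ch == "\\" and quoted and i + 1 < len(line):
            cur.append(line[i + 1]); i += 1   # escaped character inside quotes
        elif ch == "," and not quoted:
            opts.append("".join(cur)); cur = []
        elif ch in " \t" and not quoted:       # end of options; key type follows
            opts.append("".join(cur))
            return opts, line[i:].strip()
        else:
            cur.append(ch)
        i += 1
    return opts + ["".join(cur)], ""

def forward_target(local_spec):
    """host:port the server is asked to connect to for 'ssh -L <local_spec>',
    i.e. what sshd matches against permitopen (IPv4/hostname forms only)."""
    return ":".join(local_spec.split(":")[-2:])

def audit(line, target):
    """Findings for a restricted authorized_keys line; [] means the key can do
    nothing at the far end except forward to `target` (e.g. '127.0.0.1:143')."""
    opts, _ = parse_options(line)
    names = {o.split("=", 1)[0] for o in opts}
    findings = []
    if "command" not in names:
        findings.append("no command=: key can run arbitrary commands or a shell")
    findings += [f"missing {f}" for f in sorted(REQUIRED_FLAGS - names)]
    permits = [o.split("=", 1)[1] for o in opts if o.startswith("permitopen=")]
    if not permits:
        findings.append("no permitopen=: any port forward is allowed")
    elif target not in permits:
        findings.append(f"permitopen {permits} does not cover forward target {target}")
    return findings

# Constructed sample line; the key blob is a placeholder, not a real key
SAMPLE = ('command="while sleep 60; do echo .; done",no-pty,no-X11-forwarding,'
          'no-agent-forwarding,permitopen="127.0.0.1:143" ssh-dss AAAA...PLACEHOLDER fwd-only')

if __name__ == "__main__":
    for spec in ("1143:127.0.0.1:143", "1143:127.0.0.1:443"):
        print(spec, audit(SAMPLE, forward_target(spec)) or "OK")
```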