Recipe 8.16 Securing POP/IMAP with SSH and Pine

8.16.1 Problem

You want to read mail on a POP or IMAP mail server securely using Pine, with automatic authentication. The mail server machine runs an SSH daemon.

8.16.2 Solution

Use Pine's built-in SSH subprocess feature, together with SSH public-key authentication and ssh-agent.
8.16.3 Discussion

Suppose your mail server is mail.server.net, and your account there is joe.

First, arrange for public-key authentication to your login account on the server [Recipe 6.4] using ssh-agent. [Recipe 6.9] Verify that this works smoothly, i.e., that you have all the necessary user and host keys in place, so that you can execute a command like this:

    $ ssh -l joe mail.server.net echo FOO
    FOO

If you see any password or passphrase prompts, double-check your public key and ssh-agent setup. If you are prompted to accept the mail server's SSH host key, get this out of the way as well. The preceding ssh command must succeed uninterrupted for Pine/SSH integration to work.

Next, log into the mail server machine and locate the mail server program.[2] Pine assumes its location is /etc/rimapd. If it's not there, other likely locations are:
Test the IMAP server by running it; you should see something similar to this:

    $ /usr/sbin/imapd
    * PREAUTH [CAPABILITY IMAP4REV1 IDLE NAMESPACE] Pre-authenticated user joe client.bar.org ...

To stop the program, type:

    0 logout

or press Ctrl-D or Ctrl-C.

Now, edit your ~/.pinerc file and make the following settings:

    inbox-path={mail.server.net/imap/user=joe}inbox
    ssh-path=/usr/bin/ssh

(or whatever the path to your SSH client is; run which ssh on your client machine if you're not sure). If your server program was not in the default location (/etc/rimapd), point to it with the ssh-command setting:

    ssh-command="%s %s -l %s exec /usr/sbin/%sd"

The final argument, /usr/sbin/%sd, must expand to the path to the IMAP daemon when the final "%s" expands to "imap". (So in this case your path is /usr/sbin/imapd.) Note that you may need to find the existing settings in ~/.pinerc and change them, rather than add new ones. Also make sure the ssh-timeout parameter has not been set to 0, which disables Pine's use of SSH.

Now you're all set; simply run Pine:

    $ pine

and it should automatically open your remote mailbox without prompting for further authentication. If it doesn't work, run the following command manually on the client machine:

    $ /usr/bin/ssh mail.server.net -l joe exec /usr/sbin/imapd

(modified to match the settings you made above), and verify that this starts the remote server program. If not, you have further debugging to do.

Now, why does automatic authentication work? Because your ssh command starts the server as yourself, in your account on the mail server machine, rather than as root by the system. This runs the IMAP server in pre-authenticated mode, and it simply accesses the mail of the account under which it runs. So the ssh subprocess gets you single sign-on for your mail: once you have SSH authorization to log into the mail server, you don't need to authenticate again via password to access your mail.

This method of mail access can be slow.
If you're using IMAP and have multiple mail folders, each time you change folders Pine will create a new IMAP connection, which now involves setting up a complete SSH connection. However, this is a matter of implementation: ideally we'd establish a single SSH connection to the server, and then have a command that quickly establishes a new SSH channel to the server via the existing connection. The free SSH implementation lsh in fact has this capability; see its lsh -G and lshg commands.
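The recipe's debugging advice boils down to two checks: the ssh command must succeed with no prompt at all, and the ssh-command template must expand to the exact command line you can run by hand. The following POSIX sh script is an added example, not code from the book or from Pine; it reads the three settings from a constructed sample ~/.pinerc, expands the %s placeholders in the order the recipe's manual command implies (ssh-path, host, user, then the service name "imap"; this ordering is an assumption drawn from the recipe, not verified against Pine's source), refuses an ssh-timeout of 0, and offers a prompt-free variant of the "echo FOO" test using OpenSSH's BatchMode option, which makes ssh fail instead of asking for a password, passphrase or host-key confirmation.

```shell
#!/bin/sh
# Added example (not from the book or Pine): reconstruct the command Pine
# would run from .pinerc settings and check the recipe's preconditions.
# Assumption: %s placeholders in ssh-command are filled in the order
# ssh-path, host, user, service, matching the recipe's manual command.

# Read one key from a .pinerc-style file (key=value per line); the last
# occurrence wins and surrounding double quotes are stripped.
pinerc_get() {
    file=$1; key=$2
    sed -n "s/^[[:space:]]*$key=//p" "$file" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Expand a Pine ssh-command template: replace each %s, left to right, with
# $2..$5 (ssh-path, host, user, service). Stops if placeholders run out.
expand_ssh_command() {
    template=$1; sshpath=$2; host=$3; user=$4; service=$5
    out=$template
    for value in "$sshpath" "$host" "$user" "$service"; do
        case $out in
            *%s*) out="${out%%%s*}$value${out#*%s}" ;;   # first %s only
            *) break ;;
        esac
    done
    printf '%s\n' "$out"
}

# ssh-timeout=0 disables Pine's SSH subprocess, so treat it (and any
# non-numeric value) as a configuration error.
ssh_timeout_ok() {
    case $1 in
        0) return 1 ;;
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prompt-free form of the recipe's "ssh -l joe mail.server.net echo FOO"
# check. -o BatchMode=yes makes OpenSSH fail rather than prompt, which is
# exactly the condition Pine needs. Needs network access; not run by the test.
ssh_noninteractive_check() {
    sshpath=$1; host=$2; user=$3
    result=$("$sshpath" -o BatchMode=yes -l "$user" "$host" echo FOO 2>/dev/null) || return 1
    [ "$result" = FOO ]
}

# Demonstration on constructed settings that mirror the recipe's example.
# Prints the command line you would run manually on the client to debug.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
inbox-path={mail.server.net/imap/user=joe}inbox
ssh-path=/usr/bin/ssh
ssh-command="%s %s -l %s exec /usr/sbin/%sd"
ssh-timeout=15
EOF
    sshpath=$(pinerc_get "$tmp" ssh-path)
    tmpl=$(pinerc_get "$tmp" ssh-command)
    timeout=$(pinerc_get "$tmp" ssh-timeout)
    rm -f "$tmp"
    ssh_timeout_ok "$timeout" || { echo "ssh-timeout=$timeout disables SSH in Pine" >&2; return 1; }
    expand_ssh_command "$tmpl" "$sshpath" mail.server.net joe imap
}

demo
```

Running the script prints /usr/bin/ssh mail.server.net -l joe exec /usr/sbin/imapd, the same line the recipe tells you to try by hand; if your own ~/.pinerc points at a different daemon path or ssh binary, feed that file to pinerc_get instead of the constructed one and compare. Call ssh_noninteractive_check with the ssh-path, host and user from your settings when you have network access: a non-zero exit means something would prompt, which is exactly what breaks Pine's SSH integration.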
8.16.4 See Also

pine(1). The LSH home page is http://www.lysator.liu.se/~nisse/lsh.