[ Team LiB ] Previous Section Next Section

Recipe 8.16 Securing POP/IMAP with SSH and Pine

8.16.1 Problem

You want to read mail on a POP or IMAP mail server securely using Pine, with automatic authentication. The mail server machine runs an SSH daemon.

8.16.2 Solution

Use Pine's built-in SSH subprocess feature, together with SSH public-key authentica tion and ssh-agent.

  1. Set up SSH public-key authentication with the mail server machine. [Recipe 6.4]

  2. Set up the SSH agent. [Recipe 6.9]

  3. Set up the SSH authentication in your ~/.pinerc file:

    inbox-path={mailserver/imap/user=username}inbox
    ssh-path=/usr/bin/ssh
  4. Simply run pine, and it should automatically open your remote mailbox without prompting for a password or any other authentication credentials.

8.16.3 Discussion

Suppose your mail server is mail.server.net, and your account there is joe. First, arrange for public-key authentication to your login account on the server [Recipe 6.4] using ssh-agent. [Recipe 6.9] Verify that this works smoothly, e.g., you have all the necessary user and host keys in place, so that you can execute a command like this:

$ ssh -l joe mail.server.net echo FOO
FOO

If you see any password or passphrase prompts, doublecheck your public key and ssh-agent setup. If you are prompted to accept the mail server's SSH host key, get this out of the way as well. The preceding ssh command must succeed uninterrupted for Pine/SSH integration to work.

Next, log into the mail server machine and locate the mail server program.[2] Pine assumes its location is /etc/rimapd. If it's not there, other likely locations are:

[2] We will assume here that it's an IMAP server. For a POP server, simply substitute "POP" for "IMAP"—and "pop" for "imap"—in the subsequent discussion.

/usr/sbin/imapd
/usr/local/sbin/imapd

Test the IMAP server by running it; you should see something similar to this:

$ /usr/sbin/imapd
* PREAUTH [CAPABILITY IMAP4REV1 IDLE NAMESPACE]
Pre-authenticated user joe client.bar.org ...

To stop the program, type:

0 logout

or ctrl-D, or ctrl-C.

Now, edit your ~/.pinerc file and make the following setting:

inbox-path={mail.server.net/imap/user=joe}inbox
ssh-path=/usr/bin/ssh

(or whatever the path to your SSH client is; run which ssh on your client machine if you're not sure).

If your server program was not in the default location (/etc/rimapd), point to it with the ssh-command setting:

ssh-command="%s %s -l %s exec /usr/sbin/%sd"

The final argument, /usr/sbin/%sd, must expand to the path to the IMAP daemon when the final "%s" expands to "imap". (So in this case your path is /usr/sbin/imapd.)

Note that you may need to find the existing settings in ~/.pinerc and change them, rather than add new ones. Also make sure the ssh-timeout parameter has not been set to 0, which disables Pine's use of SSH.

Now you're all set; simply run Pine:

$ pine

and it should automatically open your remote mailbox without prompting for further authentication. If it doesn't work, run the following command manually on the client machine:

$ /usr/bin/ssh mail.server.net -l joe exec /usr/sbin/imapd

(modified to match the settings you made above), and verify that this starts the remote server program. If not, you have further debugging to do.

Now, why does automatic authentication work? Because your ssh command starts the server as yourself in your account on the mail server machine, rather than as root by the system. This runs the IMAP server in pre-authenticated mode, and simply accesses the mail of the account under which it runs. So, the ssh subprocess gets you single-signon for your mail. That is, once you have SSH authorization to log into the mail server, you don't need to authenticate again via password to access your mail.

This method of mail access can be slow. If you're using IMAP and have multiple mail folders, each time you change folders Pine will create a new IMAP connection, which now involves setting up a complete SSH connection. However, this is a matter of implementation—ideally we'd establish a single SSH connection to the server, and then have a command that quickly establishes a new SSH channel to the server via the existing connection. The free SSH implementation lsh in fact has this capability; see its lsh -G and lshg commands.

Notes:

  • For concreteness we suggested SSH public-key authentication with ssh-agent, but any form of automatic SSH authentication will work, such as Kerberos [Recipe 4.14], hostbased [Recipe 6.8], etc.

  • Although this recipe is written for Pine, you can adapt the same technique for any mail client that can connect to its server via an arbitrary external program.

8.16.4 See Also

pine(1). The LSH home page is http://www.lysator.liu.se/~nisse/lsh .

    [ Team LiB ] Previous Section Next Section