l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
October 7: Social gathering
Next Installfest:
TBD
Latest News:
Aug. 18: Discounts to "Velocity" in NY; come to tonight's "Photography" talk
Page last updated:
2001 Dec 30 17:11

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
[vox-tech] Secure Email Access (fetchmail and ssh)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[vox-tech] Secure Email Access (fetchmail and ssh)



I am trying to find a secure way to have the box that I use as a mail
server go download all my @ucdavis email from the UCD mail server.  My
plan is to use fetchmail with an ssh preconnect string to accomplish
this.  I believe that my .fetchmailrc file should have an entry that
looks something like the following:

poll yellow.ucdavis.edu via localhost port 1234 with proto pop3:
    user 'mattrope' there with password 'XXXXXXX' is mattrope here
    preconnect "ssh -f -q -L 1234:yellow.ucdavis.edu:110
    yellow.ucdavis.edu sleep 20 < /dev/null > /dev/null"

The problem with this is that ssh would have to ask for my password
every time it tries to connect to the UCD mailserver, which is
unacceptable if fetchmail is running in daemon mode.  I believe that the
way most people overcome this is by generating an ssh keypair with no
passphrase and sticking the public key in their ~/.ssh/authorized_keys
file on the server.  However UCD does not allow students to login to the
mail servers directly, so there is no way I can put my public key on the
server.  This seems to rule out the use of public key authentication for
establishing a secure connection.

It seems that what I really need is a way to tell ssh what password to
use, either as a command line parameter or an option in ~/.ssh/config.
Does such a parameter/option exist?  I have found no indication of one
in the manpages.  I realize that having my UCD password available in a
configuration file would not be a good thing if my mail server were
cracked, but I think this is probably less of a security risk than
transmitting my password over the internet in cleartext every minute or
so.

If establishing a secure connection via ssh is not possible are there
any other alternatives?  I read a little bit about stunnel, but it
sounds like that is of more use on the server side than the client
side...  I suppose if I really have to, I could try to hack the openssh
source so that it will read a password from the config file and/or
command line.

Any ideas?  Am I just being stupid and overlooking something obvious?  I
would appreciate any insight you could give me.


Matt

-- 

**********************************
* Matt Roper <matt@mattrope.com> *
* http://www.mattrope.com        *
**********************************



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
EDGE Tech Corp.
For donating some give-aways for our meetings.