I intended this to go back to the list, where it could be commented on if
appropriate...

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
Work:<[EMAIL PROTECTED]>              Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------

---------- Forwarded message ----------
Date: Wed, 14 Feb 2001 01:33:33 -0800 (PST)
From:  <[EMAIL PROTECTED]>
X-Sender: [EMAIL PROTECTED]
To: Peter Jay Salzman <[EMAIL PROTECTED]>
Subject: Re: [vox-tech] fetchmail and ssh
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 13 Feb 2001, Peter Jay Salzman wrote:

> ok, jeff, call me dumb...

never.  does not compute.

> 
> On Tue 13 Feb 01,  3:37 AM, [EMAIL PROTECTED] said: 
> > On Tue, 13 Feb 2001, Peter Jay Salzman wrote:
> > 
> > > ok, i've been at this for awhile; time to get help.
> > > 
> > > i'm trying to get fetchmail to send my password securely.  this is what i've
> > > tried for .fetchmailrc:
> > > 
> > > poll belial.ucdavis.edu with protocol pop3 and port 11110:
> > > preconnect "ssh -f belial.ucdavis.edu -L 11110:belial.ucdavis.edu:110 belial.ucdavis.edu sleep 20"
> > > password XXXX;
> > > 
> > > and:
> > > 
> > > poll belial.ucdavis.edu via localhost port 1234 with proto pop3:
> > > preconnect "ssh -f -L 1234:belial.ucdavis.edu:110 belial.ucdavis.edu sleep 20 </dev/null >/dev/null"
> > > password XXXX;
> > > 
> > > and a few variations on these two themes. i'm getting the same error message:
> > > 
> > > fetchmail: starting fetchmail 5.5.3 daemon
> > > fetchmail: 5.5.3 querying belial.ucdavis.edu (protocol POP3) at Tue Feb 13 01:09:20 2001
> > > You have no controlling tty.  Cannot read passphrase.
> > > fetchmail: pre-connection command failed with status 65280
> > > fetchmail: Query status=5 (SYNTAX)
> > > 
> > > i'm sure i have a few hurdles to jump here.  the first one is the no
> > > controlling tty one.   can someone help me out with this?
> > 
> > You must setup an authorization key that allows connections to belial
> > without entering any verification (i.e. have a private key with no
> > passphrase for [EMAIL PROTECTED], have corresponding public key in
> > /home/p/.ssh/authorized_keys).  That should get rid of the complaint about
> > no controlling tty.
> 
> i've read this a few times, and it still makes no sense to me.
> 
> maybe the problem is that i didn't know you CAN have a private key without a
> passphrase.   how does one "get one of these"?   i can certainly do a
> 
> gpg --gen-key
> 
> but i really don't want 2 keys if i don't need them.  and i don't think
> it'll accept a null passphrase.

I haven't used gpg yet.  *duck*  I don't know about the interchangeability
of ssh keys with gpg keys, either.

However, I have had no problem using ssh-keygen to make keys without
passphrases.

Your comment does hint at something I find a little odd, though.  I don't
use the same private key on more than one system, in case one of them gets
compromised... particularly where one system is more exposed than the
other.  That is, I treat the key as the identity of user@host, not
[EMAIL PROTECTED]  There probably is value in having a generic
private key for gpg identification, but once the account that contains it
gets cracked, the biggest hurdle in cracking your key is already done. 

> isn't there a better option?

I am not sure what you want: to have your cake and eat it too? :)

From the errors you were seeing, I am assuming you want an automated
mechanism to access services on belial from satan.  What is different
between putting a passphrase in a configuration file, versus not having a
passphrase for the key at all?  If p@satan gets cracked, then either way
they can get to p@belial from p@satan, so automating the mail transfer
implies that you will have to clean up both systems if p@satan gets
cracked.

Note that having unrestricted access from satan to belial is accomplished
by putting p@satan's public key in p@belial:~/.ssh/authorized_keys, but
says nothing about p@belial's access to p@satan.

If you want the passphrase, and are willing to type it in every single
time you get mail, then I would run fetchmail manually.  That may be
appropriate for ssh access from p@belial to p@satan, since belial is not
behind a firewall, and you don't have a need to forego that extra
security there. But firewalls with holes in them for public services
are not 100% trustworthy either. :)

Fortunately even the use of ssh without any passphrases reduces your
chances of getting cracked because of the decreased sniffability.

> > You probably also need to add a "-l p" (say, between the "-f" and "-L" to
> > go from user [EMAIL PROTECTED] to user p@belial.
>  
> this is only for user p on satan, and collecting email as p on belial.  i
> don't really care about root's email on that system.

Okay.  No "-l" option.  I have been assuming you ran it as a daemon
(root).

> sorry for being so boneheaded!  this is definitely out of my sphere of
> knowledge.

I just happen to play with ssh... only slightly less bone in that part of
my head. The important thing to keep in mind is that the value of a
private key lies primarily in its privateness.  The passphrase is the
second line of defense, and is weakened by the temptation to shorten it
since you use it a lot.

I'm still trying to find references for the relationship between SSH and
SSL, other than the fact that SSH happens to use the SSL library.  I
thought that was simply one more possible encryption system... but perhaps
not.


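An added example, not code from the thread, showing the defender's side of the setup Jeff describes: the passphrase-less key made with ssh-keygen is pinned in p@belial's authorized_keys to the single job of forwarding the POP3 port, so a key lifted from a cracked p@satan yields a tunnel to port 110 and nothing else, and the matching .fetchmailrc uses a key dedicated to that one host pair, as Jeff recommends. Hostnames, the user p and /home/p/.ssh are the thread's; the key file name fetchmail_belial, the key text and the from= pattern satan.example.org are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Generate the key once, with no
# passphrase, on satan so preconnect needs no controlling tty:
#   ssh-keygen -t ed25519 -N "" -f /home/p/.ssh/fetchmail_belial
# Then install restrict_key's output on belial and fetchmailrc's output
# as /home/p/.fetchmailrc (mode 0600) on satan.

# Emit an authorized_keys line for p@belial that accepts PUBKEY only from
# CLIENT, forces "sleep 20" instead of a shell, gives no pty, and allows a
# single forward target: the local POP3 port. These are standard OpenSSH
# authorized_keys options; the key is useless for anything else.
restrict_key() {
    pubkey=$1   # public key line, e.g. "ssh-ed25519 AAAA... p@satan"
    client=$2   # from= pattern: host name or address of the fetchmail box
    printf '%s %s\n' \
        "from=\"$client\",command=\"sleep 20\",no-pty,no-agent-forwarding,no-X11-forwarding,permitopen=\"localhost:110\"" \
        "$pubkey"
}

# Emit the matching .fetchmailrc: poll belial via the local end of the
# tunnel, opened by preconnect with the dedicated key. -L targets
# localhost:110 so it matches the permitopen above, and BatchMode=yes makes
# ssh fail at once instead of prompting if the key is ever rejected.
fetchmailrc() {
    key=$1      # private key on satan, e.g. /home/p/.ssh/fetchmail_belial
    lport=$2    # local port for the tunnel
    cat <<EOF
poll belial.ucdavis.edu via localhost port $lport with proto pop3:
    preconnect "ssh -f -o BatchMode=yes -i $key -L $lport:localhost:110 belial.ucdavis.edu sleep 20"
    user p there with password XXXX;
EOF
}
```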
