On Fri, 12 Oct 2001, ME wrote:
> On Thu, 11 Oct 2001, Matt Roper wrote:
> > I am trying to find a secure way to have the box that I use as a mail
> > server go download all my @ucdavis email from the UCD mail server. My
> > plan is to use fetchmail with an ssh preconnect string to accomplish
> > this. I believe that my .fetchmailrc file should have an entry that
> > looks something like the following:
> >
> > poll yellow.ucdavis.edu via localhost port 1234 with proto pop3:
> > user 'mattrope' there with password 'XXXXXXX' is mattrope here
> > preconnect "ssh -f -q -L 1234:yellow.ucdavis.edu:110
> > yellow.ucdavis.edu sleep 20 < /dev/null > /dev/null"
>
> Hmmm...
>
> > The problem with this is that ssh would have to ask for my password
> > every time it tries to connect to the UCD mailserver, which is
> > unacceptable if fetchmail is running in daemon mode. I believe that the
> > way most people overcome this is by generating an ssh keypair with no
> > passphrase and sticking the public key in their ~/.ssh/authorized_keys
> > file on the server. However UCD does not allow students to login to the
> > mail servers directly, so there is no way I can put my public key on the
> > server. This seems to rule out the use of public key authentication for
> > establishing a secure connection.
>
> I am not so sure that you can have an ssh client arbitrate a "secure
> session" with a pop3 server (port 110) like that unless you are certain
> the mail server also runs ssh and can allow for redirections with the
> connecting ssh client. If there is really an ssh server on the mail
> server, you may be able to grab your private keys on the server with scp
> and make some guesses on the locations of the keys.
If you don't have shell access, you probably don't have a home
directory. Without a home directory, where would your key be kept?
[...]
> There are many people on this list more skilled than me who might have
> other ideas.
With respect to unsecured public keys, Bill Broadley has discussed using
ssh-agent to allow passphrase entry at bootup. But that won't help if you
can't keep a public key on the server.
I would ask your sysadmin for a solution (preferably), or use expect as ME
suggested.
---------------------------------------------------------------------------
Jeff Newmiller The ..... ..... Go Live...
DCN:<[EMAIL PROTECTED]> Basics: ##.#. ##.#. Live Go...
Live: OO#.. Dead: OO#.. Playing
Research Engineer (Solar/Batteries O.O#. #.O#. with
/Software/Embedded Controllers) .OO#. .OO#. rocks...2k
---------------------------------------------------------------------------
