Pine, IMAP, and SSH (SSH, The Secure Shell: The Definitive Gu...

Pine, IMAP, and SSH (SSH, The Secure Shell: The Definitive Guide)of 8http://www.hn.edu.cn/book/NetWork/NetworkingBookshelf_2ndEd/ssh...8/3/2005 2:16 PM11.3. Pine, IMAP, and SSHPine is a popular, Unix-based email program from the University of Washington(http://www.washington.edu/pine/). In addition to handling mail stored and delivered in local files, Pine alsosupports IMAP[136] for accessing remote mailboxes and SMTP[137] for posting mail.[136]Internet Message Access Protocol, RFC-2060.[137]Simple Mail Transfer Protocol, RFC-821.In this case study, we integrate Pine and SSH to solve two common problems:IMAP authenticationIn many cases, IMAP permits a password to be sent in the clear over the network. We discuss how toprotect your password using SSH, but (surprisingly) not by port forwarding.Restricted mail relayingMany ISPs permit their mail and news servers to be accessed only by their customers. In somecircumstances, this restriction may prevent you from legitimately relaying mail through your ISP. Onceagain, SSH comes to the rescue.We also discuss wrapping ssh in a script to avoid Pine connection delays and facilitate access to multiplemailboxes. This discussion will delve into more detail than the previous one on Pine/SSH integration.[Section 4.5.4, "Pine"]11.3.1. Securing IMAP AuthenticationLike SSH, IMAP is a client/server protocol. Your email program (e.g., Pine) is the client, and an IMAPserver process (e.g., imapd ) runs on a remote machine, the IMAP host, to control access to your remotemailbox. Also like SSH, IMAP generally requires you to authenticate before accessing your mailbox,typically by password. Unfortunately, in many cases this password is sent to the IMAP host in the clear overthe network; this represents a security risk (see Figure 11-8).[138][138]IMAP does support more secure methods of authentication, but they aren't widelydeployed.Figure 11-8. A normal IMAP connection

Pine, IMAP, and SSH (SSH, The Secure Shell: The Definitive Guide)of 8http://www.hn.edu.cn/book/NetWork/NetworkingBookshelf_2ndEd/ssh...8/3/2005 2:16 PMFigure 11-10. Pine/IMAP over SSH, preauthenticatedHere's a sample session that invokes an IMAP server, imapd, through inetd so it runs as root:server% telnet localhost imap* OK localhost IMAP4rev1 v12.261 server ready0 login res password'1 select inbox* 3 EXISTS* 0 RECENT* OK [UIDVALIDITY 964209649] UID validity status* OK [UIDNEXT 4] Predicted next UID* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)* OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent flags1 OK [READ-WRITE] SELECT completed2 logout* BYE imap.example.com IMAP4rev1 server terminating connection2 OK LOGOUT completedAlternatively, in preauthenticated mode, the IMAP server assumes that authentication has already been doneby the program that started the server and that it already has the necessary rights to access the user's mailbox.If you invoke imapd on the command line under a nonroot uid, imapd assumes you have alreadyauthenticated and opens your email inbox. You can then type IMAP commands and access your mailboxwithout authentication:server% /usr/local/sbin/imapd* PREAUTH imap.example.com IMAP4rev1 v12.261 server ready0 select inbox* 3 EXISTS* 0 RECENT* OK [UIDVALIDITY 964209649] UID validity status* OK [UIDNEXT 4] Predicted next UID* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)* OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent flags0 OK [READ-WRITE] SELECT completed1 logout* BYE imap.example.com IMAP4rev1 server terminating connection1 OK LOGOUT completedNotice the PREAUTH response at the beginning of the session, indicating pre-authenticated mode. It is followedby the command select inbox, which causes the IMAP server implicitly to open the inbox of the currentuser without demanding authentication.Now, how does all this relate to Pine? When instructed to access an IMAP mailbox, Pine first attempts to loginto the IMAP host using rsh and to run a preauthenticated instance of imapd directly. If this succeeds, Pinethen converses with the IMAP server over the pipe to rsh and has automatic access to the user's remote inboxwithout further authentication. This is a good idea and very convenient; the only problem is that rsh is veryinsecure. However, you can make Pine use SSH instead.

Pine, IMAP, and SSH (SSH, The Secure Shell: The Definitive Guide)of 8http://www.hn.edu.cn/book/NetWork/NetworkingBookshelf_2ndEd/ssh...8/3/2005 2:16 PM11.3.1.2. Making Pine use SSH instead of rshPine's rsh feature is controlled by three configuration variables in the ~/.pinerc file: rsh-path, rsh-command,and rsh-open-timeout. rsh-path stores the program name for opening a Unix remote shell connection.Normally it is the fully qualified path to the rsh executable (e.g., /usr/ucb/rsh). To make Pine use SSH,instruct it to use the ssh client rather than rsh, setting rsh-path to the location of the SSH client:rsh-path=/usr/local/bin/sshrsh-command represents the Unix command line for opening the remote shell connection: in this case, theIMAP connection to the IMAP host. The value is a printf-style format string with four "%s" conversionspecifications that are automatically filled in at runtime. From first to last, these four specifications stand for:1.2.3.4.The value of rsh-pathThe remote hostnameThe username for accessing your remote mailboxThe connection method; in this case, "imap"For example, the default value of rsh-commandis:"%s %s -l %s exec /etc/r%sd"which can instantiate to:/usr/ucb/rsh imap.example.com -l smith exec /etc/rimapdTo make this work properly with ssh, modify the default format string slightly, adding the -q option for quietmode:rsh-command="%s %s -q -l %s exec /etc/r%sd"This instantiates to:/usr/local/bin/ssh imap.example.com -w -l smith exec /etc/rimapdThe -q option is necessary so that ssh doesn't emit diagnostic messages that may confuse Pine, such as:Warning: Kerberos authentication disabled in SUID client.fwd connect from localhost to local port sshdfwd-2001Pine otherwise tries to interpret these as part of the IMAP protocol. The default IMAP server location of/etc/r %sd becomes /etc/rimapd.The third variable, rsh-open-timeout, sets the number of seconds for Pine to open the remote shellconnection. Leave this setting at its default value, 15, but any integer greater than or equal to 5 is permissible.So finally, the Pine configuration is:rsh-path=/usr/local/bin/sshrsh-command="%s %s -q -l %s exec /etc/r%sd"rsh-open-timeout=

Pine, IMAP, and SSH (SSH, The Secure Shell: The Definitive Guide)of 8http://www.hn.edu.cn/book/NetWork/NetworkingBookshelf_2ndEd/ssh...8/3/2005 2:16 PMRemote Usernames in PineBy the way, it's not mentioned in the Pine manpage or configuration file comments, but if youneed to specify a different username for connecting to a remote mailbox, the syntax is:{hostname/user=jane}mailboxThis causes Pine to call the rsh-command with "jane" as the remote username (i.e., the third%s substitution).Generally, you want to use an SSH authentication method that doesn't require typing a password orpassphrase, such as trusted-host or public-key with an agent. SSH is run behind the scenes by Pine anddoesn't have access to the terminal to prompt you. If you're running the X Window System, ssh can pop upan X widget instead to get input, ssh-askpass, but you probably don't want that either. Pine may makeseveral separate IMAP connections in the course of reading your mail, even if it's all on the same server. Thisis just how the IMAP protocol works.With the previous settings in your ~/.pinerc file and the right kind of SSH authentication in place, you'reready to try Pine over SSH. Just start Pine and open your remote mailbox; if all goes well, it will openwithout prompting for a password.

Pine, IMAP, and SSH (SSH, The Secure Shell: The Definitive Guide)of 8http://www.hn.edu.cn/book/NetWork/NetworkingBookshelf_2ndEd/ssh...8/3/2005 2:16 PM11.3.2. Mail Relaying and News AccessPine uses IMAP to read mail but not to send it. For that, it can either call a local program (such as sendmail) or use an SMTP server. Pine can also be a newsreader and use NNTP (the Network News Transfer Protocol,RFC-977) to contact a news server.An ISP commonly provides NNTP and SMTP servers for its customers when connected to the ISP's network.However, for security and usage control reasons, the ISP generally restricts this access to connectionsoriginating within its own network (including its own dial-up connections). In other words, if you'reconnected to the Internet from elsewhere and try to use your ISP's services, the attempt will probably fail.Access to your usual servers can be blocked by a firewall, or if not, your outgoing mail can bounce with amessage about "no relaying," and the news server rejects you with a message about "unauthorized use."You are authorized to use the services, of course, so what do you do? Use SSH port forwarding! Byforwarding your SMTP and NNTP connections over an SSH session to a machine inside the ISP's network,your connections appear to come from that machine, thus bypassing the address-based restrictions. You canuse separate SSH commands to forward each port:$ ssh -L2025:localhost:25 smtp-server ...$ ssh -L2119:localhost:119 nntp-server ...Alternatively, if you have a shell account on one of the ISP's machines running SSH but can't log into themail or news servers directly, do this:$ ssh -L2025:smtp-server:25 -L2119:nntp-server:119 shell-server ...This is an off-host forwarding, and thus the last leg of the forwarded path isn't protected by SSH. Section9.2.4, "Forwarding Off-Host" But since the reason for this forwarding isn't so much protection as it isbypassing the source-address restriction, that's OK. Your mail messages and news postings are going to betransferred insecurely once you drop them off, anyway. (If you want security for them, you need to sign orencrypt them separately, e.g., with PGP or S/MIME.)In any case, now configure Pine to use the forwarded ports by setting the smtp-server and nntp-serverconfiguration options in your ~/.pinerc file:smtp-server=localhost:2025nntp-server=localhost:211911.3.3. Using a Connection ScriptThe Pine configuration option rsh-path can point not only to rsh or ssh, but also to any other program: mostusefully, a script you've written providing any needed customizations. There are a couple of reasons why youmight need to do this:The rsh-path setting is global, applying to every remote mailbox. That is, Pine tries to use this style ofaccess either for every remote mailbox or for none. If you have multiple remote mailboxes but onlysome of them are accessible via SSH/imapd, this leads to annoyance. Pine falls back to a direct TCPconnection if SSH fails to get an IMAP connection, but you have to wait for it to fail. If the server inquestion is behind a firewall silently blocking the SSH port, this can be a lengthy delay.

Pine, IMAP, and SSH (SSH, The Secure Shell: The Definitive Guide)of 8http://www.hn.edu.cn/book/NetWork/NetworkingBookshelf_2ndEd/ssh...8/3/2005 2:16 PM# your ISP's domain; a common and useful convention.@forward = ('-L',"$smtp_proxy:mail:$smtp",'-L',"$nntp_proxy:news:$nntp");if ($do_forwards);# prepare the arguments to ssh@ssh_argv = ('-a','-x','-q',@forward,"$remoteuser\@$server");# run sshexec $ssh, @ssh_argv, $command;11.2. FTP Forwarding 11.4. Kerberos and SSHCopyright © 2002 O'Reilly & Associates. All rights reserved.

ERROR: syntaxerrorOFFENDING COMMAND: --nostringval--STACK:/Title()/Subject(D:20050803141644)/ModDate()/Keywords(PDFCreator Version 0.8.0)/Creator(D:20050803141644)/CreationDate(sev)/Author-mark-