Re: Speaking of ssh->pop

[Brian Hatch <ssh () ifokr org>]

dom () devitto com wrote:

> > > I be ssh challenged.  How do I setup the server
> > > side to accept ssh tunnels and forward them to
> > > the pop server?
> > >
> > > On the client, all we have to do is follow
> > > Crispin's nice little script:
> > >
> > > #!/bin/sh
> > > ssh -C -l crispin -f \
> > >         -L 6666:your.mail.server:110 \
> > >         your.mail.server xbiff -geom +17+690
> > >
> > > Now, what do I have listening at port 110 on
> > > the remote end, POP or ssh?
> >
> > Your (recently upgraded ;-) popper, running
> > of inetd as normal.
> >
> > If people should only be able to connect to it
> > via the ssh forward, tcpd wrap it to accept connections
> > only from localhost and 'your.mail.server' above.
>
> Or use the sshd config file to limit clients (IPs and usernames) that
> can connect.

Let me rephrase:

sshd can be configured in it's sshd_config to allow only certain
ips/users/etc through the Allow directives.  However to force
people to use an ssh forwarding to connect to your POP server,
make sure it's controlled by tcpd in /etc/inetd.conf, similar to
the following:

pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d

and make sure /etc/hosts.allow has

ipop3d: localhost your.mail.server

Then people could only pop 'locally', ie via a mail client that
popped off of localhost, or via an ssh (or other) forwarding.




--
brianhatch () onsight com     Computer (n):
   Systems and              A device designed
   Security Engineer        to speed and
http://www.onsight.com/     automate errors.
                           
Every message PGP signed

Attachment: _bin
Description: