Re: [APPL:DarwinDev] launchd agent for securing mail through ssh tunnel
- Subject: Re: [APPL:DarwinDev] launchd agent for securing mail through ssh tunnel
- From: "Jay A. Kreibich" <email@hidden>
- Date: Fri, 13 Apr 2007 06:51:10 -0500
On Fri, Apr 13, 2007 at 12:13:44PM +0200, Nicola Vitacolonna scratched on the wall:
> Hi,
> I usually read email through an ssh tunnel and I want to turn the task
> into an on-demand launchd user agent. So far, I have come up with
> the following, "nearly working", solution:
> I have a couple of problems, though:
>
> 1) The first email sent during a session correctly triggers the ssh
> tunnel on, but the mail client (I have tried with Apple Mail and
> Thunderbird) hangs on "Connecting to localhost...". If I stop sending
> the email and try again (now the tunnel is already active) the mail
> is sent. Subsequent messages are also sent without any problem.
This isn't as simple as it sounds. The problem is that "servers"
(defined, for the purpose of this conversation, as anything that
allows incoming network connections; in this case the local end of
the ssh tunnel) that want to run "on demand" must be written in a
special way. This is true of launchd, it is also true of launchd's
predecessors, such as inetd and xinetd.
In short, the problem is that launchd has control over the incoming
network connection. When it detects an incoming connection (e.g.
your mail program) it launches the defined on-demand program (your
ssh tunnel). But after that is done, it needs some way to plumb
together the network connection and the newly launched program. This
requires an alternate input/output method in the on-demand server
application.
While sshd (the normal server daemon) supports this mode (-i), the
ssh client does not. So your first connection triggers the startup
of the tunnel, but it doesn't actually work, since the plumbing can't
be connected correctly. The tunnel has started up, however, so
subsequent connections work as expected.
Google for "ssh tunnel inetd" to get some ideas on how people have
worked around this.
> 2) When I pull out the network cable (e.g., because I change
> location), ssh quits after a while (see options ServerAliveInterval
> and ServerAliveCountMax); it is respawned by launchd, however, no
> matter how long it has been running. Since there is no network
> available, ssh exits again, and so on repeatedly until the job is
> eventually removed. So, I have to unload/load the plist when I
> connect the cable again.
This sounds odd. Without getting into the details, it sounds like
launchd is not properly maintaining control over the ssh process
(which is likely since most ssh tunnels are more of a daemon than a
one-shot deal (required by on-demand); -f can somewhat reproduce this,
but not well). There are also going to be issues if you don't turn
your mail program off when your network connection is gone.
I have a less clear picture of what is going on in this second case.
Perhaps someone else has a better idea.
-j
--
Jay A. Kreibich < J A Y @ K R E I B I.C H >
"'People who live in bamboo houses should not throw pandas.' Jesus said that."
- "The Ninja", www.AskANinja.com, "Special Delivery 10: Pop!Tech 2006"
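Below is an added example, not part of the original thread and not the poster's elided plist, of the inetd-style configuration the reply is pointing at. In this form launchd owns the listening socket, accepts each connection itself and hands the connected socket to a freshly started ssh as stdin/stdout/stderr (the "inetdCompatibility" key with Wait=false), and ssh's -W option forwards that stdio to a host:port on the far side of the session. The -W option appeared in OpenSSH 5.4, well after this 2007 thread; the equivalent at the time was running a netcat on the gateway, e.g. "ssh gateway nc localhost 143", which is the trick the "ssh tunnel inetd" search turns up. The label "local.mail-tunnel", the gateway name, the user name and the local port 1993 are assumptions for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Label, gateway host, user and local port are assumptions for this example -->
  <key>Label</key>
  <string>local.mail-tunnel</string>

  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/ssh</string>
    <!-- -q: keep ssh's own warnings off stderr, which in inetd mode is
         the same socket the mail client is reading from -->
    <string>-q</string>
    <!-- -W host:port: forward this process's stdin/stdout to host:port as
         seen from the ssh server; no tty and no remote command (OpenSSH 5.4+).
         143 is plain IMAP, which here travels only inside the ssh session
         and over loopback on the gateway -->
    <string>-W</string>
    <string>localhost:143</string>
    <!-- BatchMode: there is no terminal, so fail instead of prompting;
         authentication must come from ssh-agent or an unencrypted key, and
         the gateway's host key must already be in known_hosts -->
    <string>-o</string>
    <string>BatchMode=yes</string>
    <string>-o</string>
    <string>StrictHostKeyChecking=yes</string>
    <string>user@gateway.example.com</string>
  </array>

  <!-- launchd owns the listening socket; ssh is started per connection -->
  <key>Sockets</key>
  <dict>
    <key>Listener</key>
    <dict>
      <!-- bind to loopback only: without SockNodeName the listener is
           reachable from every interface, and anyone who can reach it
           gets an unauthenticated path into the mailbox -->
      <key>SockNodeName</key>
      <string>127.0.0.1</string>
      <key>SockServiceName</key>
      <string>1993</string>
      <key>SockFamily</key>
      <string>IPv4</string>
    </dict>
  </dict>

  <!-- Wait=false: launchd accepts each connection and passes the connected
       socket to a new ssh as file descriptors 0, 1 and 2, the plumbing that
       a plain "ssh -L" tunnel cannot accept -->
  <key>inetdCompatibility</key>
  <dict>
    <key>Wait</key>
    <false/>
  </dict>
</dict>
</plist>
```

Save it as ~/Library/LaunchAgents/local.mail-tunnel.plist, load it with "launchctl load" on that path, and point the mail client at 127.0.0.1 port 1993 with no TLS (the ssh session provides the encryption). Because every client connection gets its own ssh process and nothing runs between connections, the second problem in the thread does not arise in this layout: when the cable is pulled, the ssh serving that connection exits, the mail client sees a dropped connection, and launchd starts nothing until the client connects again. The cost is a full ssh handshake per connection, so first-connection latency is higher than with a long-lived "ssh -L" tunnel.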
Darwin-dev mailing list (email@hidden)