Re: [APPL:DarwinDev] launchd agent for securing mail through ssh tunnel
- Subject: Re: [APPL:DarwinDev] launchd agent for securing mail through ssh tunnel
- From: Nicola Vitacolonna <email@hidden>
- Date: Fri, 13 Apr 2007 20:56:08 +0200
On 13/apr/07, at 13:51, Jay A. Kreibich wrote:
On Fri, Apr 13, 2007 at 12:13:44PM +0200, Nicola Vitacolonna
scratched on the wall:
Hi,
I usually read email through an ssh tunnel and I want to turn the task
into an on-demand launchd user agent. So far, I have come up with
the following, "nearly working", solution:
I have a couple of problems, though:
1) The first email sent during a session correctly triggers the ssh
tunnel on, but the mail client (I have tried with Apple Mail and
Thunderbird) hangs on "Connecting to localhost...". If I stop sending
the email and try again (now the tunnel is already active) the mail
is sent. Subsequent messages are also sent without any problem.
This isn't as simple as it sounds. The problem is that "servers"
(defined, for the purpose of this conversation, as anything that
allows incoming network connections; in this case the local end of
the ssh tunnel) that want to run "on demand" must be written in a
special way. This is true of launchd, it is also true of launchd's
predecessors, such as inetd and xinetd.
In short, the problem is that launchd has control over the incoming
network connection. When it detects an incoming connection (e.g.
your mail program) it launches the defined on-demand program (your
ssh tunnel). But after that is done, it needs some way to plumb
together the network connection and the newly launched program. This
requires an alternate input/output method in the on-demand server
application.
While sshd (the normal server daemon) supports this mode (-i), the
ssh client does not. So your first connection triggers the startup
of the tunnel, but it doesn't actually work, since the plumbing can't
be connected correctly. The tunnel has started up, however, so
subsequent connections work as expected.
Google for "ssh tunnel inetd" to get some ideas on how people have
worked around this.
Ok, I have found that, with xinetd, you can do something like:
service smtp
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    disable     = no
    server      = /usr/bin/ssh
    server_args = -q -T -i /Users/myself/.ssh/my-key email@hidden
    groups      = yes
    bind        = 127.0.0.1
}
redirecting the connection to the smtp port by issuing a remote
command like
nc localhost smtp
(or socket localhost smtp). I have set up my public key so that my ssh
connection is forwarded to my mail server, but in no way can I
simulate the above with launchd. Is that possible at all? The nearest
I can imagine is along these lines:
[...]
    <key>OnDemand</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ssh</string>
        <string>-i</string>
        <string>/Users/myself/.ssh/my-key</string>
        <string>-q</string>
        <string>-T</string>
        <string>email@hidden</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockServiceName</key>
            <string>smtp</string>
            <key>SockType</key>
            <string>stream</string>
        </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <true/>
    </dict>
</dict>
</plist>
with the disadvantage that it must be run as root, because it is
listening on port 25. But that does not work for me.
Nicola
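As an added illustration (not part of the thread, and not code from either poster), the following is a complete launchd user-agent plist that expresses the xinetd stanza above in launchd terms. The xinetd `wait = no` line corresponds to launchd's `inetdCompatibility` / `Wait` set to false: launchd then calls accept() itself and hands the already-connected socket to ssh as its stdin/stdout/stderr, which is exactly the "plumbing" that the -T client needs and that a `Wait` of true does not provide. Binding to 127.0.0.1 on an unprivileged port lets the job live in ~/Library/LaunchAgents and run as the logged-in user instead of root. The label `org.example.smtp-tunnel`, the port 2525 and the host `mailuser@mailhost.example` are placeholders; the key path is the one used in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Placeholder job name; save as ~/Library/LaunchAgents/org.example.smtp-tunnel.plist -->
    <key>Label</key>
    <string>org.example.smtp-tunnel</string>

    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ssh</string>
        <string>-q</string>                        <!-- keep banners/warnings off the socket -->
        <string>-T</string>                        <!-- no pty: fds 0/1 are the TCP connection -->
        <string>-o</string>
        <string>BatchMode=yes</string>             <!-- never prompt; fail if key or host key is unusable -->
        <string>-i</string>
        <string>/Users/myself/.ssh/my-key</string>
        <string>mailuser@mailhost.example</string> <!-- placeholder for the real user@host -->
    </array>

    <!-- Loopback only, unprivileged port: the agent runs as the user, not root.
         Configure the mail client to use localhost:2525 as its SMTP server. -->
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockType</key>
            <string>stream</string>
            <key>SockFamily</key>
            <string>IPv4</string>
            <key>SockNodeName</key>
            <string>127.0.0.1</string>
            <key>SockServiceName</key>
            <string>2525</string>
        </dict>
    </dict>

    <!-- Wait=false is inetd's "nowait": launchd accept()s each connection and passes the
         connected socket to ssh as stdin/stdout/stderr, so the first connection already works. -->
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
</dict>
</plist>
```

Because ssh runs without a terminal, the key must be usable without any prompt and the remote host key must already be in known_hosts. On the mail server, restrict the key to the single redirect it is for, so a leaked key cannot open a shell or arbitrary port forwards, with an authorized_keys entry of the form `command="nc localhost smtp",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding <public key>`. Each SMTP connection spawns its own ssh session, so this is suited to occasional mail submission rather than a high-volume relay; load the job with `launchctl load ~/Library/LaunchAgents/org.example.smtp-tunnel.plist`.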
Darwin-dev mailing list (email@hidden)