Re: launchd agent for securing mail through ssh tunnel
- Subject: Re: launchd agent for securing mail through ssh tunnel
- From: Nicola Vitacolonna <email@hidden>
- Date: Thu, 19 Apr 2007 21:25:17 +0200
Hi,
I have finally been able to make it work! I post my solution because
I think it may be interesting for others - there are a couple of
points about which I have found no discussion on the web (I am using
Mac OS X Tiger).
First of all, as has already been pointed out, a workaround is needed
to make ssh and launchd interoperate: a tunnel established with -L, e.g.
ssh -L 1200:localhost:25 ...
does not work properly within launchd. The workaround consists of
connecting the stdin/stdout of the processes and adding a command (I
have used nc) to the public key on the server, which forwards the
connection to the mail server. Since this topic is easily found via
Google, I will move on.
My plist looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>my.smtp.mail.service</string>
    <key>OnDemand</key>
    <true/>
    <key>Program</key>
    <string>/usr/bin/ssh</string>
    <key>ProgramArguments</key>
    <array>
        <string>ssh</string>
        <string>-T</string>
        <string>-i</string>
        <string>/Users/myself/.ssh/my-ssh-key</string>
        <string>myself@my.mail.server</string>
    </array>
    <key>RunAtLoad</key>
    <false/>
    <key>ServiceDescription</key>
    <string>SSH tunnel from localhost:1200 to my.mail.server:25</string>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockServiceName</key>
            <string>1200</string>
            <key>SockType</key>
            <string>stream</string>
        </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
    <!-- <key>InitGroups</key>
    <true/> -->
    <key>StandardErrorPath</key>
    <string>/dev/null</string>
</dict>
</plist>
Based on my tests, I can make a few remarks:
1) the inetdCompatibility key is mandatory, and Wait must be false;
2) the InitGroups key may be either true or false (in my tests it
does not make any difference);
3) IMPORTANT: the StandardErrorPath key is mandatory (that's what I
was missing!).
As soon as I redirected the standard error elsewhere, things
started to work flawlessly.
The plist can be put in a user's ~/Library/LaunchAgents folder, of
course, and loaded with the user's permissions.
Nicola
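The post skips the server-side half of the workaround (the forced command in the public key) and gives no way to check that the tunnel actually answers. The script below is an added example, not code from Nicola's message: it builds the authorized_keys line for my.mail.server with the forced nc command and the usual key restrictions, and it checks the client end by reading the SMTP greeting from localhost:1200. The file name ~/.ssh/my-ssh-key.pub, the host name and port 1200 are assumed from the plist above; the nc and SMTP behaviour is standard.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the client key
# is ~/.ssh/my-ssh-key.pub, the mail host is my.mail.server, and launchd
# listens on localhost:1200 as in the plist above.

# Build the line to append to ~/.ssh/authorized_keys on my.mail.server.
# command="nc localhost 25" is what replaces the -L tunnel: sshd runs nc
# instead of a shell, and nc copies the session's stdin/stdout to the MTA
# on port 25. The no-* options keep this key from opening a shell, a pty,
# or any other forwarding, so a stolen key only ever reaches port 25.
restricted_key_line() {
    pubkey="$1"   # contents of the .pub file: "ssh-rsa AAAA... comment"
    printf '%s\n' \
      "command=\"nc localhost 25\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty $pubkey"
}

# An SMTP server greets with a 220 line; anything else (or nothing) means
# the chain launchd -> ssh -> sshd -> nc -> MTA is broken somewhere.
smtp_banner_ok() {
    banner="$1"
    case "$banner" in
        220*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Client-side check, to run after
#   launchctl load ~/Library/LaunchAgents/my.smtp.mail.service.plist
# Connecting to the listener makes launchd spawn ssh for this connection
# (Wait=false: one ssh per connection), and the greeting comes back
# through nc on the server.
check_tunnel() {
    port="${1:-1200}"
    # keep stdin open briefly so nc does not quit before the banner arrives;
    # -w 5 gives up after five seconds if nothing answers
    banner=$(sleep 1 | nc -w 5 localhost "$port" | head -n 1)
    smtp_banner_ok "$banner"
}

# Typical use:
#   restricted_key_line "$(cat ~/.ssh/my-ssh-key.pub)"   # paste on the server
#   check_tunnel 1200 && echo "tunnel up" || echo "tunnel down"
```

Two things that bite under launchd, since there is no terminal: the server's host key must already be in ~/.ssh/known_hosts (ssh cannot ask to confirm it), and the private key named by -i must be usable without a passphrase prompt. Until both hold, ssh dies on every connection, which with StandardErrorPath pointing at /dev/null looks exactly like a dead tunnel; pointing it at a log file while setting up is worth the noise.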
Darwin-dev mailing list