Re: launchd agent for securing mail through ssh tunnel

13 Apr 2007

      site_archiver@lists.apple.com
Delivered-To: darwin-dev@lists.apple.com
Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=iyJpN9vOawvti1SuNqw2H+CgigAiiELcSTiUfxOQZRuDdGMBtHp3LSPgtUxsa0s+cSHDwc7Wi2imrzQJuRCT72i6/whsJMKQmysYzmQm9Q1EFT9vbY7mNoBlhMm4FJSnejXE/vB5ES6OWXl3p5ZApDB2XXoZXrFTBcic96AU8wE=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=gXsi3R9rwsCUVacC1zprbMBi2YqTMZmQ3wjPMP/ictSm3T56w3Kj8Z5FWUZ5k8f8DetyQTc2AKT80cSuHCSmRjo2wJCq/V5Dcz2lmqXg3tEJwACz+RM1a6Qc32y+BF3JiFGb9So5tfxZjozldFly3XHwe8CRVB3hjoD/L1BdWxc=

Hi,
I use to read email through an ssh tunnel and I want to turn the task
into an on-demand launchd user agent. So far, I have come out with
the following, "nearly working", solution:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://
www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>my.smtp.server</string>
        <key>OnDemand</key>
        <true/>
        <key>Program</key>
        <string>/usr/bin/ssh</string>
        <key>ProgramArguments</key>
        <array>
                <string>ssh</string>
                <string>-i</string>
                <string>/Users/myself/.ssh/my-ssh-key</string>
                <string>-l</string>
                <string>myself</string>
                <string>-N</string>
                <string>-q</string>
                <string>-T</string>
                <string>-o</string>
                <string>Protocol=2</string>
                <string>-o</string>
                <string>ConnectionAttempts=3</string>
                <string>-o</string>
                <string>ServerAliveCountMax=3</string>
                <string>-o</string>
                <string>ServerAliveInterval=5</string>
                <string>-o</string>
                <string>ExitOnForwardFailure=yes</string>
                <string>-L</string>
                <string>1200:localhost:25</string>
                <string>my.smtp.server</string>
        </array>
        <key>RunAtLoad</key>
        <false/>
        <key>ServiceDescription</key>
        <string>SSH tunnel from localhost:1200 to my.smtp.server:25</string>
        <key>Sockets</key>
        <dict>
                <key>Listeners</key>
                <dict>
                        <key>SockServiceName</key>
                        <string>1200</string>
                        <key>SockType</key>
                        <string>stream</string>
                </dict>
        </dict>
</dict>
</plist>
I have a couple of problems, though:
1) The first email sent during a session correctly triggers the ssh
tunnel on, but the mail client (I have tried with Apple Mail and
Thunderbird) hangs on "Connecting to localhost...". If I stop sending
the email and try again (now the tunnel is already active) the mail
is sent. Subsequent messages are also sent without any problem.

Ar you sure that ssh isn't prompting?
2) When I pull out the network cable (e.g., because I change
location), ssh quits after a while (see options ServerAliveInterval
and ServerAliveCountMax); it is respawned by launchd, however, no
matter how long it has been running. Since there is no network
available, ssh exits again, and so repearedly until the job is
eventually removed. So, I have to unload/load the plist when I
connect the cable again.

Remove the RunAtLoad key? I use this with Mail.app, and it works just fine:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
       <key>Label</key>
       <string>my.mail.service</string>
       <key>Program</key>
	<string>/usr/bin/ssh</string>
       <key>ProgramArguments</key>
       <array>
		<string>/usr/bin/ssh</string>
		<string>-L</string>
		<string>9025:mailserver:25</string>
		<string>jpeach@mailserver</string>
		<string>imapd</string>
       </array>
	<key>inetdCompatibility</key>
	<dict>
	    <key>Wait</key>
	    <false/>
	</dict>
	<key>Sockets</key>
	<dict>
	    <key>Listeners</key>
	    <dict>
		<key>SockNodeName</key>
		<string>localhost</string>
		<key>SockServiceName</key>
		<integer>9220</integer>
		<key>SockType</key>
		<string>stream</string>
		<key>SockFamily</key>
		<string>IPv4</string>
	    </dict>
	</dict>
	<key>Debug</key>
	<true/>
</dict>
</plist>

--
James Peach | jorgar@gmail.com
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list      (Darwin-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/darwin-dev/site_archiver%40lists.appl...
On 13/04/07, Nicola Vitacolonna <vitacolo@dimi.uniud.it> wrote:

This email sent to site_archiver@lists.apple.com