Mailinglist Archive: opensuse-security (670 mails)

Re: [suse-security] vpn
  • From: Scott Courtney <courtney@xxxxxxx>
  • Date: Fri, 16 Nov 2001 11:45:09 -0500
  • Message-id: <200111161716.MAA21195@xxxxxxxx>
On Friday 16 November 2001 10:16 am, Peter Wiersig wrote:
> On 15. November 2001 16:06 wrote Michael Bartosh:
> > I have used an ssh tunnel as an end user before (my last employer
> > used it along with secureID as a sort of faux vpn) but have never set
> > this up. Does anyone know where I should start, or do you have a url?
>
> "man ssh"
>
> ssh -L <localport>:popserver:pop3 tunnelend.example.com "sleep 3600"
>

Here is a little script that I use to keep a POP3 and SMTP tunnel running more-or-less continuously:

********************** begin **********************
#!/bin/sh

# Make an SSH connection to 4th.com so that mail can be directly sent

echo "Forwarding localhost:9000 to 4th.com SMTP, localhost:9001 to <remote>.com POP3"
echo "Type exit then Control-C (rapidly) when done."
# Loop forever: if ssh exits (link dropped, sshd restarted, shell closed),
# wait briefly and open the tunnel again.
while true; do
    # Key-based login; the matching public key must already be in the
    # remote account's authorized_keys.
    ssh -i ~/.ssh/identity -L 9000:localhost:25 -L 9001:localhost:110 <remote>.com
    echo "Connection will retry in 5 seconds. Hit Control-C to abort."
    sleep 5
done
*************************** end **********************

If the connection is broken, it will wait 5 seconds then re-establish. You need
to have used ssh-keygen to create a key pair, and place the public key into the
authorized_keys file on the remote host. Take Peter's suggestion and read the
ssh and sshd "man" pages for details on the key setup procedure. It's pretty
straightforward.

Peter's use of the POP3 port on the local end is convenient and correct but
requires the script to run as root. I chose two nonprivileged ports (9000 for
SMTP and 9001 for POP3) on my local host so that I can run the script as an
ordinary user.

Rather than sending a "sleep 3600" command, I leave that parameter out so that
I get a login shell on the remote. This is personal preference, because my
web sites live on this server also and so I often use that shell anyway. You
can put the "sleep 3600" command into my version as well, if you wish.

Once you have this running, you set up your mail client to receive POP3 from
"localhost" on port 9001 and to send mail via SMTP to "localhost" port 9000.
Works great with KMail and most other mail clients.

Sometimes the connection will break without the local ssh command detecting it
for a brief time. In that situation, you'll get a one-time error in your mail
client. Just wait a few seconds and try again, because the network traffic that
caused that error message also jogged the local ssh command into terminating
so that the script loop can restart it.

Scott

--
-----------------------+------------------------------------------------------
Scott Courtney | "I don't mind Microsoft making money. I mind them
courtney@xxxxxxx | having a bad operating system." -- Linus Torvalds
http://www.4th.com/ | ("The Rebel Code," NY Times, 21 February 1999)
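As an added example, not code from Scott's post or from anyone in the thread, here is a hardened version of the same keep-alive idea in POSIX sh. It assumes an OpenSSH client that understands ExitOnForwardFailure, ServerAliveInterval/ServerAliveCountMax and BatchMode; the host name mail.example.com, the stand-in SSH_CMD variable and the function names are illustrative.

```sh
#!/bin/sh
# Added example, not code from the original post: a keep-alive wrapper
# around "ssh -L" for a POP3/SMTP tunnel. Assumes an OpenSSH client that
# understands the -o options used below. Host names are illustrative.

# Command that opens the tunnel. Overridable so the retry loop can be
# exercised with a stand-in (e.g. a shell function) instead of real ssh.
SSH_CMD="${SSH_CMD:-ssh}"

# tunnel_args LOCALPORT REMOTEPORT [LOCALPORT REMOTEPORT ...]
# Prints one "-L 127.0.0.1:LOCAL:localhost:REMOTE" per pair. Fails (exit 1,
# prints nothing) if a local port is below 1024, which would need root.
tunnel_args() {
    args=""
    while [ "$#" -ge 2 ]; do
        lport=$1; rport=$2; shift 2
        for p in "$lport" "$rport"; do
            case "$p" in ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;; esac
        done
        if [ "$lport" -lt 1024 ]; then
            echo "local port $lport is privileged; use one >= 1024" >&2
            return 1
        fi
        # Bind the listener to loopback only, so the LAN cannot use the tunnel.
        args="$args -L 127.0.0.1:$lport:localhost:$rport"
    done
    if [ "$#" -ne 0 ]; then
        echo "ports must come in LOCAL REMOTE pairs" >&2
        return 1
    fi
    printf '%s\n' "${args# }"
}

# run_tunnel HOST RETRIES DELAY [SSH_OPTIONS...]
# Runs ssh with the given forwards until it exits cleanly. After a failure
# waits DELAY seconds and reconnects, up to RETRIES reconnects (-1 = forever,
# like the loop in the original script). Leaves the attempt count in
# ATTEMPTS and returns the last ssh exit status.
run_tunnel() {
    host=$1; retries=$2; delay=$3; shift 3
    ATTEMPTS=0
    while :; do
        ATTEMPTS=$((ATTEMPTS + 1))
        # -N: forwards only, no remote shell left idle.
        # ExitOnForwardFailure: if a local port cannot be bound, exit so the
        #   loop retries instead of running a session with no tunnel.
        # ServerAlive*: declare the peer dead after 3 missed probes (~90 s)
        #   and exit, rather than waiting for TCP to time out.
        # BatchMode: never block on a password prompt; key auth only.
        $SSH_CMD -N \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
            -o BatchMode=yes \
            "$@" "$host"
        status=$?
        [ "$status" -eq 0 ] && return 0
        if [ "$retries" -ge 0 ] && [ "$ATTEMPTS" -gt "$retries" ]; then
            echo "giving up after $ATTEMPTS attempts (last exit $status)" >&2
            return "$status"
        fi
        echo "tunnel exited with status $status; reconnecting in $delay s" >&2
        sleep "$delay"
    done
}

# Usage: tunnel.sh HOST LOCAL REMOTE [LOCAL REMOTE ...]
# e.g.   tunnel.sh mail.example.com 9000 25 9001 110
if [ "$#" -ge 3 ]; then
    host=$1; shift
    fwd=$(tunnel_args "$@") || exit 1
    # $fwd is deliberately unquoted: it holds several -L arguments.
    run_tunnel "$host" -1 5 $fwd
fi
```

The two options that matter most for the behaviour Scott describes are ServerAliveInterval/ServerAliveCountMax, which make the client notice a dead link on its own instead of waiting for the next mail fetch to "jog" it, and ExitOnForwardFailure, which turns a failed local bind (say, a stale tunnel still holding port 9001) into an ssh exit that the loop can see. Binding to 127.0.0.1 explicitly keeps the forwarded POP3 and SMTP ports off the LAN even if GatewayPorts is ever set in the client config.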
