DSL logs

Mitchell Patenaude mrp at sonic.net
Thu Jan 27 00:43:04 PST 2000


On Wed, Jan 26, 2000 at 11:10:54PM -0800, Thomas A. Rice wrote:
> Devin,
> 	Have you actually got a set-up like this working?
> 	I got non-ssh fetchmail working easily, but the following
> 	(excerpt)
> 		poll pop.sonic.net via localhost port 1234 with proto POP3: 
> 		preconnect "ssh -f -L 1234:pop.sonic.net:110 bolt.sonic.net sleep 60"; 
> 	gives an error:
> 
> [tar at localhost tar]$ fetchmail -v
> fetchmail: 5.0.0 querying pop.sonic.net (protocol POP3) at Wed, 26 Jan 2000 23:08:40 -0800 (PST)
> tar at bolt.sonic.net's password:
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> fetchmail: POP3 connection to pop.sonic.net failed: Connection refused
> fetchmail: Query status=2
> fetchmail: normal termination, status 2

Your problem is that ssh is stopping to prompt for a password, and that 
isn't going to work.  You need to get ssh to let you in on RSA/.shosts
authentication, so it doesn't require a password.

However unless you're coming from outside sonic's network, Eric made
a good point.  Bolt (as the shell server) is a lot more likely to
be compromised than the routers or switches or the mail server, since
it has people on it all the time.  None of those others allow shell 
access to normal users.  If Bolt is compromised, then an attacker 
*could* sniff your password with this scheme, whereas they wouldn't
be able to if you just did a direct, unencrypted connection to the
pop server.  (I'll leave it to someone else to explain the security
advantages of switched networks when sniffing is suspected).

  -- Mitch
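The two problems Mitch raises (ssh stopping to prompt for a password, and the POP3 leg beyond the shell server being plaintext and therefore sniffable if that server is compromised) can both be read off the `preconnect` command itself. The following is an added example, not code from this thread or from fetchmail: a small checker that parses an OpenSSH-style `ssh -L` tunnel command and reports those two conditions. The first sample command is the one quoted above; the second adds `-o BatchMode=yes` plus an identity file (the key-based, non-interactive setup Mitch recommends); the third is a hypothetical tunnel terminating on the mail server itself, which the thread notes is not available to normal users here, included only to show the case where the last leg stays inside the tunnel. The option parsing assumes OpenSSH syntax.

```python
"""Static check of a fetchmail 'preconnect' ssh tunnel command (added example).

Reports two things discussed in the thread:
  PASSWORD_PROMPT    ssh may stop to ask for a password; fetchmail has no
                     terminal to answer it, so the tunnel never comes up.
  PLAINTEXT_LAST_LEG the forwarded service is on a different host than the
                     ssh server, so the hop ssh-host -> POP server is plain
                     POP3 and whoever controls the ssh host can read the
                     POP password.
"""
import shlex
from dataclasses import dataclass, field


@dataclass
class TunnelSpec:
    ssh_host: str
    local_port: int
    target_host: str
    target_port: int
    options: dict = field(default_factory=dict)   # from -o Key=value
    remote_command: list = field(default_factory=list)


# ssh flags that consume the following argv element (assumption: OpenSSH syntax)
_OPTS_WITH_ARG = {"-l", "-i", "-p", "-e", "-c", "-b", "-F"}


def parse_ssh_tunnel(cmd: str) -> TunnelSpec:
    """Pull the -L forward, -o options, ssh host and remote command out of an ssh command line."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "ssh":
        raise ValueError("expected an ssh command")
    options, forward, ssh_host, remote = {}, None, None, []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if ssh_host is not None:            # everything after the host is the remote command
            remote.append(arg)
            i += 1
        elif arg == "-L":
            forward = argv[i + 1]
            i += 2
        elif arg.startswith("-L"):          # -L1234:host:110 form
            forward = arg[2:]
            i += 1
        elif arg == "-o":
            key, _, val = argv[i + 1].partition("=")
            options[key] = val
            i += 2
        elif arg.startswith("-o"):          # -oBatchMode=yes form
            key, _, val = arg[2:].partition("=")
            options[key] = val
            i += 1
        elif arg in _OPTS_WITH_ARG:
            i += 2
        elif arg.startswith("-"):           # flag with no argument (-f, -N, ...)
            i += 1
        else:
            ssh_host = arg.rpartition("@")[2]   # strip any user@ prefix
            i += 1
    if forward is None or ssh_host is None:
        raise ValueError("need both a -L forward and an ssh host")
    parts = forward.split(":")              # [bind_address:]port:host:hostport
    if len(parts) < 3:
        raise ValueError("forward must look like [bind:]port:host:hostport")
    local_port, target_host, target_port = parts[-3], parts[-2], parts[-1]
    return TunnelSpec(ssh_host, int(local_port), target_host, int(target_port), options, remote)


def tunnel_findings(spec: TunnelSpec) -> list:
    """Return (code, explanation) pairs for the conditions described in the thread."""
    findings = []
    if spec.options.get("BatchMode", "no").lower() != "yes":
        findings.append(("PASSWORD_PROMPT",
                         "ssh may stop for a password under fetchmail; use RSA key or .shosts "
                         "authentication and -o BatchMode=yes so it fails instead of hanging"))
    # The last hop stays inside the tunnel only if the service is on the ssh host itself.
    if spec.target_host.lower() not in {spec.ssh_host.lower(), "localhost", "127.0.0.1"}:
        findings.append(("PLAINTEXT_LAST_LEG",
                         f"{spec.ssh_host} -> {spec.target_host}:{spec.target_port} is plain POP3; "
                         f"a compromised {spec.ssh_host} can sniff the POP password"))
    return findings


# Constructed sample commands (first one is the preconnect quoted in the thread).
THREAD_CMD = "ssh -f -L 1234:pop.sonic.net:110 bolt.sonic.net sleep 60"
KEYAUTH_CMD = ("ssh -o BatchMode=yes -i ~/.ssh/id_rsa_pop -f "
               "-L 1234:pop.sonic.net:110 bolt.sonic.net sleep 60")
DIRECT_CMD = "ssh -o BatchMode=yes -f -N -L 1234:localhost:110 pop.sonic.net"  # hypothetical

if __name__ == "__main__":
    for cmd in (THREAD_CMD, KEYAUTH_CMD, DIRECT_CMD):
        print(cmd)
        for code, why in tunnel_findings(parse_ssh_tunnel(cmd)) or [("OK", "no findings")]:
            print(f"  {code}: {why}")
```

Key-based authentication with `BatchMode=yes` clears the first finding, which is the fix for the error in the quoted session. The second finding is a property of the scheme itself: as long as the tunnel ends on a shared shell server rather than on the mail server, the POP password still crosses that server in the clear, which is exactly the trade-off Mitch describes.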
