HOWTO: Creating Secure Tunnels for POP3 and IMAP Email Protocols

When you connect to a POP3 or IMAP email server, you are prompted for your username and password. This authenticates you to the server, allowing you to check and read your email. When you connect to the server remotely, your username, PASSWORD, and email messages are transferred across the network as plaintext. This means that any node on the network path between you and the remote email server (a shared LAN, a wireless access point, an ISP router) can easily intercept and read this information. Needless to say, this is a bad thing.

To protect your personal information, you must create a secure tunnel between your machine and the remote email server. If the remote server is running SSH, you can easily do this with SSH port forwarding: your email program talks to a port on your own machine, and SSH carries that connection, encrypted, to the mail server. This document will show you how. It is assumed that the remote email server is a Unix server.

Windows


•  STEP 1: Get Plink and PuTTYgen Programs

If you are running Windows, you must first download a couple of programs from the PuTTY software suite. The first, called Plink, is a command-line SSH client that allows a Windows machine to run SSH connections in the background. The other, PuTTYgen, is needed to create SSH keys. Both are available from the PuTTY web site. For the sake of this document, let's say you put both plink.exe and puttygen.exe in a C:\PuTTY directory.


• STEP 2: Create SSH Keys

Run the PuTTYgen program. Select SSH2 DSA for the key type. (This is the type the document was written around; servers running OpenSSH 7.0 or later disable DSA keys by default, so against such a server choose RSA or Ed25519 instead.) Then click the Generate button. PuTTYgen will have you move your mouse around to create some randomness. When the key has been generated, leave the passphrase blank, so that the tunnel can be started without anyone typing it in. This does NOT weaken the encryption of the tunnel itself, but it does mean that the private key file is protected only by your Windows account: anyone who can read the .PPK file can log into the remote server as you. Keep it in a directory that only your account can read.

Save both the public and private keys. Let's say you named them both MyPuttyKey. (PuTTYgen will put the PPK extension on your private key.) These two new key files should be located in the C:\PuTTY directory.

If the remote server only uses the SSH1 protocol, you will have to generate an SSH1 key. To keep this document simple, usage of an SSH1 key will not be discussed. Suffice it to say that an SSH1 key will work as well, but be aware that the SSH1 protocol has known cryptographic weaknesses and has been removed from current OpenSSH releases; if SSH1 is all the server offers, ask its administrator to enable SSH2.


•  STEP 3: Allow SSH Key Authentication on the Remote Server

First, transfer your PUBLIC key file to your home directory on the remote server. This file will be called MyPuttyKey. DO NOT transfer the MyPuttyKey.PPK file to the remote server, as this is your PRIVATE key and must be kept, well...PRIVATE!

All of what follows in this step will be done on the remote server. Determine if the remote server uses the OpenSSH version of SSH. Run the command man ssh and it will say OpenSSH right at the top if this is the case (ssh -V, which prints the version string, is a quicker check). If the server is using OpenSSH, as is now the case with most Linux servers, you must convert your PuTTY SSH public key, which is in the SSH2 (RFC 4716) format, to the one-line format used by OpenSSH. To do so, run the following command:

ssh-keygen -i -f ~/MyPuttyKey > ~/MyOpenSSHKey.pub

Now, we must allow SSH authentication using your PuTTY key. Do the following:

mkdir -p ~/.ssh      # -p: no error if the directory already exists.
chmod 700 ~/.ssh
cat ~/MyOpenSSHKey.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Current OpenSSH reads ~/.ssh/authorized_keys; the authorized_keys2 file that early SSH2-capable releases used is still accepted on default configurations but is only kept for backwards compatibility. sshd also ignores the keys if ~/.ssh or the key file is writable by anyone but you, which is why the chmod commands matter. This will now allow your Windows machine to connect to this remote server using SSH automatically!

On the other hand, if the remote server uses an SSH.com version of SSH, as is the case with many proprietary Unix servers and older Linux servers, you will have to use a different process to allow authentication.

Run the following commands on the remote server:

mkdir ~/.ssh2      # Don't worry if this directory already exists.
chmod 700 ~/.ssh2
cp ~/MyPuttyKey ~/.ssh2/MyPuttyKey.pub
chmod 600 ~/.ssh2/MyPuttyKey.pub
echo "Key MyPuttyKey.pub" >> ~/.ssh2/authorization
chmod 600 ~/.ssh2/authorization

Notice that for the SSH.com version of SSH, we are using the public key originally generated by PuTTY. You do not need to convert it to a new format as you must do with the OpenSSH version of SSH.


•  STEP 4: Test the SSH Connection

Let's test the SSH connection now. Open a Command Prompt window (cmd.exe). Run the following commands:

c:
cd \PuTTY
plink -ssh -2 -i MyPuttyKey.PPK user@host

Replace user with your remote username and host with the full hostname of the remote server.

If plink is able to connect to the remote server, it may ask you if you want to store the server's host key. You must store the key for the tunnel to work, but this is also the one moment when someone on the network could substitute their own machine for the real server, so compare the fingerprint plink shows with one obtained out of band (from the server's administrator, or by running ssh-keygen -l -f on the server's host key file while logged in at its console) before answering yes. Plink should now log into the remote server. You should not need to type in your password. If plink asked you for your password, then something went wrong with STEP 3. Go back and read through STEP 3 again, and try to fix the problem.


•  STEP 5: Write a Batch Program

Next, you must write a batch program that uses plink to create the secure tunnel. Here's a sample batch program that will work:

@echo off
C:\PuTTY\plink -ssh -2 -batch -i C:\PuTTY\MyPuttyKey.PPK -L 110:host:110 user@host "echo $$ > ~/EmailTunnel.txt ; while [ $$ = `cat ~/EmailTunnel.txt` ]; do sleep 60; done"

Replace both occurrences of host with the full hostname of the remote server. Replace user with your remote username. (cmd.exe does not touch $$ or the backticks, so they reach the remote shell intact.)

POP3 uses port 110. That is why you see the number 110 twice above. If you are using the IMAP protocol instead of POP3, change both occurrences of 110 to 143. The -batch option makes plink abort instead of waiting for keyboard input, so a tunnel started in the background can never hang on a prompt; it also means the server's host key must already have been accepted in STEP 4.

The odd looking Unix command wrapped in quotes will work well for Linux servers, making sure that only one copy of the tunnel is running on the remote server at a time: each new tunnel writes its process ID to ~/EmailTunnel.txt, and any older copy exits the next time it notices that the file no longer holds its own ID. The comparison uses a single =, which every Bourne-style shell accepts (== only works in bash). If you have trouble with this command, or if the batch program terminates right after logging into the remote server, then just make the remote command an infinite loop that sleeps for 60 seconds (using a syntax appropriate to your remote shell). Current versions of plink also accept the -N option, which sets up the port forwarding without running any remote command; with it, the quoted command can be dropped entirely.

Save the batch program into a C:\PuTTY\email_tunnel.bat file. Now, run the email_tunnel.bat program. It should tell you that it is authenticating with your public key, and then it will appear to do nothing. This means that the secure tunnel is up and running. If you had to type anything when you ran the batch program, then something went wrong in STEPS 3 and 4. To help you diagnose the problem, you can add the -v option to the plink command, which will provide you with more information.


•  STEP 6: Configure the Email Program

The next step is to use the secure tunnel with your email program. Right now your email program is configured to connect directly to the remote host. Change its configuration to connect to localhost instead, leaving the port at 110 (or 143 for IMAP). (If localhost doesn't work for you, try connecting to 127.0.0.1.) Your email program now speaks plaintext only to the tunnel's end on your own machine; from there plink carries everything, password included, encrypted to the remote server. This routes all the traffic of your email program through your secure tunnel, protecting your personal information!

If your email program says that the connection was refused when you check your mail, then something is wrong with the tunnel: either the batch program is no longer running, or it is listening on a different port than the one your email program is using.


•  STEP 7: Running the Tunnel

You have a number of options available to you for running the tunnel. The easiest method is to create a shortcut to your batch program, and run that manually whenever you boot your computer.

If you want Windows to run this shortcut automatically, put it in your Startup Folder.

If you want to get really fancy, and are running Windows NT, Windows 2000, or Windows XP, you can have the tunnel run in the background as a Windows Service. Please read the instructions for this thoroughly before you jump into it. It is a fairly involved process.

To create a Service, you must first download the Windows Resource Kit from Microsoft. Search for Resource Kit at Microsoft Downloads and install the one that is appropriate to your version of Windows. In the Resource Kit there is a program called srvany.exe used to run an ordinary program as a Windows Service, and a companion called instsrv.exe that registers it.

To add the Service to the Windows Registry run the following command:

instsrv EmailTunnel PATH\srvany.exe

Change PATH to the full path of the srvany program, quoting the whole argument if the path contains spaces. For example:

instsrv EmailTunnel "C:\Program Files\Windows Resource Kits\Tools\srvany.exe"

Next, run the regedit program. srvany takes the program it should run from a Parameters subkey under the service's own registry key (this is srvany's documented configuration), so do the following:

Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EmailTunnel, which instsrv created. Add a new key named Parameters. Inside it, add a String value named Application whose data is the full path of cmd.exe (C:\Windows\System32\cmd.exe on Windows XP, C:\WINNT\System32\cmd.exe on Windows NT and 2000), and a String value named AppParameters whose data is /c C:\PuTTY\email_tunnel.bat.

Now, open the Administrative Tools folder, and open the list of Services. (You can find this either under the Start Menu or the Control Panel.) Open the Properties for the EmailTunnel service and, on the Log On tab, change it to use your Windows user account and password. This is necessary because plink keeps the server host key you accepted in STEP 4 in your user's part of the registry (HKEY_CURRENT_USER), and the -batch option makes plink give up rather than prompt when the host key is unknown. Set the service to be started Automatically.

Start the service. The tunnel should now be running. Test it with your email program. If all was successful, the tunnel will start automatically and run in the background whenever you boot your computer. Your mileage may vary with the Windows Service, however. If the tunnel is idle for a long period of time, or if your network is flaky, the network connection the tunnel uses will die. If this happens frequently, having the secure tunnel run as a Service may be inconvenient, as the process to restart the Service can be tedious. In that case, you might want to stick with the batch program instead.


Linux

Let's say you want to create a secure tunnel between a local Linux machine and the remote email server. The following instructions are for the OpenSSH version of SSH on the local Linux machine.


•  STEP 1: Generate SSH Keys

Run the following command on the local host:

ssh-keygen -t dsa

When prompted for a passphrase, just hit enter for an empty passphrase. As with the Windows key, this does not weaken the tunnel's encryption, but it means that anyone who can read ~/.ssh/id_dsa can log into the remote server as you, so leave its permissions at 600 (ssh-keygen sets this for you). If you would rather keep a passphrase on the key, load it into ssh-agent once per login session instead; ssh then takes the key from the agent and still starts the tunnel without prompting.

Note that OpenSSH servers disable DSA keys by default since version 7.0, and the newest releases drop DSA altogether. Against such a server, generate an Ed25519 key with ssh-keygen -t ed25519 (or an RSA key with ssh-keygen -t rsa -b 3072) and use id_ed25519.pub (or id_rsa.pub) wherever id_dsa.pub appears below.


•  STEP 2: Allow SSH Key Authentication on the Remote Server

Copy your public key file, probably ~/.ssh/id_dsa.pub, to your home directory on the remote server. (Copy only the .pub file; the private key stays on the local machine.)

For the OpenSSH version of SSH on the remote server:

On the remote server, run the following commands.

mkdir -p ~/.ssh      # -p: no error if the directory already exists.
chmod 700 ~/.ssh
cat ~/id_dsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Current OpenSSH reads ~/.ssh/authorized_keys; the authorized_keys2 name from early SSH2-capable releases is only kept for backwards compatibility. The ssh-copy-id utility shipped with OpenSSH performs these four steps for you, permissions included, when run as ssh-copy-id user@host on the local machine.
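The cat >> authorized_keys step here, and the same step in STEP 3 of the Windows section, appends whatever happens to be in the file. The script below is an added example, not code from the original HOWTO, that does the same job with the checks a practitioner would want: it parses the key's base64 blob and confirms that the type declared at the start of the line matches the type encoded inside the blob (so a file still in PuTTY's SSH2 format, or a truncated one, is rejected instead of silently appended), skips keys that are already present, sets the permissions sshd requires, and prefixes the key with authorized_keys options that confine a passphrase-less tunnel key to port forwarding to the mail port. It assumes GNU coreutils on the server (base64 -d and od) and OpenSSH 7.2 or later for the restrict option; host:110 in TUNNEL_OPTIONS is a placeholder for whatever the -L option names on the client.

```bash
#!/usr/bin/env bash
# install_tunnel_key.sh: add a public key to authorized_keys with checks.
# Added example for this HOWTO, not code from the original page. Replaces the
# bare "cat key >> authorized_keys" with: a format check (the key type named
# inside the base64 blob must match the declared type, so a file still in
# PuTTY's SSH2 format or a truncated one is rejected), a duplicate check, the
# permissions sshd insists on, and least-privilege options for a tunnel key.
# Assumes GNU coreutils (base64 -d, od; use base64 -D on macOS) and OpenSSH
# 7.2+ on the server for "restrict". host:110 is a placeholder.

# Print the key type encoded in the blob (its first length-prefixed string),
# or fail if the blob is not base64 or too short to carry one.
key_blob_type() {
    local b64="$1" bytes len type c
    case "$b64" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    bytes=$(printf '%s' "$b64" | base64 -d 2>/dev/null | od -An -v -tu1) || return 1
    # shellcheck disable=SC2086  (one positional parameter per byte value)
    set -- $bytes
    [ $# -ge 4 ] || return 1
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))   # big-endian uint32
    shift 4
    [ "$len" -gt 0 ] && [ "$len" -le 64 ] && [ $# -ge "$len" ] || return 1
    type=""
    while [ "$len" -gt 0 ]; do
        c=$(printf "\\$(printf '%03o' "$1")")   # byte value -> ASCII character
        type="$type$c"
        shift
        len=$((len - 1))
    done
    printf '%s\n' "$type"
}

# Validate one "<type> <base64> [comment]" line as OpenSSH would read it.
validate_pubkey() {
    local line="$1" type b64 rest blob_type
    type="${line%% *}"
    rest="${line#* }"
    b64="${rest%% *}"
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        ssh-dss) echo "warning: DSA keys are disabled by default in OpenSSH 7.0+" >&2 ;;
        *) return 1 ;;
    esac
    blob_type=$(key_blob_type "$b64") || return 1
    [ "$blob_type" = "$type" ]
}

# Append the key (optionally prefixed with authorized_keys options) exactly
# once, creating ~/.ssh with the modes sshd's StrictModes check requires.
install_key() {
    local akfile="$1" keyline="$2" options="${3:-}" dir rest b64
    validate_pubkey "$keyline" || { echo "refusing to install malformed key: $keyline" >&2; return 1; }
    dir=$(dirname "$akfile")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$akfile" && chmod 600 "$akfile" || return 1
    rest="${keyline#* }"
    b64="${rest%% *}"
    if grep -qF -- "$b64" "$akfile"; then
        echo "key already present in $akfile" >&2
        return 0
    fi
    if [ -n "$options" ]; then
        printf '%s %s\n' "$options" "$keyline" >> "$akfile"
    else
        printf '%s\n' "$keyline" >> "$akfile"
    fi
}

# Least privilege for a passphrase-less key whose only job is this tunnel:
# "restrict" turns every capability off, "port-forwarding" turns forwarding
# back on, "permitopen" limits it to the mail port. Use the same host:port
# that the -L option names on the client (143 for IMAP).
TUNNEL_OPTIONS='restrict,port-forwarding,permitopen="host:110"'

# Usage when run as a script: install_tunnel_key.sh "ssh-ed25519 AAAA... comment"
if [ $# -ge 1 ]; then
    install_key "$HOME/.ssh/authorized_keys" "$1" "$TUNNEL_OPTIONS"
fi
```

Once a key carries restrict, an interactive ssh user@host will not be given a terminal, so test the key with ssh user@host true (which should print nothing and exit 0) or simply by starting the tunnel; the remote keep-alive loop from STEP 3 still runs under restrict, since it needs no terminal.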

For the SSH.com version of SSH on the remote server:

First, you have to convert your OpenSSH key to one in the SSH.com format. Do the following on the local machine.

ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/ssh_commercial_id_dsa.pub

Copy this new key, the ~/ssh_commercial_id_dsa.pub file, to your home directory on the remote server.

Now, on the remote server, run the following commands.

mkdir ~/.ssh2      # Don't worry if this directory already exists.
chmod 700 ~/.ssh2
cp ~/ssh_commercial_id_dsa.pub ~/.ssh2/ssh_commercial_id_dsa.pub
chmod 600 ~/.ssh2/ssh_commercial_id_dsa.pub
echo "Key ssh_commercial_id_dsa.pub" >> ~/.ssh2/authorization
chmod 600 ~/.ssh2/authorization


Now, for either version, test to make sure that SSH connects to the remote server automatically by running the following command on the local machine:

ssh user@host

Replace user with your remote username and host with the remote hostname. This should log you into the remote server without the necessity of typing your password. (Adding -o BatchMode=yes to the command makes ssh fail immediately instead of falling back to a password prompt, which removes any doubt about whether the key was used.) The first connection will also ask you to confirm the server's host key; compare its fingerprint with one obtained out of band before accepting it, since an attacker who gets you to accept a wrong key can read everything the tunnel carries.


•  STEP 3: Create the SSH Tunnel

ssh -f -l user -L 110:host:110 host 'echo $$ > ~/EmailTunnel.txt; while [ $$ = `cat ~/EmailTunnel.txt` ]; do sleep 60; done'

Replace both occurrences of host with the full hostname of the remote server. Replace user with your remote username. Note the single quotes around the remote command: inside double quotes, your local shell would substitute its own process ID for $$ before ssh ever sent the command, and the file on the server would not hold the remote loop's ID at all.

POP3 uses port 110. That is why you see the number 110 twice above. If you are using the IMAP protocol instead of POP3, change both occurrences of 110 to 143. On Linux only root can bind a local port below 1024, so if you run the tunnel as an ordinary user, pick a high local port instead (for example -L 1110:host:110) and give your email program that port.

Do not add the -g option here. -g lets any host that can reach your Linux machine use your forwarded port, so their mail traffic would cross your LAN in plaintext and your machine would become an unauthenticated relay to the mail server; since the email program runs on the same machine, the default (listening on localhost only) is what you want.

The odd looking Unix command wrapped in quotes will work well for Linux servers, making sure that only one copy of the tunnel is running on the remote server at a time: each new tunnel writes its process ID to ~/EmailTunnel.txt, and any older copy exits the next time it notices that the file no longer holds its own ID. If you have trouble with this command, or if the command terminates right after logging into the remote server, then just make the remote command an infinite loop that sleeps for 60 seconds (using a syntax appropriate to your remote shell), or drop the command altogether and add the -N option, which tells ssh to set up the forwarding and run nothing on the server.

Once this tunnel is up and running, you can configure your email program to connect to the local Linux machine (localhost, port 110 or 143, or the high port you chose), which will tunnel all your POP3 or IMAP traffic securely to the remote email server.
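The following script is an added example, not part of the original HOWTO. It does on the local Linux machine what the batch program in the Windows STEP 5 and the ssh command above do, with the points raised in this step and in the Notes below handled: one tunnel at a time (a local PID file checked with kill -0, in place of the loop on the server), an unprivileged local port when not running as root, no -g, keep-alive probes so that a dead link is noticed, and a check that the forwarded port is actually listening before reporting success. user, host and the port numbers are the placeholders from the text; the PID file location and the 1110/1143 fallback ports are this example's own assumptions.

```bash
#!/usr/bin/env bash
# email_tunnel.sh: start, stop or check one SSH tunnel to the mail server.
# Added example for this HOWTO, not code from the original page.
# Assumptions: OpenSSH on the local machine; the key from STEP 1 installed
# on the server (STEP 2); "user"/"host" are the placeholders used in the
# text; the PID file path and the 1110/1143 fallback ports are this
# example's own choices.

REMOTE_USER="${REMOTE_USER:-user}"
REMOTE_HOST="${REMOTE_HOST:-host}"
REMOTE_PORT="${REMOTE_PORT:-110}"             # 110 = POP3, 143 = IMAP
PIDFILE="${PIDFILE:-$HOME/.email_tunnel.pid}"

# Only root may bind a port below 1024 on Linux. Root keeps the real port;
# anyone else gets port+1000 (1110/1143) and must tell the email program so.
choose_local_port() {
    local remote_port="$1" uid="${2:-$(id -u)}"
    if [ "$uid" -eq 0 ]; then
        echo "$remote_port"
    else
        echo "$((remote_port + 1000))"
    fi
}

# True if the PID in the pidfile is a live process. This is the local-side
# replacement for the "echo $$ > ~/EmailTunnel.txt" loop on the server.
tunnel_alive() {
    local pidfile="$1" pid
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile" 2>/dev/null)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# True if something accepts TCP connections on host:port. Uses bash's
# /dev/tcp so no extra tools are needed; fails cleanly on shells without it.
port_open() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

start_tunnel() {
    local local_port i
    local_port=$(choose_local_port "$REMOTE_PORT")
    if tunnel_alive "$PIDFILE"; then
        echo "tunnel already running (pid $(cat "$PIDFILE")) on 127.0.0.1:$local_port"
        return 0
    fi
    # -N: forward only, no remote command.  BatchMode: never prompt.
    # ExitOnForwardFailure: die rather than run without the forward.
    # ServerAlive*: probe the link every minute, give up after 3 misses.
    # Binding 127.0.0.1 explicitly keeps the listener off the LAN (no -g).
    nohup ssh -N \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
        -L "127.0.0.1:${local_port}:${REMOTE_HOST}:${REMOTE_PORT}" \
        "${REMOTE_USER}@${REMOTE_HOST}" >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
    # Wait up to ten seconds for ssh to authenticate and bind the port.
    for i in 1 2 3 4 5 6 7 8 9 10; do
        if port_open 127.0.0.1 "$local_port"; then
            echo "tunnel up: 127.0.0.1:$local_port -> ${REMOTE_HOST}:${REMOTE_PORT}"
            return 0
        fi
        tunnel_alive "$PIDFILE" || break     # ssh already gave up
        sleep 1
    done
    echo "tunnel failed to start; rerun ssh by hand with -v to see why" >&2
    tunnel_alive "$PIDFILE" && kill "$(cat "$PIDFILE")" 2>/dev/null
    rm -f "$PIDFILE"
    return 1
}

stop_tunnel() {
    if tunnel_alive "$PIDFILE"; then
        kill "$(cat "$PIDFILE")" 2>/dev/null
    fi
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start)  start_tunnel ;;
    stop)   stop_tunnel ;;
    status) if tunnel_alive "$PIDFILE"; then echo "running"; else echo "stopped"; fi ;;
    *)      echo "usage: $0 start|stop|status" >&2 ;;
esac
```

Run it as ./email_tunnel.sh start and point the email program at the port it prints; status and stop do what their names say. Because ssh is started with -N and BatchMode=yes it never prompts: if the key from STEP 2 is not accepted, or the host key is unknown, the script fails within ten seconds instead of hanging, and running the ssh command by hand with -v shows why.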


Notes

First of all, the tunnel will not run forever. This is especially true if your network connection is flaky, or if a NAT router or firewall between you and the server drops connections that have been idle for a while. You may have to stop and restart your secure tunnel. Do this if you are getting a Connection Refused error in your email program. On the Linux side, adding -o ServerAliveInterval=60 to the ssh command makes ssh send a probe every minute, which both keeps such devices from timing the connection out and lets ssh exit (so that you notice) when the link is really dead.

This secure tunnel is only for your POP3 or IMAP traffic. This pertains to your incoming email. Your email program is probably using SMTP for outgoing messages. If so, any mail you send is traveling across the network insecurely. You can set up a secure tunnel on the SMTP port (25, or 587 if your server offers the submission port) to protect your outgoing email messages, but this tunnel will only be between you and your email server, NOT between you and the recipient of the message! To secure your outgoing email end to end, you should use a privacy program like PGP or GPG. Note also that many mail servers today offer POP3S (port 995), IMAPS (port 993) or STARTTLS on the standard ports; if yours does, turning on TLS in your email program protects the password and messages on the same hop without any tunnel.

The biggest advantage of a POP3 or IMAP tunnel is the protection of your PASSWORD. Without a secure tunnel, your account on the remote server can be easily compromised, which in turn can compromise the security of the entire server! Please, use a secure tunnel.

In fact, you can create a secure tunnel using SSH for any protocol that uses a single TCP connection. One such protocol ripe for a secure tunnel is CVS pserver, which also sends a password for authentication.

See also: HOWTO: SSH Port Forwarding.

If this document is confusing, or if you are experiencing problems, please email Adam with your comments or questions.

  Copyright (C) 2003  Adam P. Whitney