SSH Tunnels

From Frotmail Projects

HOWTO: Sending Email from a Laptop

I own two laptops and one desktop computer, all of which run Linux. Most modern Linux distributions come with postfix and/or sendmail, which allow them to deliver email directly. Unfortunately, in an attempt to reduce spam, many sysadmins have configured their mail servers not to accept email sent this way, i.e. delivered directly from an arbitrary host such as a laptop rather than from a known relay.

On a desktop machine you can simply configure your mail client software to use your institute's or your Internet service provider's mail relay. Life is not so easy with a laptop. You have to change the settings in your email client every time you change locations. If you carry your laptop to and from work this could mean changing your settings twice a day.

This web page describes some solutions to this problem using ssh tunnels. To implement them you need ssh access to a system at your institute (company or university) and an ssh client installed on your laptop. The solutions described here use OpenSSH on Linux, but should be easy to adapt to any ssh implementation on any operating system, including Microsoft Windows with the very good PuTTY ssh client.

A Simple ssh Tunnel

The simplest way to solve this problem is via an ssh tunnel. Suppose your institute's gateway is called gw.ms.com and your institute's SMTP server is called mail.ms.com (these could be the same machine). This solution involves a simple ssh tunnel from your laptop to your SMTP server.

SSH Tunnel

The following command (run as root, because port 25 is a privileged port that only root may listen on) will open an ssh tunnel from your laptop to your mail server.

ssh -N -L25:mail.ms.com:25 username@gw.ms.com

After prompting you for your password, ssh will listen on port 25 of your laptop (the SMTP port) and forward every connection it receives there, through the encrypted ssh session, to port 25 of mail.ms.com. The TCP connection to mail.ms.com is made by gw.ms.com, so the relay treats it like any other connection from inside the institute. Now, if you configure your mail client (on your laptop) to use the SMTP server "localhost" you will be able to send mail through your institute's email server. To the receiver of the mail, it will appear as if the mail came from mail.ms.com.

The drawback of this solution is that when your laptop becomes disconnected from the Internet for any reason the ssh tunnel will collapse and you will have to run the above command again to reopen the tunnel. Furthermore, ssh requires your password in order to open the tunnel, so you can't easily automate this process by putting it in a startup script or cron job.

Special Purpose Keys, ssh without a Password

It is possible to open an ssh tunnel without a password provided that you're willing to do a bit of configuring beforehand. For this, you will need a special-purpose private/public key pair generated with ssh-keygen.

As root, on your laptop, run the command:

ssh-keygen -t rsa -f ~/.ssh/specialkey

and enter an empty passphrase when prompted. This will create the files ~/.ssh/specialkey (your private key) and ~/.ssh/specialkey.pub (your public key). Leave the first file where it is; since it has no passphrase, anyone who can read it can use it, so keep it owned by root with mode 0600 (ssh-keygen's default). From the second file you will make a new special authorized key on your institute's gateway.

The second file (~/.ssh/specialkey.pub) contains some text of the form

ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB.........

Copy this text and, on the gateway (gw.ms.com), add a line to the file ~/.ssh/authorized_keys (older OpenSSH releases read ~/.ssh/authorized_keys2 instead) that looks like this

command="echo Connected!",no-X11-forwarding,no-agent-forwarding,permitopen="mail.ms.com:25" ssh-rsa AAAAB3NzaC1yc2E....

(You may have to create the file.) The options in front of the key are what make it safe to use without a passphrase: command= replaces whatever shell or command the key holder asks for with a harmless echo, the two no-* options disable X11 and agent forwarding, and permitopen restricts -L forwarding to mail.ms.com:25, so the key is good for nothing but this tunnel. Now, if you've done everything right you should be able to open an ssh tunnel to your mail server by issuing the command

ssh -N -i ~/.ssh/specialkey -L25:mail.ms.com:25 username@gw.ms.com

without having to enter your password (the -i option is needed because ssh only tries its default key files on its own). Be aware, however, that if an attacker gains access to your root account on your laptop, and with it the unencrypted private key, then they also gain access to your institute's SMTP server and could use this to impersonate you or send spam from this server. This could make your sysadmin very unhappy with you.
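Whether a key is actually locked down is easy to get wrong when editing authorized_keys by hand, and a passphrase-less key that is missing one of the options above is a full shell on the gateway for whoever copies it off the laptop. The following script is an added example, not part of the original page: it reads an authorized_keys file and reports every key that lacks a forced command, the two forwarding restrictions, or a port-forwarding limit. The sample file and its key blobs are constructed; the newer "restrict" option (OpenSSH 7.2 and later), which disables all forwarding at once, is treated as satisfying the three forwarding checks.

```shell
#!/bin/sh
# Added example (not part of the original page): audit an authorized_keys file
# and list every key that is not locked down the way a passphrase-less tunnel
# key should be. Such a key should carry a forced command, disable agent and
# X11 forwarding, and either forbid port forwarding or confine it with
# permitopen=. The "restrict" option (OpenSSH 7.2 and later) switches all
# forwarding off at once and is accepted as covering those three checks.

# audit_keys: read authorized_keys lines on stdin and print one line per
# deficient key, in the form "<comment>: missing <option> [<option> ...]".
audit_keys() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        opts = ""
        # A line that starts with a key type has no options field. Otherwise
        # the options extend to the first space outside double quotes, since
        # values such as command="nc mail.ms.com smtp" contain spaces.
        if (line !~ /^(ssh-|ecdsa-sha2-|sk-)/) {
            inq = 0
            n = length(line)
            for (i = 1; i <= n; i++) {
                c = substr(line, i, 1)
                if (c == "\"") inq = !inq
                else if (c == " " && !inq) break
            }
            opts = substr(line, 1, i - 1)
            line = substr(line, i + 1)
        }
        nf = split(line, f, " ")
        comment = (nf >= 3) ? f[3] : "(no comment)"
        o = "," opts ","      # pad so each option matches as ,name, or ,name=
        restricted = (o ~ /,restrict,/)
        missing = ""
        if (o !~ /,command=/) missing = missing " command="
        if (!restricted && o !~ /,no-X11-forwarding,/) missing = missing " no-X11-forwarding"
        if (!restricted && o !~ /,no-agent-forwarding,/) missing = missing " no-agent-forwarding"
        if (!restricted && o !~ /,no-port-forwarding,/ && o !~ /,permitopen=/)
            missing = missing " permitopen=/no-port-forwarding"
        if (missing != "") print comment ": missing" missing
    }'
}

# Constructed sample authorized_keys file; the key blobs are fake.
sample_keys() {
    cat <<'EOF'
# tunnel key for the laptop, restricted as the HOWTO suggests
command="echo Connected!",no-X11-forwarding,no-agent-forwarding,permitopen="mail.ms.com:25" ssh-rsa AAAAB3NzaC1yc2EFAKE1 laptop-tunnel
# forced command, but forwarding left wide open
command="nc mail.ms.com smtp",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKE2 laptop-xinetd
# ordinary keys: full shell and any forwarding
ssh-rsa AAAAB3NzaC1yc2EFAKE3 desktop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKE4 phone
EOF
}

# Run it on the sample; for a real file use:  audit_keys < ~/.ssh/authorized_keys
sample_keys | audit_keys
```

The quote-aware scan of the options field is the part a quick grep gets wrong: a forced command such as command="nc mail.ms.com smtp" contains spaces, so the options cannot simply be taken as the first whitespace-separated word. Run it on the gateway against every account that holds one of your laptop keys.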

Now you can keep your laptop's tunnel open by running a script like the following:

#!/bin/bash
# Keep the tunnel up: whenever ssh exits (network change, gateway reboot,
# idle timeout) wait a moment and open it again.
while true; do
    ssh -N -i ~/.ssh/specialkey -L25:mail.ms.com:25 username@gw.ms.com
    sleep 5
done

This script will open an ssh tunnel and when that tunnel collapses for whatever reason it will open it again in 5 seconds. This should be sufficient for personal email. You may want to run this script from your laptop's startup files.
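The loop above only notices that something is wrong when ssh exits, but ssh can stay connected while the tunnel is useless: sshd may have refused the -L forward, the relay may be down, or something else may already be listening on localhost:25. The script below is an added example, not part of the original page; it talks SMTP through the local end of the tunnel and checks the reply codes, handling the multi-line replies (250-... continuation lines) that a real relay sends to EHLO. The hostnames, the "laptop.example" HELO name and the two transcripts are constructed; the live check uses nc, which the laptop needs installed.

```shell
#!/bin/sh
# Added example (not part of the original page): an SMTP smoke test for the
# tunnel. The reconnect loop only notices when ssh exits, but ssh can stay
# connected while the tunnel is useless: sshd may refuse the -L forward, the
# relay may be down, or something else may be listening on localhost:25.
# Talking SMTP through the tunnel shows whether mail would really go out.
# Hostnames and the "laptop.example" HELO name are assumptions.

# smtp_reply_codes: read the server side of an SMTP session on stdin and print
# the code of each reply, one per line. Multi-line replies use "250-" on the
# continuation lines and "250 " on the last one, so only the final line counts.
smtp_reply_codes() {
    awk '{
        sub(/\r$/, "")
        if (length($0) >= 3 && substr($0, 4, 1) != "-") print substr($0, 1, 3)
    }'
}

# tunnel_ok TRANSCRIPT: succeed when the transcript shows a 220 banner, a
# 250 reply to EHLO and a 221 reply to QUIT, in that order.
tunnel_ok() {
    codes=$(printf '%s\n' "$1" | smtp_reply_codes | tr '\n' ' ')
    [ "$codes" = "220 250 221 " ]
}

# check_tunnel: run the live check against the tunnel's local end. nc exits
# when the relay closes the session after QUIT; -w 5 bounds a hung forward.
check_tunnel() {
    transcript=$(printf 'EHLO laptop.example\r\nQUIT\r\n' | nc -w 5 localhost 25)
    tunnel_ok "$transcript"
}

# Constructed transcripts: what a Postfix relay answers when it accepts the
# laptop, and when it rejects it.
SAMPLE_ACCEPTED='220 mail.ms.com ESMTP Postfix
250-mail.ms.com
250-PIPELINING
250-SIZE 10240000
250 8BITMIME
221 2.0.0 Bye'

SAMPLE_REJECTED='220 mail.ms.com ESMTP Postfix
554 5.7.1 <laptop.example>: Helo command rejected: Access denied
221 2.0.0 Bye'

# Usage on the laptop once the tunnel is up:  check_tunnel && echo "tunnel OK"
if tunnel_ok "$SAMPLE_ACCEPTED"; then echo "sample relay accepted us"; fi
if tunnel_ok "$SAMPLE_REJECTED"; then :; else echo "sample relay rejected us"; fi
```

Calling check_tunnel from a cron job, or from the reconnect loop before it sleeps, turns "ssh is running" into "mail can actually be sent", which is the property you care about.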

An ssh Tunnel Started by inetd or xinetd

Your ssh tunnel is essentially a service offered to email client software and occasionally this service needs to be restarted. Under Linux, the tool that handles these kinds of services is inetd, or xinetd. These are daemons that listen on a port and when a connection arrives at that port they start a server process to handle that connection. They do this by connecting the server process' stdin and stdout streams to the connection on the incoming port.

From the above description it sounds like it should be easy to make xinetd work with ssh. Unfortunately, that's not the case with the ssh versions this page was written for. ssh can tunnel between two ports on different machines (-L), or connect the stdin/stdout of processes on two machines (the remote command), but it can't connect stdin/stdout of a process on one machine to a port on another machine. (OpenSSH 5.4 and later can: the -W host:port option connects the client's own stdin/stdout to a connection that the server opens to host:port, with no helper program on the gateway.)

The workaround for this is to connect the stdin/stdout of a process running on your laptop to the stdin/stdout of a process running on your institute's gateway and then forward that to the SMTP port of your SMTP server.

To make a long story short, add the following to the xinetd configuration on your laptop (for example as /etc/xinetd.d/smtp) and restart the xinetd service.

# description: This uses ssh to tunnel to the mail relay at 
service smtp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        disable         = no
        server          = /usr/bin/ssh
        server_args     = -q -T -i /root/.ssh/specialkey username@gw.ms.com
        groups          = yes
        bind            = 127.0.0.1
}

and add this line to the file ~/.ssh/authorized_keys (or ~/.ssh/authorized_keys2 on older OpenSSH) on your institute's gateway:

command="nc mail.ms.com smtp",no-X11-forwarding,no-agent-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2E.......

When your laptop's mail client tries to send mail, xinetd will make an ssh connection to gw.ms.com and execute the command "nc mail.ms.com smtp" to connect to port 25 (the SMTP port) of mail.ms.com. Because the forced command does the connecting, this key needs no -L forwarding at all, so no-port-forwarding replaces the permitopen option of the previous section. This requires that the netcat (nc) program be installed on the gateway and be in the path of username there. Beware that some netcat variants keep the connection open after their stdin is closed; if sessions hang when a mail client drops the connection without sending QUIT, look at the -q option of Debian's nc.traditional or the -N option of OpenBSD nc. Alternatively, the programs socat or socket can be used instead of netcat. In these cases, you would replace the command above with

command="socat STDIO TCP4:mail.ms.com:25"

or

command="socket mail.ms.com 25"

respectively.
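With a recent OpenSSH client the helper program on the gateway is not needed at all: since OpenSSH 5.4 the -W host:port option makes the client connect its own stdin/stdout to a forward that the server opens to host:port, which is exactly what xinetd wants. The stanza below is an added example, not from the original page; it assumes the same hostnames, key file and username as the xinetd configuration above.

```text
# /etc/xinetd.d/smtp on the laptop, using ssh -W instead of nc on the gateway
service smtp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        disable         = no
        server          = /usr/bin/ssh
        server_args     = -q -o BatchMode=yes -i /root/.ssh/specialkey -W mail.ms.com:25 username@gw.ms.com
        groups          = yes
        bind            = 127.0.0.1
}
```

On the gateway, use the authorized_keys line from the "Special Purpose Keys" section, the one with permitopen="mail.ms.com:25" and without no-port-forwarding: -W requests no shell (it implies -N and -T), so the forced command never runs, and it is the forward to mail.ms.com:25 that must be permitted. BatchMode=yes makes ssh fail at once instead of waiting for a password that nobody can type under xinetd.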

That's it! If you have any questions or comments about this then send me email. In particular, if you know how to use ssh with xinetd without requiring the netcat, socat or socket software I would love to hear about it. It would be better to replace socket with telnet (which is standard in most operating systems) but telnet's information messages seem to get in the way.

Mac OS X and/or BSD

Some Mac OS X and BSD instructions were contributed by Stefan Langerman.