christophe barbé on Wed, 3 Jul 2002 09:05:50 -0400
On Wed, Jul 03, 2002 at 03:32:27AM -0400, gabriel rosenkoetter wrote:
> On Tue, Jul 02, 2002 at 10:58:20PM -0400, Jesse Schultz wrote:
> > gabriel rosenkoetter wrote:
> > > I could easily expand on the SSH PKI rant I've been on today, if
> > > people want to hear it
> > I do.
>
> Well, if we've got the time, I'm glad to run through how my own set
> up works and what the various pitfalls of using PKI with SSH are.
> Sounds like we've got a pretty interesting topic this meeting, so
> maybe I'll pull this together with some other crypto-related stuff
> and talk about it later in the year.
>
> Maybe MCT and I could talk about CipherSaber. ;^>

It sounds interesting. Unfortunately I could not be there tonight, so I hope you will do that later.

> > Even though I pulled us into a tangent on the su thing, I would be
> > interested in using certificates with SSH. Also with POP3 if you know
> > anything about that.
>
> Well, POP3 has no internal encryption methods. You can talk POP3
> over an SSL-encrypted channel (and you can call it POP3S if you like
> it, but you're in a state of sin when you do ;^>), and you can even
> do that, I'm told, when talking to a Microsoft Exchange server,
> though I haven't gotten my hands on my employer's yet to try.
>
> Some MTAs make it easier to hook into this than others. Probably
> the easiest way to graft it onto an existing MTA without recompilation
> or (more than trivial) reconfiguration is stunnel[1]. A more
> complicated, though in the long run cheaper, in terms of maintenance,
> and more truly secure[2] route would be IPSec. Don't try that on
> Linux right now unless you want to learn a whole lot about the
> internals of FreeSWAN. (I'd be glad to be corrected and told that
> FreeSWAN is easy these days and actually does all of IPSec, but I
> think I'd have heard a lot more noise about it by now if that were
> the case).
With SSH it's easy to forward a port from a remote host to a local host and then use a POP client through this sort-of tunnel. This requires a shell account on the remote machine. You also need a mail client that allows you to specify a pre-connect command (mutt does) to set up the temporary port forwarding. It is also possible to use a script to set up the port forwarding when required (the ssh connection dies once you have used it, so you need to relaunch ssh). I can find the correct syntax if you want, just ask.

The best solution to grab your mail in a secure manner is to use IMAPS. This also protects you against MITM attacks when set up correctly. I can't understand why not all ISPs provide it. DCA.net only provides IMAP; I was very disappointed about that, but I guess Verizon does the same. So with DCA.net you have two solutions: grab your mail in an insecure way (at least fetch it only when you are connected to your DCA link, which is not always true with a laptop) or pay $5 per month for a shell account.

NOTE: Secure mail is especially important with cable modem (i.e. not ADSL), where you share the connection with your neighbours and where it is therefore easy to see all passwords.

Christophe

> > I like rants :-)
>
> Heh.
>
> [1] http://www.stunnel.org/
> [2] IPSec buys you authentication and rekeying, with stunnel you
> must trust the remote end of the socket to stay trustworthy, which
> isn't necessarily a safe thing to do.
>
> --
> gabriel rosenkoetter
> gr@eclipsed.net

--
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E
Cats are intended to teach us that not everything in nature has a function.
--Garrison Keillor
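The SSH port forward for POP3 that Christophe's reply describes, as an added example that is not part of the original thread. The shell account (SHELL_HOST), the POP server as seen from that shell machine (POP_HOST) and the local port are placeholder assumptions; the ssh flags and mutt's preconnect variable are real.

```shell
#!/bin/sh
# Added example, not code from the thread. Opens an SSH forward so a POP3
# client talks to the ISP's POP server through the tunnel; the POP3 password
# then crosses the shared cable segment only inside the encrypted session.
# Placeholder values (assumptions): adjust to your own shell account.
SHELL_HOST="${SHELL_HOST:-user@shell.example.net}"
POP_HOST="${POP_HOST:-localhost}"   # POP server as seen from the shell host
LOCAL_PORT="${LOCAL_PORT:-11110}"   # unprivileged local port the client uses

# Build the ssh command line. -L forwards LOCAL_PORT on this machine to port
# 110 on POP_HOST, via the shell host; OpenSSH binds the forward to loopback
# only by default, so others on the LAN cannot ride the tunnel.
# -N runs no remote command and keeps the session open: without it ssh exits
# when the remote shell ends and the forward dies (the pitfall the post notes).
# -f backgrounds ssh after authentication, so a mail client running this as a
# pre-connect command gets control back and can then connect.
tunnel_cmd() {
    printf 'ssh -f -N -L %s:%s:110 %s' "$1" "$2" "$3"
}

# True if something already listens on the local port, so repeated mail
# polls do not stack up one ssh process per poll.
port_listening() {
    netstat -an 2>/dev/null | grep LISTEN | grep -q "[.:]$1[[:space:]]"
}

# Bring the forward up only if it is not already there.
ensure_tunnel() {
    if port_listening "$LOCAL_PORT"; then
        echo "forward already up on localhost:$LOCAL_PORT" >&2
    else
        eval "$(tunnel_cmd "$LOCAL_PORT" "$POP_HOST" "$SHELL_HOST")"
    fi
}

# mutt runs $preconnect before opening the mail connection; point mutt's POP
# settings at localhost:LOCAL_PORT and let it (re)open the tunnel on demand.
mutt_preconnect() {
    printf 'set preconnect="%s"\n' "$(tunnel_cmd "$1" "$2" "$3")"
}

# Usage from a wrapper script:  . ./poptunnel.sh && ensure_tunnel
# Usage in ~/.muttrc:           mutt_preconnect 11110 localhost user@host
```

The functions are deliberately not invoked at top level so the file can be sourced; call ensure_tunnel from a fetch script, or paste the line mutt_preconnect prints into your muttrc.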