[gentoo-user] Accessing mailserver with ssh

[gentoo-user] Accessing mailserver with ssh

[Mick]

I do not have telnet installed on my PC, so in troubleshooting a
connection to a mailserver I thought of using ssh.  However, I do not
seem to be able to get a response from the server regarding user login
and password:

==================================================
$ ssh -vv pop.virgin.net -p 110
OpenSSH_4.3p2, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to pop.virgin.net [80.5.182.193] port 110.
debug1: Connection established.
debug1: identity file /home/michael/.ssh/identity type -1
debug1: identity file /home/michael/.ssh/id_rsa type -1
debug1: identity file /home/michael/.ssh/id_dsa type -1
debug1: ssh_exchange_identification: +OK POP3 PROXY server ready
(7.2.073) <8276X22D2588DO16257AD8EXXXXXXXXXXXXX@n074.sc1.cp.net>

==================================================
Then it sits there and does not respond to me typing "user", "pass",
or anything else.  I've tried adding my username before the host
address, but it made no difference.  pop.virgin.net will not respond
to any pop commands (list, stat, etc).  Am I doing this right, or is
it that an ssh client cannot be used instead of telnet to connect to a
mailserver?
-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Alexander Skwar]

Mick wrote:
>  Am I doing this right, or is

No, because:

> it that an ssh client cannot be used instead of telnet to connect to a
> mailserver?

Exactly. I'd suggest to install telnet or nc/netcat.

Alexander Skwar
-- 
It was pity stayed his hand.
"Pity I don't have any more bullets," thought Frito.
-- _Bored_of_the_Rings_, a Harvard Lampoon parody of Tolkein
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Raymond Lewis Rebbeck]

On Sunday, 18 June 2006 3:11, Mick wrote:
> I do not have telnet installed on my PC, so in troubleshooting a
> connection to a mailserver I thought of using ssh.  However, I do not
> seem to be able to get a response from the server regarding user login
> and password:
>
> ==================================================
> $ ssh -vv pop.virgin.net -p 110
> OpenSSH_4.3p2, OpenSSL 0.9.7i 14 Oct 2005
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to pop.virgin.net [80.5.182.193] port 110.
> debug1: Connection established.
> debug1: identity file /home/michael/.ssh/identity type -1
> debug1: identity file /home/michael/.ssh/id_rsa type -1
> debug1: identity file /home/michael/.ssh/id_dsa type -1
> debug1: ssh_exchange_identification: +OK POP3 PROXY server ready
> (7.2.073) <8276X22D2588DO16257AD8EXXXXXXXXXXXXX@n074.sc1.cp.net>
>
> ==================================================
> Then it sits there and does not respond to me typing "user", "pass",
> or anything else.  I've tried adding my username before the host
> address, but it made no difference.  pop.virgin.net will not respond
> to any pop commands (list, stat, etc).  Am I doing this right, or is
> it that an ssh client cannot be used instead of telnet to connect to a
> mailserver?
> --
> Regards,
> Mick

You cannot use an ssh client in this manner.

If you want a telnet client, emerge either netkit-telnetd or telnet-bsd.

-- 
Raymond Lewis Rebbeck
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Mick]

On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:

> You cannot use an ssh client in this manner.
>
> If you want a telnet client, emerge either netkit-telnetd or telnet-bsd.

Thanks for all the replies.  I had not emerged telnet so far because
of potential security reasons.  Is netcat better in that respect?
-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Ow Mun Heng]

On Sat, 2006-06-17 at 20:05 +0000, Mick wrote:
> On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:
> 
> > You cannot use an ssh client in this manner.
> >
> > If you want a telnet client, emerge either netkit-telnetd or telnet-bsd.
> 
> Thanks for all the replies.  I had not emerged telnet so far because
> of potential security reasons.  Is netcat better in that respect?

What makes you think that's it's better than telnet? esp when you see
this during it's emerge

[ebuild   R   ] net-analyzer/netcat-110-r8  USE="crypt
-GAPING_SECURITY_HOLE -ipv6 -static" 0 kB 

ps : Didn't follow the thread, so don't know what you want to achieve/do

> -- 
> Regards,
> Mick
-- 
Ow Mun Heng <Ow.Mun.Heng@wdc.com>

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Raymond Lewis Rebbeck]

On Sunday, 18 June 2006 5:35, Mick wrote:
> On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:
> > You cannot use an ssh client in this manner.
> >
> > If you want a telnet client, emerge either netkit-telnetd or telnet-bsd.
>
> Thanks for all the replies.  I had not emerged telnet so far because
> of potential security reasons.  Is netcat better in that respect?

I believe any potential security problems would only concern you if you were 
running a telnet daemon not just using a client.

-- 
Raymond Lewis Rebbeck
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Mick]

On 17/06/06, Ow Mun Heng <Ow.Mun.Heng@wdc.com> wrote:

> What makes you think that's it's better than telnet? esp when you see
> this during it's emerge
>
> [ebuild   R   ] net-analyzer/netcat-110-r8  USE="crypt
> -GAPING_SECURITY_HOLE -ipv6 -static" 0 kB

Oops!!  You meant its not just a USE flag?  :-))

> ps : Didn't follow the thread, so don't know what you want to achieve/do

Run a <telnet-equivalent> client on my PC to test connection to pop mailserver.
-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Mick]

On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:

> I believe any potential security problems would only concern you if you were
> running a telnet daemon not just using a client.

All telnet apps mentioned in the thread have glsa's about them re:
buffer overflows.  On the other hand I won't be running them for any
great length of time, so it may be OK.
-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Jarry]

On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:

> You cannot use an ssh client in this manner.

But what if mail-server uses secure connection (SSL) and secure
authentication? Could I use ssh-client in such a case? Telnet
would not help...

Jarry

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Hans-Werner Hilse]

Hi,

On Sat, 17 Jun 2006 23:09:57 +0200
Jarry <jarry@gmx.net> wrote:

> On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:
> 
> > You cannot use an ssh client in this manner.
> 
> But what if mail-server uses secure connection (SSL) and secure
> authentication? Could I use ssh-client in such a case? Telnet
> would not help...

The OpenSSL executable has this facility built-in. See "man
openssl-s_client" (it has a basic server, too).

-hwh
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Alexander Skwar]

Mick wrote:
> On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:
> 
>> You cannot use an ssh client in this manner.
>>
>> If you want a telnet client, emerge either netkit-telnetd or telnet-bsd.
> 
> Thanks for all the replies.  I had not emerged telnet so far because
> of potential security reasons.  Is netcat better in that respect?

I actually know of no security problems with telnet. To which
are you referring (note: telnet, not telnetd)?

Alexander Skwar
-- 
Fry: What's with the eye?
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Alexander Skwar]

Ow Mun Heng wrote:

> What makes you think that's it's better than telnet? esp when you see
> this during it's emerge
> 
> [ebuild   R   ] net-analyzer/netcat-110-r8  USE="crypt
> -GAPING_SECURITY_HOLE -ipv6 -static" 0 kB 

What are you talking about? You checked what the USE flags
stand for?

Alexander Skwar
-- 
Fry: What's with the eye?
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Raymond Lewis Rebbeck]

On Sunday, 18 June 2006 6:39, Jarry wrote:
> On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:
> > You cannot use an ssh client in this manner.
>
> But what if mail-server uses secure connection (SSL) and secure
> authentication? Could I use ssh-client in such a case? Telnet
> would not help...
>
> Jarry

Well SSH, uses a specific login procedure and cipher set so I very much doubt 
that it can be used effectively for anything apart from SSH.

If you really wanted to use telnet to communicate with servers over SSL then 
it should be possible to hack together a telnet client that encrypts and 
decrypts behind the scenes but otherwise acts like any other telnet client. 
If such a thing doesn't already exist.

-- 
Raymond Lewis Rebbeck
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Alexander Skwar]

Jarry wrote:
> On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:
> 
>> You cannot use an ssh client in this manner.
> 
> But what if mail-server uses secure connection (SSL) and secure
> authentication? Could I use ssh-client in such a case?

No. SSL doesn't have much to do with SSH.

Alexander Skwar
-- 
A likely impossibility is always preferable to an unconvincing possibility.
		-- Aristotle
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Alexander Skwar]

Mick wrote:
> On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:
> 
>> I believe any potential security problems would only concern you if you were
>> running a telnet daemon not just using a client.
> 
> All telnet apps mentioned in the thread have glsa's about them re:
> buffer overflows.

They do?

http://www.gentoo.org/security/en/glsa/

I can't find any *current* GLSAs regarding netcat and telnet.

telnet-bsd: http://security.gentoo.org/glsa/glsa-200504-01.xml 2005 - rather
old. Current Versions in portage are not affected.

netkit-telnet: http://security.gentoo.org/glsa/glsa-200503-36.xml 2005, again.
Fixed in currently available versions.
http://security.gentoo.org/glsa/glsa-200410-03.xml 2004. no comment.

And that's it.

So, I disagree and stand to what I just wrote. I know of no security
problems.

>  On the other hand I won't be running them for any
> great length of time, so it may be OK.

Actually, that's IMO a wrong attitude. Also a short exposure makes you
vulnerable. If the software would be vulnerable, also a short "attack"
might be sufficient to break into your system.

BUT: As there are no GLSAs, I'd say that there are no currently known
security problems.

Alexander Skwar
-- 
<Knghtbrd> glDisable (GL_BUGS);
<Endy> heh
<Endy> Is that in 1.2? :)
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Mick]

On 17/06/06, Hans-Werner Hilse <hilse@web.de> wrote:
> Hi,
>
> On Sat, 17 Jun 2006 23:09:57 +0200
> Jarry <jarry@gmx.net> wrote:
>
> > On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:
> >
> > > You cannot use an ssh client in this manner.
> >
> > But what if mail-server uses secure connection (SSL) and secure
> > authentication? Could I use ssh-client in such a case? Telnet
> > would not help...
>
> The OpenSSL executable has this facility built-in. See "man
> openssl-s_client" (it has a basic server, too).

Hmm . . .
=====================================
$ openssl s_client -host pop.gmai.com -port 110      CONNECTED(00000003)
16228:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:601:
=====================================

I guess it may only be good for checking the verification/exchange of SSL certs?
-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Mick]

On 17/06/06, Alexander Skwar <listen@alexander.skwar.name> wrote:

> BUT: As there are no GLSAs, I'd say that there are no currently known
> security problems.

Thanks!

Out of the the apps mentioned in this thread, which one would you
recommend and why (what I'm really trying to find out is how do they
compare)?
-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Hans-Werner Hilse]

Hi,

On Sun, 18 Jun 2006 09:20:53 +0000 Mick <michaelkintzios@gmail.com> wrote:

> On 17/06/06, Hans-Werner Hilse <hilse@web.de> wrote:
> > On Sat, 17 Jun 2006 23:09:57 +0200 Jarry <jarry@gmx.net> wrote:
> > > But what if mail-server uses secure connection (SSL) and secure
> > > authentication? Could I use ssh-client in such a case? Telnet
> > > would not help...
> >
> > The OpenSSL executable has this facility built-in. See "man
> > openssl-s_client" (it has a basic server, too).
> 
> Hmm . . .
> =====================================
> $ openssl s_client -host pop.gmai.com -port 110      CONNECTED(00000003)
> 16228:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:601:
> =====================================
> 
> I guess it may only be good for checking the verification/exchange of SSL certs?

Nope. It acts like a telnet client after establishing an SSL connection:
---snip
hw@sub00421 ~ $ openssl s_client -connect pop.gmail.com:pop3s
CONNECTED(00000003)
[lots of info snipped]
+OK Gpop ready for requests from 123.45.67.89 n23pf2387435nfc
---snip

For your test case: POP3 is usually on port 110, POP3S is usually on
port 995. If the SSL connection isn't set up on connection level at
start, but on an application configured stage afterwards, however,
s_client wouldn't work. An example would be STARTTLS on IMAP (not
IMAPS) and SMTP.

-hwh
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Mick]

On 18/06/06, Hans-Werner Hilse <hilse@web.de> wrote:

> Nope. It acts like a telnet client after establishing an SSL connection:
> ---snip
> hw@sub00421 ~ $ openssl s_client -connect pop.gmail.com:pop3s
> CONNECTED(00000003)
> [lots of info snipped]
> +OK Gpop ready for requests from 123.45.67.89 n23pf2387435nfc
> ---snip
>
> For your test case: POP3 is usually on port 110, POP3S is usually on
> port 995. If the SSL connection isn't set up on connection level at
> start, but on an application configured stage afterwards, however,
> s_client wouldn't work. An example would be STARTTLS on IMAP (not
> IMAPS) and SMTP.

Excellent!  It works :-)

Well, gmail is giving me trouble with USER & PASS, but I have managed
to connect to other maileservers on port 995 successfully.

Just to confirm:  Are the username and password using this client
transmitted with SSL/TLS encryption?
-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Alexander Skwar]

Mick wrote:
> On 17/06/06, Alexander Skwar <listen@alexander.skwar.name> wrote:
> 
>> BUT: As there are no GLSAs, I'd say that there are no currently known
>> security problems.
> 
> Thanks!
> 
> Out of the the apps mentioned in this thread, which one would you
> recommend

Netcat or gnu-netcat (not much of a difference, as far as I know).

With netcat, you can either do SMTP manually (like you intended) or
you can use netcat in the way it might have been originally intended;
ie. as a "cat to net".

To do the former, you'd execute:

	nc host smtp

To do the latter, you'd do:

echo "HELO localhost
QUIT" | nc host smtp

The latter isn't (easily) possible with telnet ("easy" excludes
the use of "expect").

Alexander Skwar
-- 
You get along very well with everyone except animals and people.
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Mick]

On 18/06/06, Alexander Skwar <listen@alexander.skwar.name> wrote:

> Netcat or gnu-netcat (not much of a difference, as far as I know).
>
> With netcat, you can either do SMTP manually (like you intended) or
> you can use netcat in the way it might have been originally intended;
> ie. as a "cat to net".
>
> To do the former, you'd execute:
>
>         nc host smtp
>
> To do the latter, you'd do:
>
> echo "HELO localhost
> QUIT" | nc host smtp
>
> The latter isn't (easily) possible with telnet ("easy" excludes
> the use of "expect").

Cool!  Thanks for all your replies.

I'm off now emerging netcat, but I noticed that there's also cryptcat
which I assume is only useful if the remote server has twofish
encryption enabled?
-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Alexander Skwar]

Mick wrote:

> I'm off now emerging netcat, but I noticed that there's also cryptcat
> which I assume is only useful if the remote server has twofish
> encryption enabled?

I suppose so. cryptcat makes then sense, when you use it as a
server. With *netcat*, you can use it as a server:

	nc -l -p $port

This way, you can pipe any content to the net:

	ls -la | nc -l -p 4711

You can then use netcat on a different system ("client system")
to connect to this port and pipe the output to somewhere else:

	nc $host $port

like so:

	nc $host 4711 > /tmp/ls.txt

Now you might want to encrypt the content. And that's where
cryptcat might be handy.

Alexander Skwar
-- 
I bought some used paint. It was in the shape of a house.
		-- Steven Wright
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Mick]

On 19/06/06, Alexander Skwar <listen@alexander.skwar.name> wrote:

> Now you might want to encrypt the content. And that's where
> cryptcat might be handy.

Thank you very much Alexander!  I don't know how I have managed
without  netcat all this time  . . .  it can do almost everything but
take the dog out for a walk! :-))

However, is this something to do with my firewall, or my sysctl setup?
============================
$ nc -l 192.168.0.1 -p 80
Can't grab 0.0.0.0:80 with bind : Permission denied
============================
I was trying to listen to my router while I connected to it using a browser gui.
-- 
Regards,
Mick
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[David Klempner]

[-- Attachment #1: Type: text/plain, Size: 341 bytes --]

* Mick <michaelkintzios@gmail.com> [2006-06-19 17:47]:
>
> However, is this something to do with my firewall, or my sysctl setup?
> ============================
> $ nc -l 192.168.0.1 -p 80
> Can't grab 0.0.0.0:80 with bind : Permission denied
> ============================

That would be because you need root to bind to a port below 1000.

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-user] Accessing mailserver with ssh

[Ryan Tandy]

Mick wrote:
> I don't know how I have managed
> without  netcat all this time  . . .  it can do almost everything but
> take the dog out for a walk! :-))

Didn't you read the man page?

 > -W[dksa]
 > --walk=(dog,kid,spouse,away)

$ sudo nc -Wd

:P
-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Nick Rout]

On Sat, 17 Jun 2006 23:45:43 +0200
Alexander Skwar wrote:

> Mick wrote:
> > On 17/06/06, Raymond Lewis Rebbeck <dystopianray@gmail.com> wrote:
> > 
> >> You cannot use an ssh client in this manner.
> >>
> >> If you want a telnet client, emerge either netkit-telnetd or telnet-bsd.
> > 
> > Thanks for all the replies.  I had not emerged telnet so far because
> > of potential security reasons.  Is netcat better in that respect?
> 
> I actually know of no security problems with telnet. To which
> are you referring (note: telnet, not telnetd)?
> 
> Alexander Skwar

I think this thread needs clarification (not specifically you
Aleaxander)

The problem with the telnet is mainly plain text passwords - your login
to a telnet server is plain text and easily snooped. 

But using telnet to connect to a smtp server or web server for testing
purposes poses no threats. If you have to pass plain text credentials
via telnet (eg to log in to a pop or imap server) then the risk is
exactly the same as when your email client passes a plain text password
to the imap or pop server. In both cases it can be snooped. 

If the service you want to log into is protected with an ssl wrapper
then tuse the openssl program to log in. For example to connect to my
imap server (from the same machine)

openssl s_client -host localhost -port 993

openssl responds with a whole lot of info about the certificate and so
on then you can type away just like a telnet session (but encrypted)

eg:

nick@www ~ $ openssl s_client -host localhost -port 993

(openssl spews out a whole lot of stuff about the certificate)

Then the imap server's opening greeting:

* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc.  See COPYING for distribution information.

Then I type (responses are marked >> for clarity:

1 login nick xxxxxxxx
>>1 OK LOGIN Ok.
2 logout
>>* BYE Courier-IMAP server shutting down
>>2 OK LOGOUT completed


This is exactly the exchange I get if I telnet to the non ssl port 143,
except telnet to port 143:

1. doesn't do a key exchange etc

2. is plain text and snoopable.


> -- 
> gentoo-user@gentoo.org mailing list

-- 
Nick Rout <nick@rout.co.nz>

-- 
gentoo-user@gentoo.org mailing list

Re: [gentoo-user] Accessing mailserver with ssh

[Alexander Skwar]

Mick wrote:

> However, is this something to do with my firewall, or my sysctl setup?

Neither.

> ============================
> $ nc -l 192.168.0.1 -p 80
> Can't grab 0.0.0.0:80 with bind : Permission denied

You're not root and thus a process of yours cannot open ports <=1024.

Alexander Skwar
-- 
It's NO USE ... I've gone to "CLUB MED"!!
-- 
gentoo-user@gentoo.org mailing list