SSH Case Studies: Pine and IMAP - Pine and preauthenticated IMAP
There are two broad types of Unix-based IMAP servers, exemplified by the University of Washington (UW) imapd and the Carnegie Mellon Cyrus software. Cyrus is a self-contained system: it keeps user mail in an internal database, and the only access to it is via the IMAP protocol or particular programs for mail delivery and administration. In particular, there is no relationship between Unix accounts on the server host and IMAP accounts; they are completely separate.
The UW imapd, on the other hand, is a lighter-weight affair: it simply provides an IMAP view of the traditional Unix mail store, that is, files in /var/spool/mail or elsewhere, owned by the Unix accounts of the mail recipients. Thus its notion of user account and access control is tied to that of the host. If your mail is stored in a spool file owned by you, and you can log into the host via SSH, then you have already proven you have access to that file; why should you have to prove it again to the IMAP server? In fact, with the UW server, you don't have to. We now discuss how to do this with UW imapd, or another IMAP server with similar behavior.
The IMAP protocol defines two modes in which an IMAP server can start: normal and preauthenticated (see Figure 11-10). Normally, imapd runs with special privileges so that it can access any user's mailbox (as when it is started as root by inetd), and hence it requires the client to authenticate.
Figure 11-10. Pine/IMAP over SSH, preauthenticated
Here's a sample session that invokes an IMAP server, imapd, through inetd so that it runs as root:

server% telnet localhost imap
* OK localhost IMAP4rev1 v12.261 server ready
0 login res password
1 select inbox
* 3 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 964209649] UID validity status
* OK [UIDNEXT 4] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
* OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent flags
1 OK [READ-WRITE] SELECT completed
2 logout
* BYE imap.example.com IMAP4rev1 server terminating connection
2 OK LOGOUT completed
Alternatively, in preauthenticated mode, the IMAP server assumes that authentication has already been done by the program that started the server, and that it already has the necessary rights to access the user's mailbox. If you invoke imapd on the command line under a nonroot uid, imapd skips the authentication phase and simply opens the mailbox file of the current account (which must be accessible under the existing Unix permissions). You can then type IMAP commands and access your mailbox without authenticating:

server% /usr/local/sbin/imapd
* PREAUTH imap.example.com IMAP4rev1 v12.261 server ready
0 select inbox
* 3 EXISTS
* 0 RECENT
* OK [UIDVALIDITY 964209649] UID validity status
* OK [UIDNEXT 4] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
* OK [PERMANENTFLAGS (\* \Answered \Flagged \Deleted \Draft \Seen)] Permanent flags
0 OK [READ-WRITE] SELECT completed
1 logout
* BYE imap.example.com IMAP4rev1 server terminating connection
1 OK LOGOUT completed
Notice the PREAUTH response at the beginning of the session, indicating preauthenticated mode. It is followed by the command select inbox, which causes the IMAP server to open the inbox of the current user without demanding authentication.
Now, how does all this relate to Pine? Pine has a built-in feature whereby, instead of using a direct IMAP connection, it logs into the IMAP host using ssh and runs a preauthenticated instance of imapd directly. If this succeeds, Pine then converses with the IMAP server over the SSH connection, and has automatic access to the remote inbox without further authentication.
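The following client sketch shows the decision Pine has to make in the scenario just described. It is an added example, not code from the book or from Pine: it reads the server greeting, sends LOGIN only when the greeting is a plain "* OK", and goes straight to SELECT when the greeting is "* PREAUTH". The spawn_preauth_imapd function does what Pine does, starting imapd on the remote host through ssh under the user's own uid; the imapd path is the one used in the sessions above and is an assumption. The two transcripts at the bottom are constructed from those sessions (the "LOGIN completed" reply is assumed, as the page does not show it) so that run_recorded can drive the client offline. One caveat worth keeping in mind: a PREAUTH greeting is only meaningful because the client itself started imapd over an authenticated SSH login; a "PREAUTH" banner from an arbitrary TCP peer proves nothing about who is on the other end.

```python
# Added example (not from the book or from Pine): a minimal IMAP client that
# distinguishes a normal "* OK" greeting from a "* PREAUTH" greeting and only
# sends LOGIN in the former case. spawn_preauth_imapd() does what Pine does:
# it starts imapd on the remote host, under the user's own uid, through ssh.
import io
import re
import subprocess
from typing import IO, List, Optional, Tuple

GREETING_RE = re.compile(r"^\* (OK|PREAUTH|BYE)\b")
EXISTS_RE = re.compile(r"^\* (\d+) EXISTS\b")


def quote_astring(value: str) -> str:
    """Quote a LOGIN argument as an IMAP quoted string (RFC 3501 syntax)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


class ImapSession:
    """Tagged-command IMAP client over a pair of text streams (ssh pipe or socket)."""

    def __init__(self, rfile: IO[str], wfile: IO[str]) -> None:
        self.rfile, self.wfile, self.counter = rfile, wfile, 0

    def _readline(self) -> str:
        line = self.rfile.readline()
        if not line:
            raise EOFError("IMAP server closed the connection")
        return line.rstrip("\r\n")

    def greeting(self) -> str:
        """Return the greeting status: OK (LOGIN needed), PREAUTH, or BYE."""
        line = self._readline()
        m = GREETING_RE.match(line)
        if m is None:
            raise ValueError(f"not an IMAP greeting: {line!r}")
        return m.group(1)

    def command(self, name: str, *args: str) -> Tuple[str, List[str], str]:
        """Send one tagged command; collect untagged lines until the tagged reply."""
        tag = f"a{self.counter:03d}"
        self.counter += 1
        self.wfile.write(" ".join((tag, name) + args) + "\r\n")
        self.wfile.flush()
        untagged: List[str] = []
        while True:
            line = self._readline()
            if line.startswith(tag + " "):
                return line.split(" ", 2)[1], untagged, line
            untagged.append(line)


def inbox_message_count(session: ImapSession, user: Optional[str] = None,
                        password: Optional[str] = None) -> int:
    """SELECT INBOX, skipping LOGIN when the server greeted us with PREAUTH."""
    status = session.greeting()
    if status == "BYE":
        raise ConnectionError("server rejected the connection")
    if status == "OK":  # normal mode: the server insists on authenticating us
        if user is None or password is None:
            raise PermissionError("server is not preauthenticated; LOGIN required")
        st, _, tagged = session.command("LOGIN", quote_astring(user), quote_astring(password))
        if st != "OK":
            raise PermissionError(f"LOGIN failed: {tagged}")
    st, untagged, tagged = session.command("SELECT", "INBOX")
    if st != "OK":
        raise RuntimeError(f"SELECT failed: {tagged}")
    count = -1
    for line in untagged:  # the untagged "* N EXISTS" reply carries the message count
        m = EXISTS_RE.match(line)
        if m:
            count = int(m.group(1))
    session.command("LOGOUT")
    return count


def spawn_preauth_imapd(host: str, user: str, imapd: str = "/usr/local/sbin/imapd"):
    """Start imapd over ssh under the user's own uid, as Pine does (imapd path assumed)."""
    proc = subprocess.Popen(["ssh", "-l", user, host, "exec", imapd],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    return ImapSession(proc.stdout, proc.stdin), proc


def run_recorded(transcript: str, user=None, password=None) -> Tuple[int, List[str]]:
    """Drive the client against a canned server transcript; return (count, commands sent)."""
    wfile = io.StringIO()
    count = inbox_message_count(ImapSession(io.StringIO(transcript), wfile), user, password)
    return count, [c for c in wfile.getvalue().split("\r\n") if c]


# Constructed transcripts modelled on the two sessions shown in the text.
SELECT_REPLIES = [
    "* 3 EXISTS", "* 0 RECENT",
    "* OK [UIDVALIDITY 964209649] UID validity status",
    "* OK [UIDNEXT 4] Predicted next UID",
    "* FLAGS (\\Answered \\Flagged \\Deleted \\Draft \\Seen)",
]
PREAUTH_TRANSCRIPT = "\r\n".join([
    "* PREAUTH imap.example.com IMAP4rev1 v12.261 server ready", *SELECT_REPLIES,
    "a000 OK [READ-WRITE] SELECT completed",
    "* BYE imap.example.com IMAP4rev1 server terminating connection",
    "a001 OK LOGOUT completed", ""])
LOGIN_TRANSCRIPT = "\r\n".join([
    "* OK localhost IMAP4rev1 v12.261 server ready",
    "a000 OK LOGIN completed", *SELECT_REPLIES,  # LOGIN reply is assumed, not from the page
    "a001 OK [READ-WRITE] SELECT completed",
    "* BYE imap.example.com IMAP4rev1 server terminating connection",
    "a002 OK LOGOUT completed", ""])

if __name__ == "__main__":
    print(run_recorded(PREAUTH_TRANSCRIPT))  # (3, ['a000 SELECT INBOX', 'a001 LOGOUT'])
    print(run_recorded(LOGIN_TRANSCRIPT, "res", "password"))
```

Against the PREAUTH transcript the client sends only SELECT and LOGOUT; against the normal-mode transcript it sends LOGIN first, and with no credentials it refuses rather than guessing. To talk to a real host, replace the StringIO pair with the streams returned by spawn_preauth_imapd.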