[Linux-ivv4] fetchmail & SSL, pam_preprofile
Heinz-Hermann Adam
adamh@nwz.uni-muenster.de
Fri, 26 Nov 2004 14:09:28 +0100
FYI
HHA
Begin forwarded message:
> From: David Vernazobres <dv@uni-muenster.de>
> Date: 12 November 2004 17:04:33 CET
> To: Heinz-Hermann Adam <adamh@uni-muenster.de>
> Cc: "Dr. January Weiner" <january@uni-muenster.de>
> Subject: Contribution
> Reply-To: David Vernazobres <dv@uni-muenster.de>
>
> Hello,
>
> We want to contribute to the ivv4 linux development and distribution
> (or a wiki linux uni or ivv4).
> For this purpose, I wrote two small docs, from information I collected that
> I didn't find on the uni-muenster web site.
> The first one is on fetchmail+SSL using pop.uni-muenster.de, the second
> one is on a pam module (pam_preprofile) that we used to start actions
> during the login, like creating a symlink from /home/user to
> /global/home/user. I hope that it can be helpful for someone.
>
> best regards,
> david.
>
> --
> David VERNAZOBRES, PhD student | dv@uni-muenster.de
> Division of Bioinformatics, University of Muenster | Schlossplatz 4
> (+49)(251)8321635 | D48149 Muenster
> http://www.uni-muenster.de/Biologie.Botanik/ebb/ | Germany
Attachment: fetchmail.tex
#AG EBB
#dv Rev_0.1_2004-11-04
#
# Changelog:
# Date : Ver : User : Comment
# 2004-11-04 : v 0.1 : dv : First version
#
I. fetchmail & SSL
Goal: don't send your password in clear text over the network...
This change means fetchmail and the corresponding POP3 or IMAP4-server
don't talk cleartext but encrypted, thus not using port 110 or 143 but
995 or 993.
What you need :
University certificate page : https://www.uni-muenster.de/WWUCA/
fetchmail : http://catb.org/~esr/fetchmail/
OpenSSL : http://www.openssl.org/
+
A WORKING INSTALLATION OF FETCHMAIL. (If not, start by configuring it without
certificates and then come back here.)
I assume that your fetchmail configuration file is stored at
~/.fetchmailrc with the right permissions, 600 (chmod 600 ~/.fetchmailrc).
To do this, just make the following modifications:
Some lines need to be added to ~/.fetchmailrc.
The most important thing is to add the line *ssl* to enable fetchmail's
SSL capabilities. My ~/.fetchmailrc now looked like this:
poll pop.uni-muenster.de with
proto POP3
user "dv"
is USER
with password "XXXXXXXXXXXX"
ssl
sslfingerprint "EB:2E:25:75:AC:81:AB:25:70:26:E7:F7:98:54:49:D6"
The sslfingerprint is taken from the server.
You can get it by running 'fetchmail -v' (without the sslfingerprint line in
the configuration file ~/.fetchmailrc :))
OR better, go to the web page :
https://www.uni-muenster.de/WWUCA/keydata.txt
where you can find all the certificates of the university.
(NOTE : but the page doesn't seem to be up-to-date... to check)
fetchmail: 6.2.5 querying pop.uni-muenster.de (protocol POP3) at Thu Nov 4 22:09:02 2004: poll started
fetchmail: Issuer Organization: Universitaet Muenster
fetchmail: Issuer CommonName: Zertifizierungsstelle 2004-2005
fetchmail: Server CommonName: pop.uni-muenster.de
fetchmail: pop.uni-muenster.de key fingerprint: EB:2E:25:75:AC:81:AB:25:70:26:E7:F7:98:54:49:D6
fetchmail: Warning: server certificate verification: unable to get local issuer certificate
fetchmail: Issuer Organization: Universitaet Muenster
fetchmail: Issuer CommonName: Zertifizierungsstelle 2004-2005
fetchmail: Server CommonName: pop.uni-muenster.de
fetchmail: Warning: server certificate verification: certificate not trusted
fetchmail: Issuer Organization: Universitaet Muenster
fetchmail: Issuer CommonName: Zertifizierungsstelle 2004-2005
fetchmail: Server CommonName: pop.uni-muenster.de
fetchmail: Warning: server certificate verification: unable to verify the first certificate
...
If you want to check and get the certificate, do the following :
openssl s_client -connect pop.uni-muenster.de:995 -showcerts
(that's for POP3; for IMAP do :
openssl s_client -connect imap.somewhere.org:993 -showcerts )
openssl s_client -connect pop.uni-muenster.de:995 -showcerts
CONNECTED(00000003)
depth=0 /C=DE/O=Universitaet Muenster/OU=Zentrum fuer Informationsverarbeitung/CN=pop.uni-muenster.de/emailAddress=wwwadmin@uni-muenster.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DE/O=Universitaet Muenster/OU=Zentrum fuer Informationsverarbeitung/CN=pop.uni-muenster.de/emailAddress=wwwadmin@uni-muenster.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=DE/O=Universitaet Muenster/OU=Zentrum fuer Informationsverarbeitung/CN=pop.uni-muenster.de/emailAddress=wwwadmin@uni-muenster.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=DE/O=Universitaet Muenster/OU=Zentrum fuer Informationsverarbeitung/CN=pop.uni-muenster.de/emailAddress=wwwadmin@uni-muenster.de
i:/C=DE/O=Universitaet Muenster/CN=Zertifizierungsstelle 2004-2005/emailAddress=ca@uni-muenster.de
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/O=Universitaet Muenster/OU=Zentrum fuer Informationsverarbeitung/CN=pop.uni-muenster.de/emailAddress=wwwadmin@uni-muenster.de
issuer=/C=DE/O=Universitaet Muenster/CN=Zertifizierungsstelle 2004-2005/emailAddress=ca@uni-muenster.de
---
No client certificate CA names sent
---
SSL handshake has read 1645 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 8E803B19DB5054C02BC298537EB61597309CDD0AF44E31CAEED92F94CCBAD4B5
Session-ID-ctx:
Master-Key: F0C58034073C70DE5738075EEEB5A40B858E1DBEC9F9E7A40F726BF0375DE4A33B0FEEE630D980B26F4BBA6F1480CBE5
Key-Arg : None
Start Time: 1099579086
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK POP3 UX01.UNI-MUENSTER.DE v2003.83 server ready
The result of this command gives a lot of data including the X.509 cert
in PEM format. What we are interested in is the part beginning and
ending with the following lines:
-----BEGIN CERTIFICATE-----
MII[...]
-----END CERTIFICATE-----
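The *sslfingerprint* pinned in ~/.fetchmailrc can be checked against the certificate saved from that s_client output. The script below is an added example and not part of the original document: fetch_server_cert, cert_md5_fingerprint and check_pin are assumed function names, and openssl(1) is assumed to be installed. fetchmail's sslfingerprint is the MD5 digest of the DER-encoded server certificate (16 bytes, which matches the length of the value above). A fingerprint read off the very connection you are trying to verify only proves that the server has not changed since you first saw it, so the value published on the WWUCA page is the one to compare against.

```shell
#!/bin/sh
# Added example: pin-check a server certificate against the sslfingerprint
# value used in ~/.fetchmailrc. Function names are assumed; requires openssl(1).

# Save the server's leaf certificate as PEM.
# $1 = host, $2 = port, $3 = output file. This is the only function that
# needs network access; the others work on the saved file.
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Print the MD5 fingerprint of a PEM certificate in fetchmail's
# colon-separated, upper-case format (strips the "MD5 Fingerprint=" prefix).
cert_md5_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^.*=//'
}

# Compare a PEM certificate with a pinned fingerprint.
# $1 = PEM file, $2 = pinned value. Returns 0 on match, 1 on mismatch.
check_pin() {
    actual=$(cert_md5_fingerprint "$1")
    # Normalise case so a lower-case pin still compares equal.
    pin=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    if [ "$actual" = "$pin" ]; then
        echo "fingerprint match: $actual"
        return 0
    fi
    echo "FINGERPRINT MISMATCH: pinned $pin, got $actual" >&2
    return 1
}

# Usage with the host and fingerprint from the document:
# fetch_server_cert pop.uni-muenster.de 995 server.pem
# check_pin server.pem "EB:2E:25:75:AC:81:AB:25:70:26:E7:F7:98:54:49:D6"
```

check_pin deliberately exits non-zero on a mismatch so it can gate a cron job or a wrapper script the same way fetchmail itself refuses the connection when the pinned fingerprint does not match.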
But this is not everything we need: the certificate of the CA
(certificate authority, an institution issuing certificates) that issued
this cert is also needed so the cert can be verified.
The certificates of the University of Muenster are available on the following
web pages:
https://www.uni-muenster.de/WWUCA/
https://www.uni-muenster.de/WWUCA/zertifikate.html
Download the two CA certificates:
- dfnpca-2002.crlf.pem
- wwuca-2004.crlf.pem
(As I understand it, the university is its own certificate provider, as it
is authorised to issue certificates.)
(NOTE :
If you get a certificate in DER format you have to convert it into
PEM format. This can be done using the following command:
openssl x509 -in certificate.der -inform DER -outform PEM )
All the resulting certificates that you need have to be put into one directory and
have to be hashed for fetchmail to find them. The best way to do this is *c_rehash*,
which comes with apache <http://www.apache.org/> and with the OpenSSL
<http://www.openssl.org/> source code. (It is installed on most computers.)
OpenSSL comes with some well-known CA certificates preinstalled. Those
are, depending on which distribution or installation you use, in, e.g.,
/etc/ssl/certs
So :
mkdir .certs
cp cert*.pem .certs
c_rehash .certs
cert1.crlf.pem => 7712a0b8.0
cert2.crlf.pem => 0dcae815.0
cert3.crlf.pem => ddc328ff.0
Now, you must add the following two lines to your ~/.fetchmailrc:
sslcertck
sslcertpath /global/home/USERS/.certs
Those two lines need to be in the same block as the corresponding
*poll* command.
The first line makes fetchmail abort the connection if no valid cert
can be found (in case a cert is revoked or expires) and the second line
tells fetchmail where to find the certs.
If the certificate expires, mail polling fails. In that case you remove
*sslcertck*. This way you don't check the certificate, but you will be
able to fetch your mail.
Now polling for mail looks like this:
fetchmail -v
fetchmail: Issuer Organization: Universitaet Muenster
fetchmail: Issuer CommonName: Zertifizierungsstelle 2004-2005
fetchmail: Server CommonName: pop.uni-muenster.de
fetchmail: pop.uni-muenster.de key fingerprint: EB:2E:25:75:AC:81:AB:25:70:26:E7:F7:98:54:49:D6
fetchmail: pop.uni-muenster.de fingerprints match.
fetchmail: POP3< +OK POP3 UX01.UNI-MUENSTER.DE v2003.83 server ready
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows:
fetchmail: POP3< TOP
fetchmail: POP3< LOGIN-DELAY 180
fetchmail: POP3< UIDL
fetchmail: POP3< USER
fetchmail: POP3< SASL PLAIN LOGIN
fetchmail: POP3< .
fetchmail: POP3> USER dv
fetchmail: POP3< +OK User name accepted, password please
fetchmail: POP3> PASS *
fetchmail: POP3< +OK Mailbox open, 18 messages
fetchmail: POP3> STAT
fetchmail: POP3< +OK 18 60874
fetchmail: POP3> LAST
fetchmail: POP3< +OK 18
When you launch fetchmail, check at the same time with 'netstat -t' that you use the right port
(995 for POP3+SSL and not 110 for plain POP3).
In case you have any questions, feel free to ask me.
dv.
(inspired by the following website :
http://bronski.net/howto/fetchmail.php?s=fetchmail&submit=Suchen)
II_ Encrypt your password in .fetchmailrc....
No real way to do that...
but there is an alternative with PGP.... take your keys !
In fact, we can encrypt the file and decrypt it just before fetchmail tries to access it. (You just need to enter your passphrase to decrypt the file. When fetchmail is running as a daemon, you only need to enter it once.)
Following is the example with GnuPG.
_1. To encrypt the file :
gpg -r [ Key_for_fetchmail ] -o .crypted_rc -e .fetchmailrc
_2. Create a script "fetch"
#!/bin/sh
umask 077                        # the decrypted copy is created unreadable for group/others (no chmod race)
gpg -o ~/.temp_rc -d ~/.crypted_rc || exit 1
trap 'rm -f ~/.temp_rc' EXIT      # remove the plaintext copy even if fetchmail fails
fetchmail --fetchmailrc ~/.temp_rc "$@"
Don't forget to check that it works on your account...
by adding the -v -N -k switches in test mode.
Attachment: pam_preprofile.tex
#AG EBB
#dv Rev_0.1_2004-11-11
#
# Changelog:
# Date : Ver : User : Comment
# 2004-11-11 : v 0.1 : dv : First version
#
Create symlink for home directory
Goal: Create a symlink so a user can access their home directory.
What you need :
- A working Linux system
- An NFS export from a server with your home directory,
let's say /exports/home
Prerequisites :
I describe the system as it is.
When you log in to your ivv4 account, you get a home directory which is
/dfs/u/[a-z]/login_name with [a-z] equal to the first letter of your account.
I created all the dfs structure pointing to /home with the following script:
#!/bin/sh
mkdir -p /dfs/u
for letter in a b c d e f g h i j k l m n o p q r s t u v w x y z
do
ln -s /home /dfs/u/$letter
done
##End of script
So now, all login names point to /home/login_name.
In the following document I explain how to create the symlink for a user from /home/login_name to /exports/home/login_name, with no user or root action needed, before login.
I. Let's go
To do this job, we will use the PAM mechanism with the pam_preprofile module to execute a script. pam_preprofile passes the login name as the last argument.
A_ get pam_preprofile
Get pam_preprofile:
http://www.kernel.org/pub/linux/libs/pam/pre/modules/pam_preprofile.tgz
tar zxvf pam_preprofile.tgz
cd pam_preprofile/
Read the README...
B_ install it
Copy it into the directory /lib/security/ where all the PAM modules are (Debian and SuSE; for other distros, check...). Put the right permissions on it.
chmod xxx /lib/security/pam_preprofile.so
C_ Create the script
We create the following script, /etc/pam.d/createhome.sh:
#!/bin/sh
#AG EBB
#dv Rev_0.4_2004-09-28
#
# Changelog:
# Date : Ver : User : Comment
# 2004-09-28 : v 0.4 : dv : remove the root check
# 2004-07-20 : v 0.3 : dv : Remove some action for local user
#
# $1 is the login name provided by PAM
#
# Checking if your home directory exists...
if [ "$1" = "root" ] ; then
    exit
fi
if [ -d "/home/$1" ] ; then
    # The login name exists locally.
    # If you want, you can add some stuff here.
    :
else
    # The login name doesn't exist locally,
    # let's check in the export directory.
    if [ -d "/exports/home/$1" ] ; then
        # The login name exists in the export directory.
        ln -s "/exports/home/$1" "/home/$1"
    #else
        # The login name exists neither in the export directory
        # nor locally.
        # If you want, you can add some stuff here.
    fi
fi
##End of script
D_ Use it in PAM....
In each PAM file where you need it (login, ssh, .....), call it with the following line:
session required pam_preprofile.so /etc/pam.d/createhome.sh
On Debian, you can add it to /etc/pam.d/common-session
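The createhome.sh logic above builds file-system paths from the name PAM hands to the script. PAM passes an authenticated account name, but a session hook that creates symlinks should still refuse anything that is not a plain login name before touching the file system. The script below is an added example and not the document's createhome.sh: valid_login_name and create_home_link are assumed function names, and LOCAL_HOME / EXPORT_HOME are assumed variables defaulting to the document's /home and /exports/home so the logic can be tried in a scratch directory first.

```shell
#!/bin/sh
# Added example (not the document's createhome.sh): the same symlink logic
# as a function, with the login name validated before it is used in a path.
# LOCAL_HOME and EXPORT_HOME are assumed names; their defaults are the
# directories used in the document.
LC_ALL=C
export LC_ALL
LOCAL_HOME=${LOCAL_HOME:-/home}
EXPORT_HOME=${EXPORT_HOME:-/exports/home}

# Accept only names made of [a-z0-9._-] that do not start with "." or "-".
# This rejects the empty string, "..", and anything containing "/" or spaces.
valid_login_name() {
    case "$1" in
        '' | .* | -* ) return 1 ;;
        *[!a-z0-9._-]* ) return 1 ;;
    esac
    return 0
}

# Create LOCAL_HOME/name -> EXPORT_HOME/name when no local home exists.
# Return codes: 0 link created, 1 bad name, 2 root (skipped),
# 3 local home (or a stale link) already present, 4 no exported home.
create_home_link() {
    name=$1
    if ! valid_login_name "$name"; then
        return 1
    fi
    if [ "$name" = root ]; then
        return 2
    fi
    # -L as well as -e, so a dangling symlink is not silently overwritten.
    if [ -e "$LOCAL_HOME/$name" ] || [ -L "$LOCAL_HOME/$name" ]; then
        return 3
    fi
    if [ ! -d "$EXPORT_HOME/$name" ]; then
        return 4
    fi
    ln -s "$EXPORT_HOME/$name" "$LOCAL_HOME/$name"
}

# When run as a PAM script (session required pam_preprofile.so <this file>),
# act on the login name that pam_preprofile supplies as the last argument.
if [ -n "$1" ]; then
    create_home_link "$1"
fi
```

The distinct return codes make the outcome visible in a wrapper or a log line without changing the document's behaviour for the normal case; the root and existing-home cases still do nothing, exactly as in createhome.sh.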
II. Link
List of PAM modules: http://www.kernel.org/pub/linux/libs/pam/modules.html
--
Heinz-Hermann Adam (adamh@nwz.uni-muenster.de)
Universitaet Muenster IVV Naturwissenschaften
Wilhelm-Klemm-Str. 10 Tel. +49 251 833-9040
48149 Muenster Fax. +49 251 833-3669
Web: www.uni-muenster.de/IVVNWZ/People/adamh