Ehud Karni wrote
>
>The 2nd way is using SSH tunneling. It is simpler and safer, but it
>has one catch - the user must have an account (not all my mail clients
>have UNIX accounts). Forward ports 110 and 25 and it'll work like magic
>with any mail client. Nobody can steal your password (use key
>authentication with/without passphrase) and nobody can read your mail!
>I use the Cygwin OpenSSH with rxvt on M$ Windoz. On Linux, use OpenSSH
>with console or xterm.
>
>Ehud.
>
Well, not exactly.
Yes, you need the system to be able to authenticate you, but that does
not necessarily mean a shell account.
Create a shell that accepts no input and gives no output. Create a user
(one user) that has no valid password (or a shared password to all your
users - that may also work). You are already 3/4 done.
All that is left is for you to take a public key from each of your
users, and tell this dummy user that that public key is allowed to log
in. By not placing the user's shell in /etc/shells you can prevent login
via FTP (actually - this is not necessary, as the user has no valid
password).
Thus you have a list of users, who can authenticate with the machine for
port forwarding purposes, but can do nothing else. You have individual
control over the users (i.e. - they do not all use the same password),
and yet it only takes one real user on the machine.
Shachar
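
The setup described in the reply above, as an added example that is not part of the original message: it writes a do-nothing login shell and builds one authorized_keys file from per-user public keys. The option string in front of each key, the sleep-based shell, the file paths and the sample key text are assumptions, and the forwarding targets assume the mail server runs on the SSH host itself.

```shell
#!/bin/sh
# Added example. Paths, key text and the sleep-based shell are assumptions.

# Options put in front of every key: forwarding only, and only to the
# POP3 and SMTP ports. "restrict" needs OpenSSH 7.2 or later.
OPTS='restrict,port-forwarding,permitopen="localhost:110",permitopen="localhost:25"'

# Login shell for the dummy user: reads nothing, prints nothing, and just
# sleeps so the session carrying the forwarded ports stays open.
make_noop_shell() {
    printf '%s\n' '#!/bin/sh' \
        'exec sleep 86400 </dev/null >/dev/null 2>&1' > "$1"
    chmod 755 "$1"
}

# $1 = directory of submitted <user>.pub files, $2 = authorized_keys to write.
build_authorized_keys() {
    : > "$2"
    for f in "$1"/*.pub; do
        [ -f "$f" ] || continue
        n=$(grep -c . "$f" || true)          # number of non-empty lines
        line=$(grep . "$f" | head -n 1)
        # Accept exactly one line that begins with a key type, so a
        # submission cannot carry its own options or extra keys.
        case "$n:$line" in
            1:ssh-ed25519\ *|1:ssh-rsa\ *|1:ecdsa-sha2-*\ *) ;;
            *) echo "rejected: $f" >&2; continue ;;
        esac
        printf '%s %s\n' "$OPTS" "$line" >> "$2"
    done
    chmod 600 "$2"
}

# Constructed sample run in a scratch directory; prints that directory.
demo() {
    d=$(mktemp -d)
    mkdir "$d/keys"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY alice@laptop' \
        > "$d/keys/alice.pub"
    echo 'command="/bin/sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLY bob' \
        > "$d/keys/bob.pub"
    make_noop_shell "$d/noshell"
    build_authorized_keys "$d/keys" "$d/authorized_keys"
    echo "$d"
}

cat "$(demo)/authorized_keys"
```

The generated file goes in the dummy user's ~/.ssh/authorized_keys and the generated script becomes that user's login shell. Removing one person's access is then a matter of deleting their line.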