Quoting Johannes Berg <johannes@sipsolutions.net>:
> On Mon, 2007-05-14 at 11:39 -0500, Eric Rostetter wrote:
> > You can set up an ssh tunnel on the server on any port. The user then sets up to connect to that port. The authentication can be done any way you want, or not at all. We're not talking ssh logins to the server, we're talking ssh tunneling.
> Actually, I was thinking ssh logins :)

Huh... Not sure why, but... This sounds like it would require both ssh server modifications and e-mail client modifications. As such, you may not get a lot of buy-in to your idea. At that point, you're almost halfway to creating a new protocol anyway...

> - the imap service you provide is a pre-authenticated imap session so that authentication/encryption is in ssh. I read my mail this way all the time.
> - the ssh also provides a few other services that you can use

Seems to me that instead of adding plugins to dovecot and the e-mail client, you've added "subsystems" and plugins to the ssh server and e-mail client. So you've just traded one server/client combination for another.

> Thus, what you get is exactly what you want: a service that provides multiple virtual services within a single existing connection.

But since you've had to modify the client and server, why not just do this with any old client/server protocol? What is so special about ssh in this case?

I'd rather just tunnel the imap via ssh, and use the existing ssh tunnel to do pre-auth for other services... Seems more trivial, as we're only modifying the client, not the server... But what do I know/care. I've always been happy with multiple protocols.

One reason I like multiple protocols, each with their own server code, is that it scales well. I can put each service on a separate machine if I need to, I can re-prioritize them individually, I can proxy them with ease, etc. When you start jamming lots of protocols into one code base, not only is it harder to audit and debug, it is harder to scale. Yes, you can still scale with load balancers and such, but that introduces additional cost and complexity which isn't needed when the services are isolated.

But, I guess not everyone needs to scale, and not everyone is on the server end (and yes, things always look different from the client end).

> johannes
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
Go Longhorns!