git protocol over port-forwarding

git protocol over port-forwarding

[Bill Lear]

We are attempting to use the git protocol throughout our company, as
it saves ssh-related problems of permissions and umasks for a our
poorly-administered community of developers, engineers, and others.

This fails, and I was wondering if anyone has any experience using
port-forwarding and the git protocol, or if it is not presently
possible.

Here's how we set things up ("source" is where git-daemon runs,
and "xiphi" is a client machine):

On the source machine, which is running the git daemon, and listening
on port 9418, I set up this ssh config entry in my ~/.ssh/config file:

Host xiphi-git
     Protocol 2
     ForwardX11 yes
     Hostname xiphi.lsscorp.com
     RemoteForward 5700 localhost:9418
     HostKeyAlias xiphi-git

Then on source, I ssh to xiphi-git, which connects to xiphi and sets up
a portforwarding from xiphi:9418 back to source:9418.  Then, on xiphi:

xiphi:~/y % git clone git://localhost:5700/fusion
Initialized empty Git repository in /home/furnish/y/fusion/.git/
fatal: The remote end hung up unexpectedly
fetch-pack from 'git://localhost:5700/fusion' failed.

So, we are wondering if perhaps the git daemon could be jiggered to
work somehow, or if there are other options for us.


Bill

Re: git protocol over port-forwarding

[Julian Phillips]

On Wed, 14 Mar 2007, Bill Lear wrote:

> We are attempting to use the git protocol throughout our company, as
> it saves ssh-related problems of permissions and umasks for a our
> poorly-administered community of developers, engineers, and others.
>
> This fails, and I was wondering if anyone has any experience using
> port-forwarding and the git protocol, or if it is not presently
> possible.
>
> Here's how we set things up ("source" is where git-daemon runs,
> and "xiphi" is a client machine):
>
> On the source machine, which is running the git daemon, and listening
> on port 9418, I set up this ssh config entry in my ~/.ssh/config file:
>
> Host xiphi-git
>     Protocol 2
>     ForwardX11 yes
>     Hostname xiphi.lsscorp.com
>     RemoteForward 5700 localhost:9418
>     HostKeyAlias xiphi-git
>
> Then on source, I ssh to xiphi-git, which connects to xiphi and sets up
> a portforwarding from xiphi:9418 back to source:9418.  Then, on xiphi:
>
> xiphi:~/y % git clone git://localhost:5700/fusion
> Initialized empty Git repository in /home/furnish/y/fusion/.git/
> fatal: The remote end hung up unexpectedly
> fetch-pack from 'git://localhost:5700/fusion' failed.
>
> So, we are wondering if perhaps the git daemon could be jiggered to
> work somehow, or if there are other options for us.

I don't think there is anything that needs changing with the git daemon 
... or at least I was able to successfully clone over an SSH port forward.

I did get the same error as you originally, but this was due to SSH 
failing to setup the tunnel connection (checking the logs showed that I 
had got the hostname in the forward wrong).

-- 
Julian

  ---
<rac> separated by irc networks...i sense a meg ryan movie coming on

Re: git protocol over port-forwarding

[Martin Langhoff]

On 3/15/07, Bill Lear <rael@zopyra.com> wrote:
> This fails, and I was wondering if anyone has any experience using
> port-forwarding and the git protocol, or if it is not presently
> possible.

We do it all the time. We have an internal server for git hosting, and
to use git+ssh you have to be inside the firewall. If you are outside,
you have to run through several SSH hops to get through the firewall.
We automate this using ssh-agent and keys forwarding.

To get ssh to work for you transparently, what you need to do is to
setup a special Host entry for your git server. For example, I have a

Host gitproxied.yourdomain
    ProxyCommand ssh firewallhost "perl -MSocket -e
'\$h=shift;socket(X,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(X,sockaddr_in(22,inet_aton(\$h)));\$x=fileno(X);vec(\$r,\$x,1)=1;vec(\$r,0,1)=1;\$|=1;\$0=\"connect
to \$h\";while(1){1 until
select(\$ro=\$r,undef,\$eo=\$r,undef);if(vec(\$ro,\$x,1)){recv(X,\$buf,2000,0);print
\$buf;}elsif(vec(\$ro,0,1)){sysread(STDIN,\$buf,2000)or
last;send(X,\$buf,0);}elsif(vec(\$eo,0,1)||vec(\$eo,\$x,1)){last}}'
git.yourdomain"

as I have several hops to go through, "firewallhost" has another Host
entry, describing how to get to it.

With this, when I'm outside the lan I can ssh into the "git" host by
invoking "ssh gitproxied.yourdomain", sftp and scp work too. So I
often have an "extra" remote called originproxied or similar.

cheers,


martin

Re: git protocol over port-forwarding

[Bill Lear]

On Wednesday, March 14, 2007 at 21:05:37 (+0000) Julian Phillips writes:
>...
>I don't think there is anything that needs changing with the git daemon 
>... or at least I was able to successfully clone over an SSH port forward.
>
>I did get the same error as you originally, but this was due to SSH 
>failing to setup the tunnel connection (checking the logs showed that I 
>had got the hostname in the forward wrong).

Ok, so were you doing something like this:

% git clone git://localhost:5700/project

etc.?  and not using the ssh protocol, like this:

% git clone ssh://...

?


Bill

Re: git protocol over port-forwarding

[Martin Langhoff]

On 3/15/07, Bill Lear <rael@zopyra.com> wrote:
> On Wednesday, March 14, 2007 at 21:05:37 (+0000) Julian Phillips writes:
> >...
> >I don't think there is anything that needs changing with the git daemon
> >... or at least I was able to successfully clone over an SSH port forward.
> >
> >I did get the same error as you originally, but this was due to SSH
> >failing to setup the tunnel connection (checking the logs showed that I
> >had got the hostname in the forward wrong).
>
> Ok, so were you doing something like this:
>
> % git clone git://localhost:5700/project
>
> etc.?  and not using the ssh protocol, like this:
>
> % git clone ssh://...

I think pure port forwarding won't support git+ssh. For that you need
the proxycommand approach I mentioned. Actually, I think there's a
more elegant approach just saying

Host fooproxied
    ProxyCommand ssh -q -a foo.yourdomain nc -q0 %h 22

cheers,



m

Re: git protocol over port-forwarding

[Julian Phillips]

On Wed, 14 Mar 2007, Bill Lear wrote:

> On Wednesday, March 14, 2007 at 21:05:37 (+0000) Julian Phillips writes:
>> ...
>> I don't think there is anything that needs changing with the git daemon
>> ... or at least I was able to successfully clone over an SSH port forward.
>>
>> I did get the same error as you originally, but this was due to SSH
>> failing to setup the tunnel connection (checking the logs showed that I
>> had got the hostname in the forward wrong).
>
> Ok, so were you doing something like this:
>
> % git clone git://localhost:5700/project

yup.

I was even watching netstat on the server too ... ;)
(I did setup the tunnel from the client though, since I can't ssh into my 
desktop machine - so I was using LocalForward 5700 <server_ip>:9418)

>
> etc.?  and not using the ssh protocol, like this:
>
> % git clone ssh://...

nope.

-- 
Julian

  ---
I want to marry a girl just like the girl that married dear old dad.
 		-- Freud

Re: git protocol over port-forwarding

[Jakub Narebski]

Martin Langhoff wrote:

> On 3/15/07, Bill Lear <rael@zopyra.com> wrote:
>> On Wednesday, March 14, 2007 at 21:05:37 (+0000) Julian Phillips writes:
>>>...
>>>I don't think there is anything that needs changing with the git daemon
>>>... or at least I was able to successfully clone over an SSH port forward.
>>>
>>>I did get the same error as you originally, but this was due to SSH
>>>failing to setup the tunnel connection (checking the logs showed that I
>>>had got the hostname in the forward wrong).
>>
>> Ok, so were you doing something like this:
>>
>> % git clone git://localhost:5700/project
>>
>> etc.?  and not using the ssh protocol, like this:
>>
>> % git clone ssh://...
> 
> I think pure port forwarding won't support git+ssh. For that you need
> the proxycommand approach I mentioned. Actually, I think there's a
> more elegant approach just saying
> 
> Host fooproxied
>     ProxyCommand ssh -q -a foo.yourdomain nc -q0 %h 22

I think it could be done but with _two_ port forwarding, one from git
port to ssh port or 5700 port, on your computer (probably reverse tunnel),
second from 5700 port to git port... unless you configure git server
to use different port...

-- 
Jakub Narebski
Warsaw, Poland
ShadeHawk on #git

Re: git protocol over port-forwarding

[Bill Lear]

On Thursday, March 15, 2007 at 00:14:32 (+0100) Jakub Narebski writes:
>...
>I think it could be done but with _two_ port forwarding, one from git
>port to ssh port or 5700 port, on your computer (probably reverse tunnel),
>second from 5700 port to git port... unless you configure git server
>to use different port...

Ok thanks to all, Jakub, Martin, Julian, for the comments.  I'll
go give our ssh "expert" hell.


Bill

Re: git protocol over port-forwarding

[Bill Lear]

On Wednesday, March 14, 2007 at 18:33:52 (-0600) Bill Lear writes:
>On Thursday, March 15, 2007 at 00:14:32 (+0100) Jakub Narebski writes:
>>...
>>I think it could be done but with _two_ port forwarding, one from git
>>port to ssh port or 5700 port, on your computer (probably reverse tunnel),
>>second from 5700 port to git port... unless you configure git server
>>to use different port...
>
>Ok thanks to all, Jakub, Martin, Julian, for the comments.  I'll
>go give our ssh "expert" hell.

Just wanted to confirm to all that our expert confessed that he had
fat-fingered something (I promise, it wasn't me), and now it works
perfectly.

Thanks again.


Bill

Re: git protocol over port-forwarding

[Martin Langhoff]

On 3/15/07, Jakub Narebski <jnareb@gmail.com> wrote:
> I think it could be done but with _two_ port forwarding, one from git
> port to ssh port or 5700 port, on your computer (probably reverse tunnel),
> second from 5700 port to git port... unless you configure git server
> to use different port...

All the protections against man-in-the-middle attacks (host key
verification, etc) prevent straight port forwarding. That's why if you
want git over ssh you have to use the proxycommand option to ssh.

IMHO, YMMV, etc. ;-)



m