* git protocol over port-forwarding
@ 2007-03-14 18:37 Bill Lear
  2007-03-14 21:05 ` Julian Phillips
  2007-03-14 21:07 ` Martin Langhoff
  0 siblings, 2 replies; 10+ messages in thread
From: Bill Lear @ 2007-03-14 18:37 UTC (permalink / raw)
  To: git

We are attempting to use the git protocol throughout our company, as
it saves ssh-related problems of permissions and umasks for our
poorly-administered community of developers, engineers, and others.

This fails, and I was wondering if anyone has any experience using
port-forwarding and the git protocol, or if it is not presently
possible.

Here's how we set things up ("source" is where git-daemon runs,
and "xiphi" is a client machine):

On the source machine, which is running the git daemon, and listening
on port 9418, I set up this ssh config entry in my ~/.ssh/config file:

Host xiphi-git
     Protocol 2
     ForwardX11 yes
     Hostname xiphi.lsscorp.com
     RemoteForward 5700 localhost:9418
     HostKeyAlias xiphi-git

Then on source, I ssh to xiphi-git, which connects to xiphi and sets up
a portforwarding from xiphi:9418 back to source:9418.  Then, on xiphi:

xiphi:~/y % git clone git://localhost:5700/fusion
Initialized empty Git repository in /home/furnish/y/fusion/.git/
fatal: The remote end hung up unexpectedly
fetch-pack from 'git://localhost:5700/fusion' failed.

So, we are wondering if perhaps the git daemon could be jiggered to
work somehow, or if there are other options for us.


Bill

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: git protocol over port-forwarding
  2007-03-14 18:37 git protocol over port-forwarding Bill Lear
@ 2007-03-14 21:05 ` Julian Phillips
  2007-03-14 22:04   ` Bill Lear
  2007-03-14 21:07 ` Martin Langhoff
  1 sibling, 1 reply; 10+ messages in thread
From: Julian Phillips @ 2007-03-14 21:05 UTC (permalink / raw)
  To: Bill Lear; +Cc: git

On Wed, 14 Mar 2007, Bill Lear wrote:

> We are attempting to use the git protocol throughout our company, as
> it saves ssh-related problems of permissions and umasks for our
> poorly-administered community of developers, engineers, and others.
>
> This fails, and I was wondering if anyone has any experience using
> port-forwarding and the git protocol, or if it is not presently
> possible.
>
> Here's how we set things up ("source" is where git-daemon runs,
> and "xiphi" is a client machine):
>
> On the source machine, which is running the git daemon, and listening
> on port 9418, I set up this ssh config entry in my ~/.ssh/config file:
>
> Host xiphi-git
>     Protocol 2
>     ForwardX11 yes
>     Hostname xiphi.lsscorp.com
>     RemoteForward 5700 localhost:9418
>     HostKeyAlias xiphi-git
>
> Then on source, I ssh to xiphi-git, which connects to xiphi and sets up
> a portforwarding from xiphi:9418 back to source:9418.  Then, on xiphi:
>
> xiphi:~/y % git clone git://localhost:5700/fusion
> Initialized empty Git repository in /home/furnish/y/fusion/.git/
> fatal: The remote end hung up unexpectedly
> fetch-pack from 'git://localhost:5700/fusion' failed.
>
> So, we are wondering if perhaps the git daemon could be jiggered to
> work somehow, or if there are other options for us.

I don't think there is anything that needs changing with the git daemon
... or at least I was able to successfully clone over an SSH port forward.

I did get the same error as you originally, but this was due to SSH
failing to setup the tunnel connection (checking the logs showed that I
had got the hostname in the forward wrong).

--
Julian

  ---
<rac> separated by irc networks...i sense a meg ryan movie coming on

^ permalink raw reply	[flat|nested] 10+ messages in thread
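
Added example, not part of the thread and not code from the git project: a probe for the failure discussed above, where a clone through the forwarded port ends in "The remote end hung up unexpectedly". It sends the git-daemon request by hand and tells apart a missing listener, a forward that accepts and then drops, a non-git service on the port, and a working daemon. The function names and result labels are made up for this example; port 5700 and /fusion are the values from Bill's message.

```python
import socket

HEX = b"0123456789abcdef"

def pkt_line(payload: bytes) -> bytes:
    """Frame payload as a git pkt-line: 4 hex digits of total length, then data."""
    return b"%04x" % (len(payload) + 4) + payload

def build_request(repo_path: str, host: str) -> bytes:
    """The first message a git:// client sends to git-daemon."""
    return pkt_line(b"git-upload-pack " + repo_path.encode()
                    + b"\0host=" + host.encode() + b"\0")

def classify(reply: bytes) -> str:
    """Interpret the first bytes read back through the forwarded port."""
    if not reply:
        # Connected, then EOF: the ssh forward accepted us but could not
        # reach its target, or the daemon closed without answering.
        return "hung-up"
    head = reply[:4].lower()
    if len(head) < 4 or any(c not in HEX for c in head):
        return "not-git"            # e.g. an SSH banner: wrong forward target
    length = int(head, 16)
    if length == 0:
        return "ok"                 # flush packet: daemon answered, no refs
    body = reply[4:length]
    if body.startswith(b"ERR "):
        return "daemon-error: " + body[4:].decode(errors="replace").strip()
    sha = body[:40].lower()
    if len(body) > 41 and body[40:41] == b" " and all(c in HEX for c in sha):
        return "ok"                 # "<40-hex object id> <refname>..." line
    return "not-git"

def probe(port: int, repo_path: str, host: str = "localhost",
          timeout: float = 5.0) -> str:
    """Connect to the forwarded port and classify what answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(repo_path, f"{host}:{port}"))
            return classify(s.recv(4096))
    except ConnectionRefusedError:
        return "refused"            # nothing listening: tunnel not up at all
    except ConnectionResetError:
        return "hung-up"
    except socket.timeout:
        return "timeout"

if __name__ == "__main__":
    print(probe(5700, "/fusion"))
```

A "hung-up" result with the daemon known to be running points at the forward itself, which is where the ssh logs mentioned above are the next thing to read.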
* Re: git protocol over port-forwarding
  2007-03-14 21:05 ` Julian Phillips
@ 2007-03-14 22:04   ` Bill Lear
  2007-03-14 22:14     ` Martin Langhoff
  2007-03-14 22:30     ` Julian Phillips
  0 siblings, 2 replies; 10+ messages in thread
From: Bill Lear @ 2007-03-14 22:04 UTC (permalink / raw)
  To: Julian Phillips; +Cc: git

On Wednesday, March 14, 2007 at 21:05:37 (+0000) Julian Phillips writes:
>...
>I don't think there is anything that needs changing with the git daemon
>... or at least I was able to successfully clone over an SSH port forward.
>
>I did get the same error as you originally, but this was due to SSH
>failing to setup the tunnel connection (checking the logs showed that I
>had got the hostname in the forward wrong).

Ok, so were you doing something like this:

% git clone git://localhost:5700/project

etc.? and not using the ssh protocol, like this:

% git clone ssh://...

?


Bill

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: git protocol over port-forwarding
  2007-03-14 22:04   ` Bill Lear
@ 2007-03-14 22:14     ` Martin Langhoff
  2007-03-14 23:14       ` Jakub Narebski
  2007-03-14 22:30     ` Julian Phillips
  1 sibling, 1 reply; 10+ messages in thread
From: Martin Langhoff @ 2007-03-14 22:14 UTC (permalink / raw)
  To: Bill Lear; +Cc: Julian Phillips, git

On 3/15/07, Bill Lear <rael@zopyra.com> wrote:
> On Wednesday, March 14, 2007 at 21:05:37 (+0000) Julian Phillips writes:
> >...
> >I don't think there is anything that needs changing with the git daemon
> >... or at least I was able to successfully clone over an SSH port forward.
> >
> >I did get the same error as you originally, but this was due to SSH
> >failing to setup the tunnel connection (checking the logs showed that I
> >had got the hostname in the forward wrong).
>
> Ok, so were you doing something like this:
>
> % git clone git://localhost:5700/project
>
> etc.? and not using the ssh protocol, like this:
>
> % git clone ssh://...

I think pure port forwarding won't support git+ssh. For that you need
the proxycommand approach I mentioned. Actually, I think there's a
more elegant approach just saying

Host fooproxied
    ProxyCommand ssh -q -a foo.yourdomain nc -q0 %h 22

cheers,


m

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: git protocol over port-forwarding
  2007-03-14 22:14     ` Martin Langhoff
@ 2007-03-14 23:14       ` Jakub Narebski
  2007-03-15  0:33         ` Bill Lear
  2007-03-15  4:29         ` Martin Langhoff
  0 siblings, 2 replies; 10+ messages in thread
From: Jakub Narebski @ 2007-03-14 23:14 UTC (permalink / raw)
  To: git

Martin Langhoff wrote:

> On 3/15/07, Bill Lear <rael@zopyra.com> wrote:
>> On Wednesday, March 14, 2007 at 21:05:37 (+0000) Julian Phillips writes:
>>>...
>>>I don't think there is anything that needs changing with the git daemon
>>>... or at least I was able to successfully clone over an SSH port forward.
>>>
>>>I did get the same error as you originally, but this was due to SSH
>>>failing to setup the tunnel connection (checking the logs showed that I
>>>had got the hostname in the forward wrong).
>>
>> Ok, so were you doing something like this:
>>
>> % git clone git://localhost:5700/project
>>
>> etc.? and not using the ssh protocol, like this:
>>
>> % git clone ssh://...
>
> I think pure port forwarding won't support git+ssh. For that you need
> the proxycommand approach I mentioned. Actually, I think there's a
> more elegant approach just saying
>
> Host fooproxied
>     ProxyCommand ssh -q -a foo.yourdomain nc -q0 %h 22

I think it could be done but with _two_ port forwarding, one from git
port to ssh port or 5700 port, on your computer (probably reverse tunnel),
second from 5700 port to git port... unless you configure git server
to use different port...

--
Jakub Narebski
Warsaw, Poland
ShadeHawk on #git

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: git protocol over port-forwarding
  2007-03-14 23:14       ` Jakub Narebski
@ 2007-03-15  0:33         ` Bill Lear
  2007-03-15  1:32           ` Bill Lear
  2007-03-15  4:29         ` Martin Langhoff
  1 sibling, 1 reply; 10+ messages in thread
From: Bill Lear @ 2007-03-15  0:33 UTC (permalink / raw)
  To: Jakub Narebski; +Cc: git

On Thursday, March 15, 2007 at 00:14:32 (+0100) Jakub Narebski writes:
>...
>I think it could be done but with _two_ port forwarding, one from git
>port to ssh port or 5700 port, on your computer (probably reverse tunnel),
>second from 5700 port to git port... unless you configure git server
>to use different port...

Ok thanks to all, Jakub, Martin, Julian, for the comments.  I'll
go give our ssh "expert" hell.


Bill

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: git protocol over port-forwarding
  2007-03-15  0:33         ` Bill Lear
@ 2007-03-15  1:32           ` Bill Lear
  0 siblings, 0 replies; 10+ messages in thread
From: Bill Lear @ 2007-03-15  1:32 UTC (permalink / raw)
  To: Jakub Narebski, git

On Wednesday, March 14, 2007 at 18:33:52 (-0600) Bill Lear writes:
>On Thursday, March 15, 2007 at 00:14:32 (+0100) Jakub Narebski writes:
>>...
>>I think it could be done but with _two_ port forwarding, one from git
>>port to ssh port or 5700 port, on your computer (probably reverse tunnel),
>>second from 5700 port to git port... unless you configure git server
>>to use different port...
>
>Ok thanks to all, Jakub, Martin, Julian, for the comments.  I'll
>go give our ssh "expert" hell.

Just wanted to confirm to all that our expert confessed that he had
fat-fingered something (I promise, it wasn't me), and now it works
perfectly.

Thanks again.


Bill

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: git protocol over port-forwarding
  2007-03-14 23:14       ` Jakub Narebski
  2007-03-15  0:33         ` Bill Lear
@ 2007-03-15  4:29         ` Martin Langhoff
  1 sibling, 0 replies; 10+ messages in thread
From: Martin Langhoff @ 2007-03-15  4:29 UTC (permalink / raw)
  To: Jakub Narebski; +Cc: git

On 3/15/07, Jakub Narebski <jnareb@gmail.com> wrote:
> I think it could be done but with _two_ port forwarding, one from git
> port to ssh port or 5700 port, on your computer (probably reverse tunnel),
> second from 5700 port to git port... unless you configure git server
> to use different port...

All the protections against man-in-the-middle attacks (host key
verification, etc) prevent straight port forwarding. That's why if you
want git over ssh you have to use the proxycommand option to ssh.

IMHO, YMMV, etc. ;-)


m

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: git protocol over port-forwarding
  2007-03-14 22:04   ` Bill Lear
  2007-03-14 22:14     ` Martin Langhoff
@ 2007-03-14 22:30     ` Julian Phillips
  1 sibling, 0 replies; 10+ messages in thread
From: Julian Phillips @ 2007-03-14 22:30 UTC (permalink / raw)
  To: Bill Lear; +Cc: git

On Wed, 14 Mar 2007, Bill Lear wrote:

> On Wednesday, March 14, 2007 at 21:05:37 (+0000) Julian Phillips writes:
>> ...
>> I don't think there is anything that needs changing with the git daemon
>> ... or at least I was able to successfully clone over an SSH port forward.
>>
>> I did get the same error as you originally, but this was due to SSH
>> failing to setup the tunnel connection (checking the logs showed that I
>> had got the hostname in the forward wrong).
>
> Ok, so were you doing something like this:
>
> % git clone git://localhost:5700/project

yup.  I was even watching netstat on the server too ... ;)

(I did setup the tunnel from the client though, since I can't ssh into my
desktop machine - so I was using LocalForward 5700 <server_ip>:9418)

>
> etc.? and not using the ssh protocol, like this:
>
> % git clone ssh://...

nope.

--
Julian

  ---
I want to marry a girl just like the girl that married dear old dad.
		-- Freud

^ permalink raw reply	[flat|nested] 10+ messages in thread
* Re: git protocol over port-forwarding
  2007-03-14 18:37 git protocol over port-forwarding Bill Lear
  2007-03-14 21:05 ` Julian Phillips
@ 2007-03-14 21:07 ` Martin Langhoff
  1 sibling, 0 replies; 10+ messages in thread
From: Martin Langhoff @ 2007-03-14 21:07 UTC (permalink / raw)
  To: Bill Lear; +Cc: git

On 3/15/07, Bill Lear <rael@zopyra.com> wrote:
> This fails, and I was wondering if anyone has any experience using
> port-forwarding and the git protocol, or if it is not presently
> possible.

We do it all the time. We have an internal server for git hosting, and
to use git+ssh you have to be inside the firewall. If you are outside,
you have to run through several SSH hops to get through the firewall.
We automate this using ssh-agent and keys forwarding.

To get ssh to work for you transparently, what you need to do is to
setup a special Host entry for your git server. For example, I have a

Host gitproxied.yourdomain
ProxyCommand ssh firewallhost "perl -MSocket -e '\$h=shift;socket(X,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(X,sockaddr_in(22,inet_aton(\$h)));\$x=fileno(X);vec(\$r,\$x,1)=1;vec(\$r,0,1)=1;\$|=1;\$0=\"connect to \$h\";while(1){1 until select(\$ro=\$r,undef,\$eo=\$r,undef);if(vec(\$ro,\$x,1)){recv(X,\$buf,2000,0);print \$buf;}elsif(vec(\$ro,0,1)){sysread(STDIN,\$buf,2000)or last;send(X,\$buf,0);}elsif(vec(\$eo,0,1)||vec(\$eo,\$x,1)){last}}' git.yourdomain"

as I have several hops to go through, "firewallhost" has another Host
entry, describing how to get to it.

With this, when I'm outside the lan I can ssh into the "git" host by
invoking "ssh gitproxied.yourdomain", sftp and scp work too. So I
often have an "extra" remote called originproxied or similar.

cheers,


martin

^ permalink raw reply	[flat|nested] 10+ messages in thread