Project

General

Profile

Accessing cdcvs git repositories from private networks » History » Version 1

Version 1/3 - Next » - Current version
Christopher Green, 10/25/2012 05:28 PM


Accessing cdcvs git repositories from private networks

It is actually possible to access git repositories on cdcvs from machines on private networks using ssh tunnels. General instructions are available for different situations, or see below for the case where the publicly-accessible machine is cluck. If you have another machine you wish to use, see the applicable extra notes.

When the publicly-accessible machine is cluck and the private machine is grunt*, dsfr* or dseb*.

Obtain a public key.

Use ssh-keygen. Whether you use the default key in .ssh/id_dsa{,.pub} or create your own accessible with ssh-agent is up to you.

Get a manager to add your public key to .ssh/authorized_keys for each project you wish to use.

You should add a prefix setting the user's name in the environment to each key. :

cat <pub-key> | ssh p-<proj>@cdcvs.fnal.gov \
"printf 'environment=\"REMOTE_USER=<user>\" ' >tmp.\$\$ </dev/null; cat >>tmp.\$\$; cat tmp.\$\$ >>.ssh/authorized_keys"

Add your public key to .ssh/authorized_keys on cluck and the private machine.

mkdir -p ~/.ssh && chmod 700 ~/.ssh; cat <pub-key> >> ~/.ssh/authorized_keys

On the private machine, start an ssh tunnel.

ssh -n -N -T -q -f -L<port>:cdcvs.fnal.gov:22 cluckp

<port> should be >1024.

Clone your git repository.

git clone ssh://p-<proj>@localhost:<port>/cvs/projects/<proj>

When the publicly-accessible machine is cluck and you have a different private machine.

In addition to the above, /etc/ssh/ssh_config or ~/.ssh/config should contain the following clause:

Host cluckp
        GSSAPIAuthentication no
        GSSAPIDelegateCredentials no
        PasswordAuthentication no
        PubKeyAuthentication yes
        ForwardAgent yes
        ForwardX11Trusted yes
        ForwardX11 yes

When the publicly-accessible machine is not cluck.

  • There should be a clause on the public machine in /etc/ssh/ssh_config or ~/.ssh/config ensuring the above-specified options are applied for connections to the private machine.
  • The publicly-accessible machine should be running an sshd listening to port 22 on the private network which accepts PubKeyAuthentication.