Accessing cdcvs git repositories from private networks » History » Version 1

Christopher Green, 10/25/2012 05:28 PM

h1. Accessing cdcvs git repositories from private networks

It is possible to access git repositories on cdcvs from machines on private networks by using ssh tunnels. "General instructions":http://randyfay.com/content/git-over-ssh-tunnel-through-firewall-or-vpn are available for different situations; see below for the case where the publicly-accessible machine is cluck. If you wish to use another machine, see the applicable extra notes.

h2. When the publicly-accessible machine is cluck and the private machine is @grunt*@, @dsfr*@ or @dseb*@.

h3. Obtain a public key.

Use @ssh-keygen@. Whether you use the default key in @.ssh/id_dsa{,.pub}@ or create your own, made accessible with @ssh-agent@, is up to you.

h3. Get a manager to add your public key to @.ssh/authorized_keys@ for each project you wish to use.

Each key should be given a prefix that sets the user's name in the environment:

<pre># Prefix the key with environment="REMOTE_USER=<user>", append it to the
# project account's authorized_keys, then remove the temporary file.
cat <pub-key> | ssh p-<proj>@cdcvs.fnal.gov \
"printf 'environment=\"REMOTE_USER=<user>\" ' >tmp.\$\$ </dev/null; cat >>tmp.\$\$; cat tmp.\$\$ >>.ssh/authorized_keys; rm -f tmp.\$\$"</pre>

h3. Add your public key to @.ssh/authorized_keys@ on @cluck@ and the private machine.

<pre>mkdir -p ~/.ssh && chmod 700 ~/.ssh; cat <pub-key> >> ~/.ssh/authorized_keys</pre>

h3. On the private machine, start an ssh tunnel.

<pre># -L forwards local <port> to cdcvs.fnal.gov:22 via cluckp;
# -f and -N keep the tunnel in the background without running a remote command.
ssh -n -N -T -q -f -L<port>:cdcvs.fnal.gov:22 cluckp</pre>

@<port>@ should be >1024, so that the tunnel can be opened without root privileges.

h3. Clone your git repository.

<pre>git clone ssh://p-<proj>@localhost:<port>/cvs/projects/<proj></pre>

h2. When the publicly-accessible machine is cluck and you have a different private machine.

In addition to the above, @/etc/ssh/ssh_config@ or @~/.ssh/config@ should contain the following clause:

<pre>Host cluckp
        GSSAPIAuthentication no
        GSSAPIDelegateCredentials no
        PasswordAuthentication no
        PubKeyAuthentication yes
        ForwardAgent yes
        ForwardX11Trusted yes
        ForwardX11 yes</pre>

h2. When the publicly-accessible machine is not cluck.

* There should be a clause on the public machine in @/etc/ssh/ssh_config@ or @~/.ssh/config@ ensuring that the above-specified options are applied for connections to the private machine.
* The publicly-accessible machine should be running an @sshd@ that listens on port 22 on the private network and accepts @PubKeyAuthentication@.
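
In the step where a manager adds a public key to a project's @.ssh/authorized_keys@, the prefix lands only on the first line of whatever the key file contains. The following is an added example, not code from the original page or from the project: a POSIX shell function that accepts exactly one option-free key line and prints it with the @REMOTE_USER@ prefix. The name @make_entry@, the accepted key types and the sample key are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): emit one authorized_keys line
# with the REMOTE_USER prefix. make_entry and the sample values are hypothetical.
# Note: sshd honours environment= only when PermitUserEnvironment is enabled.

# usage: make_entry <user> <pub-key-file>  -> prints the entry, non-zero on reject
make_entry() {
    user=$1 file=$2
    # The name is placed inside a double-quoted option, so restrict its alphabet.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "rejected: user name" >&2; return 1 ;;
    esac
    [ -r "$file" ] || { echo "rejected: unreadable file" >&2; return 1; }
    # Exactly one non-blank line, so the prefix covers every key that is added.
    [ "$(grep -c '[^[:space:]]' "$file")" -eq 1 ] ||
        { echo "rejected: need exactly one key line" >&2; return 1; }
    line=$(grep '[^[:space:]]' "$file")
    read -r type blob comment <<EOF
$line
EOF
    # First field must be a key type: a line that brings its own options fails.
    # The accepted list is an assumption; ssh-dss matches the page's id_dsa.
    case $type in
        ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: key type or leading options" >&2; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "rejected: key blob" >&2; return 1 ;;
    esac
    printf 'environment="REMOTE_USER=%s" %s %s%s\n' \
        "$user" "$type" "$blob" "${comment:+ $comment}"
}

# Constructed sample input (not a real key).
demo() {
    tmp=$(mktemp) || return 1
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly alice@grunt1' >"$tmp"
    make_entry alice "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
demo
```

The printed line can then be appended to the project account's @.ssh/authorized_keys@ over ssh in place of the raw key file.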