Date: Thu, 12 Dec 1996 08:57:16 -0800
From: John Polstra <jdp@polstra.com>
To: roberto@eurocontrol.fr
Cc: hackers@freebsd.org, marcs@znep.com, jkh@freebsd.org
Subject: Re: Fwd: CVSup with SSH
Message-ID: <199612121657.IAA17705@austin.polstra.com>
In-Reply-To: <Mutt.19961211160258.roberto@caerdonn.eurocontrol.fr>
References: <Mutt.19961211160258.roberto@caerdonn.eurocontrol.fr>

About running CVSup through a firewall by using SSH port forwarding, I
wrote:

> I've been thinking this over. I don't think it can be made to work
> with the current release of CVSup.

Good news, I was wrong! It seems to be possible after all. Here is the
recipe:

* Invoke ssh with:

    -L 5999:localhost:5999 -R 6666:localhost:6666
                              ^^^^...........^^^^ (any free port)

  Note that it's "-L" in the first one and "-R" in the second one.

* Specify "host=localhost" in your cvsupfile.

* Invoke cvsup with "-P 6666".

I tried a quick test of it between two machines here, and it seemed
to work OK. I checked both sides of the link with netstat, and
the connections were all set up right through the ssh channel. I
did a small update which worked and completed successfully.

It definitely needs more thorough testing, though. To work with
CVSup, a proxy has to be very good about handling some strange
communication patterns. For example, it is normal and common that
at least one of the 4 unidirectional channels is completely full
and blocked by flow control. Yet the other 3 unidirectional channels
have to continue to flow unimpeded. If the proxy falls short in
that regard, deadlock results.

Please let me know how it works out in practice.

Here's how the connections are set up under this method:

* Client connects to port 5999 on its own host, and that gets forwarded
  to port 5999 of the server host. Because of the forwarding, both
  client and server think they're connected to "localhost".

* Client sets up a second socket, binds it to "localhost:6666", and
  listens.

* Over the first channel, client instructs server to do a connect to
  "localhost:6666".

* Server does the connect. Because it's "localhost", it connects to its
  own host rather than the client's host. Sshd is already there,
  listening for the connection. It forwards the connect to port 6666 on
  the client host.

The key to it working is that localhost has the same address everywhere,
but it references different hosts depending on where you are. Thanks to
Marc Slemko for the idea!

John
--
John Polstra jdp@polstra.com
John D. Polstra & Co., Inc. Seattle, Washington USA
"Self-knowledge is always bad news." -- John Barth
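
The flow-control requirement described in the message, as an added illustration that is not part of the original e-mail and is not CVSup or ssh code: a select()-based relay that gives each direction its own bounded queue, so one stalled direction cannot stop the others. The socket pairs standing in for the two forwarded connections, `BUF_LIMIT`, and all function names are assumptions made for the demo.

```python
import select, socket, threading

BUF_LIMIT = 64 * 1024  # per-direction queue cap (assumed value)

def relay(links, stop):
    """Forward bytes between each (a, b) pair; every direction has its own bounded queue."""
    peer, pending = {}, {}
    for a, b in links:
        for s, d in ((a, b), (b, a)):
            s.setblocking(False)
            peer[s], pending[s] = d, bytearray()  # pending[s]: bytes waiting to be written to s
    while not stop.is_set():
        # Read from s only while the queue toward its peer has room, so a stalled
        # direction pushes back on its own sender and on nobody else.
        rlist = [s for s in peer if len(pending[peer[s]]) < BUF_LIMIT]
        wlist = [s for s in peer if pending[s]]
        readable, writable, _ = select.select(rlist, wlist, [], 0.05)
        for s in readable:
            data = s.recv(4096)
            if not data:
                return  # one side closed; a full proxy would half-close instead
            pending[peer[s]] += data
        for s in writable:
            sent = s.send(pending[s])  # non-blocking; select reported free space
            del pending[s][:sent]

def demo():
    """Constructed demo: stall client->server on the data link, then use two other channels."""
    c_ctl, ra_ctl = socket.socketpair()    # client <-> relay, control link
    rb_ctl, s_ctl = socket.socketpair()    # relay <-> server, control link
    c_data, ra_data = socket.socketpair()  # client <-> relay, data link
    rb_data, s_data = socket.socketpair()  # relay <-> server, data link
    stop = threading.Event()
    t = threading.Thread(target=relay, args=([(ra_ctl, rb_ctl), (ra_data, rb_data)], stop))
    t.start()
    try:
        c_data.settimeout(0.3)
        try:
            while True:                    # server never reads: fill until stalled
                c_data.send(b"x" * 65536)
        except socket.timeout:
            pass
        for s in (c_data, s_ctl):
            s.settimeout(2)
        c_ctl.sendall(b"ping")             # client -> server on the control link
        s_data.sendall(b"pong")            # server -> client on the stalled link
        return s_ctl.recv(4), c_data.recv(4)
    finally:
        stop.set()
        t.join()
```

A relay that instead did a blocking write of whatever it had just read would hang on the stalled direction and never deliver the "ping" or the "pong", which is the deadlock the message warns about.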
