13

I have a git server that is behind a firewall. I can access the firewall from my home, but not the git server. However, I can access the git server from the firewall (that is, I can SSH to the firewall and then SSH from the firewall to the git server). I am looking to push and pull to the git repos from my home machine, and I thought the SSH ProxyCommand would do it. So I added the following to my SSH config file:

Host git_server
 HostName git_server.dom
 User user_git_server
 IdentityFile ~/.ssh/id_rsa
 ProxyCommand ssh firewall exec nc %h %p

Host firewall
 HostName firewall.dom
 User user_firewall
 IdentityFile ~/.ssh/id_rsa

With this setup, I can directly SSH to the git server by doing ssh git_server. However, git commands that need to talk to the server do not work. git remote show origin fails with the message:

ssh: connect to host git_server.dom port 22: Operation timed out
fatal: Could not read from remote repository.

Please make sure you have the correct access rights and the repository exists.

The url of the origin repo is 

ssh://user_git_server@git_server.dom/path/to/bare/repository/repo.git

I think I have most of the things in place, but am missing a small crucial piece. Any pointers to what I could be doing wrong?

Varun Vats
  • 489
  • 1
  • 4
  • 14

3 Answers3

5
ssh://user_git_server@git_server.dom/path/to/bare/repository/repo.git
                      ^^^^^^^^^^^^^^

You are using the wrong URL for your repository. Since your ssh config file has a host entry for git_server you need to use that host name in your repository URL as well, otherwise SSH will not use a ProxyCommand.

The correct URL should be either

ssh://user_git_server@git_server/path/to/bare/repository/repo.git

or simply

user_git_server@git_server:/path/to/bare/repository/repo.git
Koen.
  • 25,449
  • 7
  • 83
  • 78
innaM
  • 47,505
  • 4
  • 67
  • 87
  • 2
    Nope, that could work too. It is a [ssh-uri](http://stackoverflow.com/a/9835653/6309), ie a non-[scp syntax](http://stackoverflow.com/a/14134674/6309) which wouldn't use the `~/.ssh/config` file. And if you were to use the [scp syntax](http://www.hypexr.org/linux_scp_help.php) as you recommend, you wouldn't need to specify the user name: `ssh://git_server:/path/to/bare/repository/repo.git`. And you meant ['colon'](http://en.wikipedia.org/wiki/Colon_%28punctuation%29), not 'color' ;) – VonC Jun 15 '13 at 10:09
  • I'm not sure what exactly it is that made you say "Nope". When will a ssh-uri NOT use the ssh-config file? – innaM Jun 15 '13 at 12:44
  • Ah. Tested this and the colon has to go. – innaM Jun 15 '13 at 12:49
  • I meant "Nope, the OP isn't using the wrong url, just a different syntax which would not take advantage of the ssh config file". – VonC Jun 15 '13 at 13:14
  • Well, in that case it seems you're wrong. At least my ssh doesn't care about the syntax and will always use my configure file. – innaM Jun 15 '13 at 15:55
1

It is possible, as mentioned in "Git clone from remote ssh repository - change the machine on the remote network before executing the clone command", that you don't have the command netcat on the proxy server.

You have also another solution with socat, which will negotiate with the HTTP(S) proxy server using the CONNECT method to get you a clean pipe to the server on the far side. See socat.

host gh
    user git
    hostname github.com
    port 22
    proxycommand socat - PROXY:your.proxy.ip:%h:%p,proxyport=3128,proxyauth=user:pwd

Now you can just say (for example):

git clone gh:sitaramc/git-notes.git
jacktrade
  • 3,125
  • 2
  • 36
  • 50
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
0

Somehow connect-proxy and socat don't work on my side, but ncat does.

Here it is: ProxyCommand ncat --proxy-type http --proxy <ip>:<port> %h %p.

whatacold
  • 660
  • 7
  • 15