Accessing a git repository via ssh behind a firewall
M

4

18

I would like to access (clone/push/pull) a private (via ssh) git repository while behind a corporate firewall that only allows http proxy access. I have written a robust Java (daemon) program (based on the JSCh class library) that will allow me to leverage local and remote port forwarding and I am hoping to leverage this but my brain hurts when I try to envision how to set this up.

The git repo depot (to coin a phrase) is at foo.server.com/var/git so the natural inclination, ignoring the firewall, to set up a clone would be:

$ git clone ssh://foo.server.com/var/git/myrepo.git

but the firewall will block this command. I'm inclined to try something like

$ git clone ssh://localhost:8022/var/git/myrepo.git

where localhost:8022 is forwarded to foo.server.com:22

So is this path worth pursuing? Is there any easier solution that is still secure? Are there pitfalls or gotchas I should be aware of?

Mascara answered 13/11, 2009 at 12:29 Comment(0)
D
9

Can you get a normal ssh (command-line) session going? If so, git should also work.

When using ssh, git should pick up your configuration options in .ssh/config. If that is not enough, you can point the environment variable GIT_SSH at a modified version of ssh (or shell script wrapper).

Doubleminded answered 13/11, 2009 at 12:35 Comment(5)
No. That's what is making this so hard. Only http is allowed through the firewall. There are SSH configuration hacks that I can use to get normal ssh commands to work but I do not believe these will help with the git command. I'd love to hear that I'm wrong and I will try this out when I get to work. - Mascara
Updated my answer: your SSH config hacks should work via git, too. - Doubleminded
Actually git simply invokes git-upload-pack / git-receive-pack when doing fetch / push via SSH (it does something like ssh git.example.com "git-upload-pack '/project.git'"). You can specify where to find git-upload-pack or git-receive-pack using appropriate options to git-fetch / git-push. - Jarib
@pajato0: Could you post a bit more detailed answer what you actually did here? I.e. what did you use as GIT_SSH? - Stalagmite
Sure. I set GIT_SSH=sshx where sshx is a command on my PATH variable that specifies a configuration file which uses corkscrew to bypass the firewall, i.e. sshx is "ssh -F ~/path/to/xconfig $*" and xconfig contains (under Host *) "ProxyCommand corkscrew proxy-host.foo.com 80 %h %p /path/to/proxyauth" - Mascara
I
40

Using socat and a .ssh/config like this:

Host=foo.server.com
ProxyCommand=socat - PROXY:your.proxy.ip:%h:%p,proxyport=3128,proxyauth=user:pwd

You should be able to ssh to foo.server.com and

git clone ssh://foo.server.com/var/git/myrepo.git

is expected to work.

Illusionary answered 24/11, 2011 at 10:14 Comment(2)
Nice, this is the final solution for this annoying problem. Awesome! Small post about this - Krebs
Thanks Gregor, your solution worked! Proxies are such a pain to deal with. Any help is appreciated! - Yarber
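
An audit for the credential handling in the two proxy setups above (the inline proxyauth=user:pwd of the socat answer and the corkscrew auth file from the earlier comment), added here as an example and not part of any answer: a password written into ProxyCommand is stored in the config file and passed in the helper's process arguments, and an auth file is only as private as its mode bits. The function names and finding labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag proxy credentials exposed through ssh ProxyCommand lines.

# True when FILE is accessible to group or others (mode bits beyond the owner).
loose_perms() {
    [ "$(ls -ldL "$1" | cut -c5-10)" != "------" ]
}

# audit_proxy_config FILE  ->  one finding per line on stdout
audit_proxy_config() {
    cfg=$1
    if loose_perms "$cfg"; then echo "CONFIG_PERMS $cfg"; fi
    awk '
        BEGIN { host = "*" }
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == "" || line ~ /^#/ { next }
        {
            # ssh_config accepts both "Keyword value" and "Keyword=value"
            key = line; sub(/[ \t=].*$/, "", key); key = tolower(key)
            val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
        }
        key == "host" { gsub(/[ \t]+/, ",", val); host = val; next }
        key == "proxycommand" {
            # socat style: the password sits in the command line itself
            if (val ~ /proxyauth=[^:, ]+:[^, ]+/) print "INLINE_CRED", host, NR
            # corkscrew style: optional last argument is a user:password file
            n = split(val, a, /[ \t]+/)
            if (a[1] ~ /corkscrew$/ && n == 6) print "AUTHFILE", host, a[6]
        }
    ' "$cfg" | while read -r kind host arg; do
        if [ "$kind" = AUTHFILE ]; then
            # the shell that runs ProxyCommand would expand a leading ~/
            case $arg in "~/"*) arg=$HOME/${arg#"~/"} ;; esac
            if [ -e "$arg" ] && loose_perms "$arg"; then
                echo "AUTHFILE_PERMS $host $arg"
            fi
        else
            echo "$kind $host line=$arg"
        fi
    done
}
```

Call it as audit_proxy_config ~/.ssh/config; no output means no inline password was found and the checked files are owner-only.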
A
6

This is my setup working under a Linux machine (localhost on port 18081 is a proxy).

cat ~/.ssh/config
Host  github.com
  User git
  ProxyCommand nc -x localhost:18081 -Xconnect %h %p
Alemannic answered 8/7, 2020 at 16:43 Comment(1)
On Debian this requires the package "netcat-openbsd" (the version of netcat provided by "netcat-traditional" does not have the -x option). - Lightening
R
-1

When you do git clone http://example.com/gitproject.git or git clone https://example.com/gitproject.git, you're using the HTTP/HTTPS protocol.

Git respects http_proxy and https_proxy environment variables, so you can simply execute the following command in a shell:

export http_proxy=socks5://localhost:1080 https_proxy=socks5://localhost:1080

After that, your git command under the same shell will use the proxy for HTTP/HTTPS connections.

Retrogress answered 1/12, 2022 at 6:3 Comment(0)
