Daniel Carrera spake unto us the following wisdom:

>> If you have to serve through ssh, you'd be much better off starting a
>> netsync server somewhere on a localhost port, and tunneling that port
>> through ssh. That will take care of both concurrency and your security
>> concerns in a much cleaner fashion.
>
> How do you do that? I'm interested to hear more. What kind of access do
> you need to do this? Can you do it if you are an unprivileged user? If
> you can, that would be really neat. Are there any drawbacks to your
> solution? (e.g. what if the server reboots? can you set up a cron job to
> check that the netsync server is up?).
It is possible to restrict the monotone server, but restricting it would
break a large number of normal applications, as well. SELinux or similar
technologies might be able to effectively restrict it, but I doubt any
hosting service that would allow you to install and execute a monotone
binary in your hosted space would be using such technologies, or have them
configured to prevent this.

It is also possible to restrict ssh port forwards, and this may be more
likely. I don't have any idea how common such restrictions are. I use no
services which restrict port forwards.

Simply start mtn serve on the hosted server as

    mtn serve localhost:4691

(or whatever port -- any port over 1024 is available to non-root users,
4691 is the default monotone port). This will start a monotone netsync
server which can be connected to *only* by processes on the local machine,
over loopback.

Then, to connect to the server, run something like the following on your
workstation:

    ssh -L4691:localhost:4691 <server>

This somewhat confusing command line says "Forward port 4691 (the leading
4691:) on the local host (-L) to port 4691 on the remote machine
(localhost:4691)". See 'man ssh' for more on -L (and its closely-related
cousin, -R). If you used a server port other than 4691 for 'mtn serve',
replace the *final* 4691 in the above command with the port the server is
using.

Having done this, on your workstation again, run:

    mtn sync localhost <pattern>

If you used a port other than 4691 as the first argument to ssh -L, provide
it as localhost:<port> in the above command. This will connect to your
workstation on a port which SSH tunnels through its own connection to the
remote host and connects to the remote monotone server.

As far as drawbacks, they are what you would expect; you have to have the
SSH tunnel running to access monotone, the encrypted stream is overhead,
etc. However, you pay all those penalties to use monotone via SSH in any
fashion.
Keeping the server running is the same as keeping any server running. There
are various scripts out there which will help with that task.

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy for
evils]. They disarm only those who are neither inclined nor determined to
commit crimes.
  -- Cesare Beccaria, "On Crimes and Punishments", 1764
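The whole scheme above rests on the server being bound to loopback only, and the original question asked about a cron check that the netsync server is up. The script below, an added example that is not from this thread or from the monotone project, does both in one check: it reads a socket listing in the format that `ss -ltn` prints (an assumption; the sample listings are constructed) and distinguishes "not listening" from "listening, but on a non-loopback address". The function names are invented for the example.

```shell
#!/bin/sh
# check_mtn_listener PORT  (reads `ss -ltn` style output on stdin)
# returns 0 if PORT listens on loopback only
#         1 if nothing listens on PORT
#         2 if PORT listens on a non-loopback address (reachable
#           without the ssh tunnel, i.e. "mtn serve" was started
#           without the leading "localhost:")
check_mtn_listener() {
    port="$1"
    found=0
    exposed=0
    while read -r state recvq sendq laddr peer rest; do
        # skip the header line and anything that is not a listener
        [ "$state" = "LISTEN" ] || continue
        # laddr looks like 127.0.0.1:4691, [::1]:4691, 0.0.0.0:4691 or *:4691
        lport="${laddr##*:}"
        [ "$lport" = "$port" ] || continue
        addr="${laddr%:*}"
        found=1
        case "$addr" in
            127.*|'[::1]') ;;   # loopback: only local processes can connect
            *) exposed=1 ;;     # wildcard or real interface: exposed off-host
        esac
    done
    [ "$found" -eq 1 ] || return 1
    [ "$exposed" -eq 0 ] || return 2
    return 0
}

# Constructed sample: server started as "mtn serve localhost:4691".
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:4691    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# Constructed sample: server started without "localhost:" and so
# listening on every interface.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:4691      0.0.0.0:*'

# What a cron job would run on the hosted server (uses the real ss output).
mtn_cron_check() {
    ss -ltn | check_mtn_listener 4691
    case $? in
        1) echo "mtn serve not running; restarting"
           mtn serve localhost:4691 & ;;
        2) echo "WARNING: mtn serve listening on a non-loopback address" >&2 ;;
    esac
}
```

Run `mtn_cron_check` from cron every few minutes; a return of 2 is the case worth an alert, since the server is then reachable without the tunnel.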
_______________________________________________
Monotone-devel mailing list
Monotone-devel@nongnu.org
http://lists.nongnu.org/mailman/listinfo/monotone-devel