Re: [gentoo-user] Accessing CVS on non-standard port

2010-11-28 Thread Alan McKinnon
Apparently, though unproven, at 02:45 on Friday 26 November 2010, Michael 
Orlitzky did opine thusly:

> On 11/24/2010 04:35 PM, Alan McKinnon wrote:
> > I need to get to the work CVS server from home. It's not exposed to the
> > internet but never fear! we have ssh -L and a convenient sshd host that
> > is on the internets. So, locally
> > 
> > ssh -Llocalhost::cvs.example.com:22 a...@gateway.example.com
> > 
> > and tell cvs that the server is localhost:
> > 
> > I do this all the time for lots of other stuff. Doesn't work for CVS
> > because there's no way to tell cvs to tell ssh what port to use.
> > 
> > Google gives lots of hits about using the host-specific Host directive in
> > ~/.ssh/config but that won't work for me - it assumes I can see the CVS
> > server directly and doesn't take into account that I have port
> > forwarding in the way.
> > 
> > Anyone know a way to get cvs to use any port other than 22? I'm receptive
> > to alternate cvs clients with this support, just not ones that tweak ssh
> > to do it.
> 
> Use a full-blown tunnel instead of redirection magic. 

[snip]

Sorry for the late reply to everyone, I was having a good long hard think 
about this.

A full-blown tunnel is attractive, except for this thing at work called The 
Security Forum and it has powers that the TSA in the States have wet dreams 
over. If I was caught running an un-sanctioned into the corporate network, 
there would be carnage.

Seeing as I am a founding member of said Forum, and its most vocal member, 
and the person who brings 3 out of 4 cases before it so that users can 
understand how we do stuff, I *really* don't want to invoke the ire of my 
peers :-)

So I've gone with plan B: use the official VPN, even though it sucks. Lucky 
I'm on Linux so "route del" undoes most of its silliness.

Thanks anyway for all the responses.

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Accessing CVS on non-standard port

2010-11-25 Thread Michael Orlitzky
On 11/24/2010 04:35 PM, Alan McKinnon wrote:
> I need to get to the work CVS server from home. It's not exposed to the 
> internet but never fear! we have ssh -L and a convenient sshd host that is on 
> the internets. So, locally
> 
> ssh -Llocalhost::cvs.example.com:22 a...@gateway.example.com
> 
> and tell cvs that the server is localhost:
> 
> I do this all the time for lots of other stuff. Doesn't work for CVS because 
> there's no way to tell cvs to tell ssh what port to use. 
> 
> Google gives lots of hits about using the host-specific Host directive in 
> ~/.ssh/config but that won't work for me - it assumes I can see the CVS server 
> directly and doesn't take into account that I have port forwarding in the way.
> 
> Anyone know a way to get cvs to use any port other than 22? I'm receptive to 
> alternate cvs clients with this support, just not ones that tweak ssh to do 
> it.
> 
> 

Use a full-blown tunnel instead of redirection magic. At home:


#!/bin/bash

modprobe tun

ssh -w 0:0 -C -f \
r...@work.example.com \
/root/ssh_tunnel

ifconfig tun0 10.0.2.2 netmask 255.255.255.252

# Replace 10.1.1.0/24 with your work subnet.
ip route add 10.1.1.0/24 via 10.0.2.1 dev tun0


And on the workstation at work:

#!/bin/bash
#
# /root/ssh_tunnel
#

# The internal IP of your workstation, on the work network.
INTERNAL_IP="10.1.1.x"

modprobe tun
ifconfig tun0 10.0.2.1 netmask 255.255.255.252
echo 1 > /proc/sys/net/ipv4/ip_forward

# You will probably not want to trash all of your iptables rules.
# Adjust as necessary.
iptables -F
iptables -F -t nat
iptables -P FORWARD DROP
iptables -A FORWARD -d 10.0.2.0/29 -j ACCEPT
iptables -A FORWARD -s 10.0.2.0/29 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.2.2 -j SNAT \
  --to-source $INTERNAL_IP


This worked fine for me for about a year. Eventually, I gave in and set
up a real-ass VPN with OpenVPN. If you need to access services remotely
often, I would suggest skipping the intermediate step and going straight
to OpenVPN.



Re: [gentoo-user] Accessing CVS on non-standard port

2010-11-24 Thread Alex Schuster
Adam Carter writes:

> Hmm, I don't get it. Why would this .ssh/config not work?
> 
> Host gateway
>     Hostname gateway.example.com
>     User alan
>     LocalForward  cvs.example.com:22
> 
> Host cvs
>     Hostname localhost
>     Port 
>     User alan
> 
> You log in at gateway first, and during that session you can access the
> CVS server with 'ssh cvs', or use CVS via CVSROOT=:ext:cvs:/var/cvs.
> Can't you?
> 
> 
> You missed Alan's point - the ssh forwarding works, but cvs doesn't
> appear to support using a non-standard destination port.

Right, cvs doesn't support a port setting, as it just uses ssh. And
ssh respects the .config, so it will use port  when connecting to
host 'cvs', whether this is being done directly with the ssh command, or
by using CVS. My SSH server also runs on a non-standard port, but CVS
works fine for me. Although I can reach the server directly, without the
need to create a tunnel first.

Wonko
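
The setup described in this reply, written out as an added example that is not part of the original posts. The local port 2222 is a placeholder (the archive dropped the real number), and ExitOnForwardFailure and HostKeyAlias are additions the thread does not mention.

```sshconfig
# ~/.ssh/config (added example; 2222 is a placeholder local port)

# Gateway reachable from the internet; its session holds the forward open.
Host gateway
    HostName gateway.example.com
    User alan
    # localhost:2222 on this machine -> cvs.example.com:22 as seen from the gateway
    LocalForward 2222 cvs.example.com:22
    # Abort if the local port cannot be bound, rather than logging in
    # without the forward and failing later inside cvs.
    ExitOnForwardFailure yes

# Alias that cvs hands to ssh. ssh, not cvs, resolves it to localhost:2222.
Host cvs
    HostName localhost
    Port 2222
    User alan
    # Store and check the CVS server's host key under its real name instead of
    # "localhost", so it does not collide with other forwards in known_hosts.
    HostKeyAlias cvs.example.com

# Usage, in a shell:
#   ssh -f -N gateway                           # bring up the forward in the background
#   ssh -G cvs | grep -E '^(hostname|port) '    # confirm what ssh will connect to
#   CVS_RSH=ssh cvs -d :ext:cvs:/var/cvs checkout <module>
```

The `ssh -G` check prints the hostname and port ssh resolves for the alias, which is the same lookup that happens when cvs runs ssh for an :ext: CVSROOT.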



Re: [gentoo-user] Accessing CVS on non-standard port

2010-11-24 Thread Adam Carter
> Hmm, I don't get it. Why would this .ssh/config not work?
>
> Host gateway
>     Hostname gateway.example.com
>     User alan
>     LocalForward  cvs.example.com:22
>
> Host cvs
>     Hostname localhost
>     Port 
>     User alan
>
> You log in at gateway first, and during that session you can access the
> CVS server with 'ssh cvs', or use CVS via CVSROOT=:ext:cvs:/var/cvs.
> Can't you?
>

You missed Alan's point - the ssh forwarding works, but cvs doesn't appear to
support using a non-standard destination port.

So if cvs is that lame, perhaps an ugly iptables prerouting hack is the only
option?


Re: [gentoo-user] Accessing CVS on non-standard port

2010-11-24 Thread Alex Schuster
Alan McKinnon writes:

> I need to get to the work CVS server from home. It's not exposed to the 
> internet but never fear! we have ssh -L and a convenient sshd host that is on 
> the internets. So, locally
> 
> ssh -Llocalhost::cvs.example.com:22 a...@gateway.example.com
> 
> and tell cvs that the server is localhost:
> 
> I do this all the time for lots of other stuff. Doesn't work for CVS because 
> there's no way to tell cvs to tell ssh what port to use. 
> 
> Google gives lots of hits about using the host-specific Host directive in 
> ~/.ssh/config but that won't work for me - it assumes I can see the CVS server 
> directly and doesn't take into account that I have port forwarding in the way.
> 
> Anyone know a way to get cvs to use any port other than 22? I'm receptive to 
> alternate cvs clients with this support, just not ones that tweak ssh to do 
> it.

Hmm, I don't get it. Why would this .ssh/config not work?

Host gateway
    Hostname gateway.example.com
    User alan
    LocalForward  cvs.example.com:22

Host cvs
    Hostname localhost
    Port 
    User alan

You log in at gateway first, and during that session you can access the
CVS server with 'ssh cvs', or use CVS via CVSROOT=:ext:cvs:/var/cvs.
Can't you?

Wonko



[gentoo-user] Accessing CVS on non-standard port

2010-11-24 Thread Alan McKinnon
I need to get to the work CVS server from home. It's not exposed to the 
internet but never fear! we have ssh -L and a convenient sshd host that is on 
the internets. So, locally

ssh -Llocalhost::cvs.example.com:22 a...@gateway.example.com

and tell cvs that the server is localhost:

I do this all the time for lots of other stuff. Doesn't work for CVS because 
there's no way to tell cvs to tell ssh what port to use. 

Google gives lots of hits about using the host-specific Host directive in 
~/.ssh/config but that won't work for me - it assumes I can see the CVS server 
directly and doesn't take into account that I have port forwarding in the way.

Anyone know a way to get cvs to use any port other than 22? I'm receptive to 
alternate cvs clients with this support, just not ones that tweak ssh to do 
it.


-- 
alan dot mckinnon at gmail dot com