[MacPorts] #26530: Tunneling rsync through SSH to permit selfupdate from behind a firewall
MacPorts
noreply at macports.org
Sat Sep 18 18:01:34 PDT 2010
#26530: Tunneling rsync through SSH to permit selfupdate from behind a firewall
----------------------------------+-----------------------------------------
Reporter: jemandel@… | Owner: wsiegrist@…
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: server/hosting | Version: 1.9.1
Keywords: | Port:
----------------------------------+-----------------------------------------
I work in a large academic medical center whose IT has been outsourced to
the lowest bidder. All ports except SSH, HTTP, and HTTPS are closed. This
makes life inconvenient, but not impossible. This is my workaround for
getting MacPorts to selfupdate.

First, you must have a host outside the firewall to which you have access:
{{{
$ ssh myhost.example.net
}}}
It must be able to reach rsync.macports.org (or a mirror), and have
netcat. Confirm this with:
{{{
$ ssh myhost.example.net "nc rsync.macports.org 873"
@RSYNCD: 30.0
}}}
Having established this works, we will create a keypair to secure and
simplify the process:
{{{
$ ssh-keygen -f myrsynckey   # add any options you'd like
}}}
Now prepend the connection command to the public key:
{{{
$ echo -n 'command="nc rsync.macports.org 873",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ' | cat - myrsynckey.pub > /tmp/out && mv /tmp/out myrsynckey.pub
}}}
(Note that this is a single line)
Transfer the file myrsynckey.pub to myhost.example.net and append it to
authorized_keys2.
Confirm that this works with:
{{{
$ ssh -i ~/.ssh/myrsynckey myhost.example.net
@RSYNCD: 30.0
}}}
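The key-setup steps above build the restricted authorized_keys entry by hand and verify it interactively. As an added example, not part of this ticket, the script below wraps the same construction in one function and adds an audit that flags any entry forcing the nc command without all three no-* restrictions, so a misconfigured key cannot silently become a general-purpose shell login. The function names, the temporary files and the dummy key material are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the MacPorts ticket: build the forced-command
# authorized_keys entry from the ticket and audit an authorized_keys file
# for entries that force "nc rsync.macports.org 873" without every
# restriction. Function names and sample key material are assumptions.

RSYNC_HOST="rsync.macports.org"
RSYNC_PORT=873
RESTRICTIONS="no-port-forwarding,no-X11-forwarding,no-agent-forwarding"

# Print the authorized_keys line for one public key file, prefixed with the
# forced nc command and the restriction list used in the ticket.
build_restricted_entry() {
    pubfile="$1"
    printf 'command="nc %s %s",%s ' "$RSYNC_HOST" "$RSYNC_PORT" "$RESTRICTIONS"
    cat "$pubfile"
}

# Report every line that forces the nc relay command but lacks one of the
# restrictions. Returns 1 if at least one such line was found, else 0.
audit_authorized_keys() {
    keyfile="$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"command=\"nc $RSYNC_HOST $RSYNC_PORT\""*) ;;
            *) continue ;;   # not a relay key; out of scope for this audit
        esac
        for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding; do
            case "$line" in
                *"$opt"*) ;;
                *) echo "missing $opt on key: ${line##* }"; bad=1 ;;
            esac
        done
    done < "$keyfile"
    return $bad
}

# Demonstration on constructed data (dummy key strings, not real keys).
WORK=$(mktemp -d)
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDdummykeymaterial user@inside" \
    > "$WORK/myrsynckey.pub"
build_restricted_entry "$WORK/myrsynckey.pub" > "$WORK/authorized_keys2"
# A second, mis-configured entry: forced command but no restrictions.
echo "command=\"nc rsync.macports.org 873\" ssh-rsa AAAAB3dummy2 other@inside" \
    >> "$WORK/authorized_keys2"
audit_authorized_keys "$WORK/authorized_keys2" \
    || echo "audit found unrestricted relay entries in $WORK/authorized_keys2"
rm -rf "$WORK"
```

Run it on the real file with `audit_authorized_keys ~/.ssh/authorized_keys2` on the relay host. On OpenSSH 7.2 or later the single `restrict` option enables these restrictions (and `no-pty`) together, which is simpler to audit than a comma-separated list.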
Having gotten this working, we now need to modify macports.conf to use the
tunnel. Append the following to the rsync_options:
{{{
-e "ssh myhost.example.net -i FullPathToMyHomeDirectory/.ssh/myrsynckey -l myUserName"
}}}
Note that selfupdate is run with sudo, and thus you must specify the
username and path to the user directory (which otherwise would be root).
It would be more secure to use an account on myhost.example.net that has
--disabled-password.
--
Ticket URL: <https://trac.macports.org/ticket/26530>
MacPorts <http://www.macports.org/>
Ports system for Mac OS