[MacPorts] #26530: Tunneling rsync through SSH to permit selfupdate from behind a firewall

MacPorts noreply at macports.org
Sat Sep 18 18:01:34 PDT 2010


#26530: Tunneling rsync through SSH to permit selfupdate from behind a firewall
----------------------------------+-----------------------------------------
 Reporter:  jemandel@…            |       Owner:  wsiegrist@…        
     Type:  enhancement           |      Status:  new                
 Priority:  Normal                |   Milestone:                     
Component:  server/hosting        |     Version:  1.9.1              
 Keywords:                        |        Port:                     
----------------------------------+-----------------------------------------
 I work in a large academic medical center whose IT has been outsourced to
 the lowest bidder. All ports except SSH, HTTP, and HTTPS are closed. This
 makes life inconvenient, but not impossible. This is my workaround for
 getting MacPorts to selfupdate.[[BR]]


 First, you must have a host outside the firewall to which you have access:


 {{{
 $ ssh myhost.example.net
 }}}

 It must be able to reach rsync.macports.org (or a mirror) on the rsync
 port, 873, and have netcat. Confirm this with (the daemon greeting shown
 below means the connection works; press Ctrl-C to disconnect, since nc
 keeps the connection open):


 {{{
 $ ssh myhost.example.net "nc rsync.macports.org 873"
 @RSYNCD: 30.0
 }}}

 Having established this works, we will create a keypair to secure and
 simplify the process. The tunnel will later be opened by root,
 non-interactively, so the key is normally created without a passphrase;
 the forced command added in the next step is what makes that acceptable:


 {{{
 $ ssh-keygen -f myrsynckey     (add any options you'd like)
 }}}

 Now prepend the connection command and the usual restrictions to the
 public key, so that this key can do nothing on myhost.example.net except
 open the relay:


 {{{
 $ echo -n 'command="nc rsync.macports.org 873",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ' | cat - myrsynckey.pub > /tmp/out && mv /tmp/out myrsynckey.pub
 }}}

 (Note that this is a single line)

 Transfer the file myrsynckey.pub to myhost.example.net and append it to
 ~/.ssh/authorized_keys2 there (sshd reads both authorized_keys and
 authorized_keys2 by default).

 Move the private key into ~/.ssh on the local machine and confirm that the
 forced command works. Note that -i takes the private key, myrsynckey, not
 the .pub file; add -l myUserName if your username on myhost.example.net
 differs from your local one:


 {{{
 $ ssh -i ~/.ssh/myrsynckey myhost.example.net
 @RSYNCD: 30.0
 }}}

 Having gotten this working, we now need to modify macports.conf to use the
 tunnel. rsync only runs a command in place of opening its own TCP
 connection when that command is given as its remote-shell option, so
 append the following to rsync_options; the --rsh= prefix is required, a
 bare "ssh ..." string would be taken for a source path:


 {{{
 --rsh="ssh -i FullPathToMyHomeDirectory/.ssh/myrsynckey -l myUserName myhost.example.net"
 }}}

 (Again a single line.) rsync appends the target host name and its own
 server command after this string; the forced command on
 myhost.example.net ignores whatever follows and simply relays to port 873.

 Note that selfupdate is run with sudo, so ssh runs as root: the path to
 the key must be spelled out in full (~ would expand to root's home
 directory) and the remote username must be given with -l (it would
 otherwise default to root). It would be more secure to use a dedicated
 account on myhost.example.net that has no password at all (created with
 --disabled-password on Debian-style adduser) and whose only authorized key
 is this restricted one, so that the account can do nothing but relay to
 rsync.macports.org.
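 The steps above, as an added shell example that is not part of the ticket
 or of MacPorts itself: one function builds the restricted authorized_keys
 entry from a .pub file and refuses anything that is not a single public
 key, one produces the complete rsync_options value (assuming the stock
 default of -rtzv --delete-after, with the relay host placed last so the
 options are parsed before it), and one checks that a connection through
 the relay really produced the rsync daemon greeting. The no-pty
 restriction is an addition of this example; the host, user and key names
 are the ticket's placeholders, and the public key used in the demonstration
 is constructed and not a real key.

```shell
#!/bin/sh
# Added example (not from the ticket): helpers for the SSH-to-netcat relay
# described above. Assumptions: rsync_options starts from the stock
# "-rtzv --delete-after"; no-pty is an extra restriction this example adds.

# Emit the authorized_keys line: forced command plus restrictions, then the
# unmodified public key. $1 = .pub file, $2 = rsync host, $3 = rsync port.
restrict_pubkey() {
    pub=$1; host=${2:-rsync.macports.org}; port=${3:-873}
    # Refuse anything that is not a single OpenSSH public-key line, so a
    # private key or a multi-key file is never turned into a forced-command entry.
    [ "$(wc -l < "$pub" | tr -d ' ')" -le 1 ] || { echo "$pub: expected one key line" >&2; return 1; }
    case "$(cut -d' ' -f1 "$pub")" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "$pub: not an OpenSSH public key" >&2; return 1 ;;
    esac
    printf 'command="nc %s %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ' "$host" "$port"
    cat "$pub"
}

# The complete rsync_options value for macports.conf. selfupdate runs under
# sudo, so the key path must be absolute (~ would be root's) and the remote
# user explicit. rsync appends the target host and its own server command to
# the --rsh string; the forced command on the relay ignores them.
macports_rsync_options() {
    relay=$1; user=$2; key=$3
    case "$key" in
        /*) ;;
        *) echo "key path must be absolute, got: $key" >&2; return 1 ;;
    esac
    printf '%s --rsh="ssh -i %s -l %s %s"\n' '-rtzv --delete-after' "$key" "$user" "$relay"
}

# Check the first line a relay connection produced: success means the forced
# command reached the rsync daemon. Usage (Ctrl-C afterwards, nc keeps the
# connection open):
#   ssh -i ~/.ssh/myrsynckey -l myUserName myhost.example.net </dev/null | expect_rsyncd_banner
expect_rsyncd_banner() {
    IFS= read -r line
    case "$line" in
        "@RSYNCD: "[0-9]*) return 0 ;;
        *) echo "no rsync daemon greeting, got: $line" >&2; return 1 ;;
    esac
}

# Offline demonstration with a constructed (not real) public key.
demo_pub=$(mktemp)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyNotRealDemoKeyNotRealDemoKeyNotRea me@laptop\n' > "$demo_pub"
restrict_pubkey "$demo_pub"
macports_rsync_options myhost.example.net myUserName /Users/me/.ssh/myrsynckey
rm -f "$demo_pub"
```

 The first printed line is what goes into ~/.ssh/authorized_keys2 on the
 relay, the second is the whole rsync_options line for macports.conf.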

-- 
Ticket URL: <https://trac.macports.org/ticket/26530>
MacPorts <http://www.macports.org/>
Ports system for Mac OS

