Ticket #26530 (new enhancement)
Tunneling rsync through SSH to permit selfupdate from behind a firewall
Reported by: jemandel@… | Owned by: cal@…
I work in a large academic medical center whose IT has been outsourced to the lowest bidder. All ports except SSH, HTTP, and HTTPS are closed. This makes life inconvenient, but not impossible. This is my workaround for getting MacPorts to selfupdate.
First, you must have a host outside the firewall to which you have access:
It must be able to reach rsync.macports.org (or a mirror) on port 873, and have netcat. Confirm this with:
$ ssh myhost.example.net "nc rsync.macports.org 873"
@RSYNCD: 30.0
Having established this works, we will create a keypair to secure and simplify the process:
$ ssh-keygen -f myrsynckey
(add any options you'd like)
Now prepend the forced command and the connection restrictions to the public key:
$ echo -n 'command="nc rsync.macports.org 873",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ' | cat - myrsynckey.pub > /tmp/out && mv /tmp/out myrsynckey.pub
(Note that this is a single line)
Transfer the file myrsynckey.pub to myhost.example.net and append it to authorized_keys2 there.
Confirm that this works (the forced command means the key can do nothing but relay to the rsync daemon):
$ ssh -i ~/.ssh/myrsynckey myhost.example.net
@RSYNCD: 30.0
Having gotten this working, we now need to modify macports.conf to use the tunnel. Append the following to the rsync_options line, so that rsync reaches the daemon through the ssh relay instead of a direct connection to port 873:
-e "ssh myhost.example.net -i FullPathToMyHomeDirectory/.ssh/myrsynckey -l myUserName"
Note that selfupdate is run with sudo, and thus you must specify the username and path to the user directory (which otherwise would be root). It would be more secure to use an account on myhost.example.net that has --disabled-password.
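The two pieces of configuration the steps above produce, as an added shell example that is not part of the ticket: one function builds the restricted authorized_keys entry from a public-key line and another checks that a line really carries the forced command and all three no-*-forwarding options before it is installed; a third rewrites the rsync_options line of a macports.conf copy to add the -e ssh tunnel. The host name myhost.example.net, the user myUserName, the key path /Users/me/.ssh/myrsynckey, the public key and the macports.conf fragment are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the ticket. Host, user, key path, the sample
# public key and the macports.conf fragment below are constructed placeholders.

# Print the authorized_keys entry for one public-key line ($1): the key is
# forced to run only "nc rsync.macports.org 873" and cannot forward anything.
restricted_authorized_keys_line() {
    printf 'command="nc rsync.macports.org 873",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1"
}

# Return 0 if an authorized_keys line ($1) starts with the forced command and
# carries all three restrictions, 1 otherwise. Run this before appending the
# line to authorized_keys on the relay host.
check_restricted_line() {
    line=$1
    case $line in
        'command="nc rsync.macports.org 873"'*) ;;
        *) return 1 ;;
    esac
    for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding; do
        case $line in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the remote-shell command for rsync's -e option. Because selfupdate
# runs under sudo, the relay user ($2) and the absolute private-key path ($3)
# must be spelled out; otherwise ssh would look them up for root.
tunnel_rsh() {
    printf 'ssh %s -i %s -l %s' "$1" "$3" "$2"
}

# Rewrite the rsync_options line of macports.conf ($1) so rsync goes through
# the tunnel to relay host $2 as user $3 with private key $4. Other lines are
# copied unchanged.
add_tunnel_to_conf() {
    conf=$1
    rsh=$(tunnel_rsh "$2" "$3" "$4")
    tmp="$conf.tmp"
    awk -v rsh="$rsh" '
        /^[ \t]*rsync_options[ \t]/ { print $0 " -e \"" rsh "\""; next }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the current rsync_options value of macports.conf ($1), for checking.
rsync_options_of() {
    awk '/^[ \t]*rsync_options[ \t]/ { sub(/^[ \t]*rsync_options[ \t]+/, ""); print; exit }' "$1"
}

# --- demonstration on constructed input ---
demo_conf=$(mktemp)
# Constructed macports.conf fragment with a stock-looking rsync_options line.
cat > "$demo_conf" <<'EOF'
# Rsync options
rsync_options       -rtzv --delete-after
rsync_dir           release/tarballs/ports.tar
EOF
add_tunnel_to_conf "$demo_conf" myhost.example.net myUserName /Users/me/.ssh/myrsynckey
echo "rsync_options now: $(rsync_options_of "$demo_conf")"
rm -f "$demo_conf"

# Constructed public key line standing in for myrsynckey.pub.
entry=$(restricted_authorized_keys_line "ssh-rsa AAAAB3NzaC1yc2EconstructedKey me@laptop")
check_restricted_line "$entry" && echo "authorized_keys entry: $entry"
```

The forced command is what keeps the key from being a general login: even if the private key leaks, the only thing it can do on the relay host is open a pipe to rsync.macports.org:873, and the three no-*-forwarding options close the port-forwarding and agent paths that would otherwise turn the relay into a SOCKS hop.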