Opened 14 years ago

Closed 11 years ago

Last modified 11 years ago

#26530 closed enhancement (wontfix)

Tunneling rsync through SSH to permit selfupdate from behind a firewall

Reported by: jemandel@… Owned by: neverpanic (Clemens Lang)
Priority: Normal Milestone:
Component: base Version: 1.9.1
Keywords: Cc: cooljeanius (Eric Gallager)
Port:

Description

I work in a large academic medical center whose IT has been outsourced to the lowest bidder. All ports except SSH, HTTP, and HTTPS are closed. This makes life inconvenient, but not impossible. This is my workaround for getting MacPorts to selfupdate.

First, you must have a host outside the firewall to which you have access:

$ ssh myhost.example.net

It must be able to reach rsync.macports.org (or a mirror), and have netcat. Confirm this with:

$ ssh myhost.example.net "nc rsync.macports.org 873"
@RSYNCD: 30.0

Having established this works, we will create a keypair to secure and simplify the process:

$ ssh-keygen -f myrsynckey     (add any options you'd like)

Now prepend the connection command to the public key:

$ echo -n 'command="nc rsync.macports.org 873",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ' | cat - myrsynckey.pub > /tmp/out && mv /tmp/out myrsynckey.pub

(Note that this is a single line)

Transfer the file myrsynckey.pub to myhost.example.net and append it to authorized_keys2.

Confirm that this works with:

$ ssh -i ~/.ssh/myrsynckey myhost.example.net
@RSYNCD: 30.0

Having gotten this working, we now need to modify macports.conf to use the tunnel. Append the following to the rsync_options:

"ssh myhost.example.net -i FullPathToMyHomeDirectory/.ssh/myrsynckey -l myUserName"

Note that selfupdate is run with sudo, and thus you must specify the username and path to the user directory (which otherwise would be root). It would be more secure to use an account on myhost.example.net that has --disabled-password.
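As an added example (not part of the ticket), here is a POSIX shell helper that builds the forced-command authorized_keys entry described above and audits a bounce host's authorized_keys for keys that lack those restrictions; the key material and comments in the sample file are constructed placeholders, and the host/port arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket. The restrictions are the ones the
# description uses: forced command plus no port/X11/agent forwarding.
RSYNC_TUNNEL_OPTS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding'

# restricted_key_line HOST PORT PUBKEY_LINE
# Print the authorized_keys line that only lets the key open "nc HOST PORT".
restricted_key_line() {
    host=$1; port=$2; pubkey=$3
    printf 'command="nc %s %s",%s %s\n' "$host" "$port" "$RSYNC_TUNNEL_OPTS" "$pubkey"
}

# key_is_restricted LINE
# Return 0 when LINE carries a forced command and all three no-* options,
# 1 otherwise. This is the check an admin of the bounce host wants.
key_is_restricted() {
    line=$1
    case $line in
        *'command="'*) ;;
        *) return 1 ;;
    esac
    for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding; do
        case ",$line" in
            *",$opt,"*|*",$opt "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# unrestricted_keys FILE
# Print the comment field of every key in FILE that fails key_is_restricted,
# skipping blank and comment lines.
unrestricted_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if ! key_is_restricted "$line"; then
            printf '%s\n' "${line##* }"
        fi
    done < "$1"
}

# Constructed sample authorized_keys (placeholder keys, not real material).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# bounce host authorized_keys (constructed sample)
command="nc rsync.macports.org 873",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne rsync-tunnel
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo general-login
EOF
unrestricted_keys "$SAMPLE"   # prints: general-login
rm -f "$SAMPLE"
```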

Change History (7)

comment:1 Changed 14 years ago by jmroot (Joshua Root)

Are you requesting that we make some change to our servers or the MP code, or would it make more sense for you to add this info as a HOWTO entry on the wiki alongside howto/PortTreeTarball and howto/SyncingWithSVN?

comment:2 in reply to: description Changed 11 years ago by macports@…

Wow, this is a very elaborate way to connect to the server. Here is another way:

  • edit the /opt/local/etc/macports/macports.conf file by setting: rsync_server localhost:12345
  • build a ssh tunnel to the macports rsync server via your outside machine: ssh -L 12345:rsync.macports.org:873 your-user@…
  • sudo port selfupdate (not accidentally on your outside machine ;-)

Kind Regards Nikolas Mayr

comment:3 Changed 11 years ago by jemandel@…

That will certainly work. My solution doesn't grant the user on machine 1 general access to machine 2. Thus, I can distribute a private key for machine 2 without having to worry about what the user on machine 1 might do with it. The other advantage is that I don't have to remember to bring up the proxy from the command line before doing selfupdate. I don't know that there are that many people in the same situation as I'm in (paranoid and incompetent IT blocking port 873 but not 22), but if so, you could implement this on rsync.macports.org and eliminate the need for a third machine in the transaction.

Thanks, Jeff E Mandel

comment:4 Changed 11 years ago by neverpanic (Clemens Lang)

Cc: cal@… added

Bill, what's your opinion on this?

If the rsync mirror supports it we could certainly build a fallback into the sync code to use that instead, if possible. Or, somebody else could be the bounce host, but I assume it would quickly hit the rate limiting on the rsync server.

comment:5 Changed 11 years ago by wsiegrist@…

Component: server/hosting → base
Owner: changed from wsiegrist@… to cal@…

In general, it does not matter to me how you connect to the rsync service, but we're not going to allow SSH access to rsync.macports.org.

comment:6 Changed 11 years ago by neverpanic (Clemens Lang)

Cc: cal@… removed
Resolution: wontfix
Status: new → closed

This is not going to happen. If anything, we're going to implement HTTP or Git syncing, but not SSH tunneling.

comment:7 Changed 11 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!
