Fixing connect (git via proxy) and debugging it

I tried connecting to github again via our strict firewall and http_proxy, which only allows 443 and 80.
corkscrew and simpler proxy tools do not work, and my machine which has a 443 redirector had a hard disk crash, so I fixed connect by Shun-ichi Goto
at http://www.taiyo.co.jp/~gotoh/ssh/connect.c
See http://www.taiyo.co.jp/~gotoh/ssh/connect.html

Our squid balances between several session servers so I needed to add realm support.
That was easy. See http://gist.github.com/360940

.ssh/config:
=================

ProxyCommand connect -d -d -H proxy:8080 %h %p

Host github.com
    User rurban
    Port 22
    Hostname github.com
    IdentityFile ~/.ssh/proxy
    TCPKeepAlive yes
    IdentitiesOnly yes

Host ssh.github.com
    User rurban
    Port 443
    Hostname ssh.github.com
    IdentityFile ~/.ssh/proxy1
    TCPKeepAlive yes
    IdentitiesOnly yes

=================

Reading from a http: url works now over the proxy.
.git/config:

[remote "origin"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    url = http://github.com/mirrors/perl.git

But still no luck for writing via port 22
i.e.

[remote "github"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    #read+write
    url = rurban@ssh.github.com:rurban/perl.git
    #read-only
    url = http://github.com/rurban/perl.git

I used -d -d twice to print a hex encoded stream for both directions.


$ git push github

DEBUG: Reading parameter file(/home/urbanr/.connectrc)
DEBUG: Parameter `HTTP_PROXY_USER' is set to `rurban'
DEBUG: Parameter `HTTP_PROXY_PASSWORD' is set to `xxx'
DEBUG: No direct address are specified.
DEBUG: relay_method = HTTP (3)
DEBUG: relay_host=proxy
DEBUG: relay_port=8080
DEBUG: relay_user=rurban
DEBUG: local_type=stdio
DEBUG: dest_host=ssh.github.com
DEBUG: dest_port=443
DEBUG: Program is $Revision: 100 $
DEBUG: checking ssh.github.com is for direct?
DEBUG: ssh.github.com is for not direct.
DEBUG: resolving host by name: proxy
DEBUG: resolved: proxy (157.247.253.232)
DEBUG: connecting to 157.247.253.232:8080
DEBUG: begin_http_relay()
DEBUG: >>> "CONNECT ssh.github.com:443 HTTP/1.0\r\n"
DEBUG: >>> "\r\n"
DEBUG: <<< "HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.  )\r\n"
DEBUG: <<< "Via: 1.1 ATGRZAS048\r\n"
DEBUG: <<< "Proxy-Authenticate: Negotiate\r\n"
DEBUG: Unsupported authentication type: negotiate
DEBUG: <<< "Proxy-Authenticate: Kerberos\r\n"
DEBUG: Unsupported authentication type: kerberos
DEBUG: <<< "Proxy-Authenticate: NTLM\r\n"
DEBUG: Unsupported authentication type: ntlm
DEBUG: <<< "Proxy-Authenticate: Basic realm="atgrzas048"\r\n"
DEBUG: realm: realm="atgrzas048"
DEBUG: <<< "Connection: close\r\n"
DEBUG: <<< "Proxy-Connection: close\r\n"
DEBUG: <<< "Pragma: no-cache\r\n"
DEBUG: <<< "Cache-Control: no-cache\r\n"
DEBUG: <<< "Content-Type: text/html\r\n"
DEBUG: <<< "Content-Length: 731   \r\n"
DEBUG: <<< "\r\n"
DEBUG: START_RETRY with proxy_auth_type=1
DEBUG: checking ssh.github.com is for direct?
DEBUG: ssh.github.com is for not direct.
DEBUG: resolving host by name: proxy
DEBUG: resolved: proxy (157.247.253.232)
DEBUG: connecting to 157.247.253.232:8080
DEBUG: begin_http_relay()
DEBUG: >>> "CONNECT ssh.github.com:443 HTTP/1.0\r\n"
DEBUG: >>> "Proxy-Authorization: Basic xxxxx realm="xxxxx"\r\n"
DEBUG: >>> "\r\n"
DEBUG: <<< "HTTP/1.1 200 Connection established\r\n"
DEBUG: connected, start user session.
DEBUG: <<< "Via: 1.1 PRIVATE\r\n"
DEBUG: <<< "Connection: Keep-Alive\r\n"
DEBUG: <<< "Proxy-Connection: Keep-Alive\r\n"
DEBUG: <<< "\r\n"
DEBUG: connected
DEBUG: start relaying.
DEBUG: recv 58 bytes
DEBUG: <<< 53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 31 70 31 20 44 65 62 69 61 6e 2d 35 67 69 74 68 75 62 32 0d 0a 50 72 6f 74 6f 63 6f 6c 20 6d 69 73 6d 61 74 63 68 2e 0a
DEBUG: >>> 53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 34 0d 0a 00 00 03 4c 06 14 e4 54 01 f2 7d 1a 72 0f 30 d8 17 00 39 cd ac 31 00 00 00 7e 64 69 66 66 69 65 2d 68 65 6c 6c 6d 61 6e 2d 67 Bad packet length 1349676916.
72Disconnecting: Packet corrupt
 6f 75 70 2d 65 78 63 68 61 6efatal:  The remote end hung up unexpectedly
...

Bad packet length 1349676916 sounds suspicious.
So we fire up our favorite tool, perl.

We decode the binary hex via

perl -e'local $/;$_=<>;print chr(hex($_)) for split / /,$_'

received:
53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 31 70 31 20 44 65 62 69 61 6e 2d 35 67 69 74 68 75 62 32 0d 0a 50 72 6f 74 6f 63 6f 6c 20 6d 69 73 6d 61 74 63 68 2e 0a
=>
"SSH-2.0-OpenSSH_5.1p1 Debian-5github2
Protocol mismatch."

sent:
53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 34 0d 0a 00 00 03 4c 06 14 e4 54 01 f2 7d 1a 72 0f 30 d8 17 00 39 cd ac 31 00 00 00 7e 64 69 66 66 69 65 2d 68 65 6c 6c 6d 61 6e 2d 67 ...
=> "SSH-2.0-OpenSSH_5.4
L▒T▒}r0▒9ͬ1~diffie-hellman-gup-exchane-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1Issh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss▒aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se▒as128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.seihmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96ihmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96none,zlib@openssh.com,zlibnone,zlib@openssh.com,zlib"

Hmm, there seem to be just some left-over bytes in the proxy communication. Need to investigate further.
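
Where the number in "Bad packet length 1349676916" comes from, as an added example (not part of the original post or of connect.c): it splits the two hex dumps from the trace the way an SSH peer does, into the identification line and the binary packet header that follows. The function name `parse_stream` and the `MAX_PACKET` bound are assumptions of this example.

```python
import struct

# Hex dumps copied from the "connect -d -d" trace above ("<<<" = received, ">>>" = sent).
# The sent dump stops where ssh's error output interrupts the trace.
RECEIVED = ("53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 31 70 31 20 "
            "44 65 62 69 61 6e 2d 35 67 69 74 68 75 62 32 0d 0a 50 72 6f 74 6f "
            "63 6f 6c 20 6d 69 73 6d 61 74 63 68 2e 0a")
SENT = ("53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 34 0d 0a 00 00 "
        "03 4c 06 14 e4 54 01 f2 7d 1a 72 0f 30 d8 17 00 39 cd ac 31 00 00 00 "
        "7e 64 69 66 66 69 65 2d 68 65 6c 6c 6d 61 6e 2d 67")
MAX_PACKET = 256 * 1024   # sanity bound assumed for this example
SSH_MSG_KEXINIT = 20      # message number from RFC 4253

def parse_stream(hex_dump):
    """Split an SSH byte stream into identification line and first packet header."""
    data = bytes.fromhex(hex_dump)
    # RFC 4253 section 4.2: the identification string ends at CR LF.
    end = data.index(b"\n") + 1
    ident = data[:end].rstrip(b"\r\n").decode("ascii")
    rest = data[end:]
    result = {"ident": ident, "trailing": rest}
    if len(rest) < 6:
        return result
    # RFC 4253 section 6: uint32 packet_length, byte padding_length, then payload.
    length, padding, msg_type = struct.unpack(">IBB", rest[:6])
    result.update(packet_length=length, padding_length=padding, msg_type=msg_type,
                  plausible=5 <= length <= MAX_PACKET)
    if result["plausible"] and msg_type == SSH_MSG_KEXINIT and len(rest) >= 26:
        result["cookie"] = rest[6:22].hex()          # 16 random bytes
        (result["kex_list_len"],) = struct.unpack(">I", rest[22:26])
        result["kex_list_start"] = rest[26:].decode("ascii", "replace")
    return result

if __name__ == "__main__":
    for label, dump in (("received", RECEIVED), ("sent", SENT)):
        r = parse_stream(dump)
        print(label, repr(r["ident"]))
        print("  bytes after ident line:", r["trailing"][:4], "...")
        print("  packet_length =", r.get("packet_length"), "plausible:", r.get("plausible"))
```

The four bytes after the server's identification line are the ASCII text `Prot` from "Protocol mismatch.", which read as a big-endian uint32 give 1349676916; the sent stream parses as an ordinary KEXINIT packet of length 844.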

1 Comment

There is a new http-backend which allows you to connect to git without ssh. This is much more firewall friendly. We use it with https and it clones, pulls and pushes with ease.

It is relatively new, you'll need git 1.7 or higher. Check it out here: http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html

About Reini Urban

Working at cPanel on cperl, B::C (the perl-compiler), parrot, B::Generate, cygwin perl and more guts, keeping the system alive.