Fixing connect (git via proxy) and debugging it
I tried connecting to github again via our strict firewall and http_proxy, which only allows 443 and 80.
corkscrew and simpler proxy tools do not work, and my machine which has a 443 redirector had a hard disk crash, so I fixed connect by Shun-ichi Goto
at http://www.taiyo.co.jp/~gotoh/ssh/connect.c
See http://www.taiyo.co.jp/~gotoh/ssh/connect.html
Our squid balances between several session servers so I needed to add realm support.
That was easy. See http://gist.github.com/360940
.ssh/config:
=================
ProxyCommand connect -d -d -H proxy:8080 %h %p

Host github.com
    User rurban
    Port 22
    Hostname github.com
    IdentityFile ~/.ssh/proxy
    TCPKeepAlive yes
    IdentitiesOnly yes

Host ssh.github.com
    User rurban
    Port 443
    Hostname ssh.github.com
    IdentityFile ~/.ssh/proxy1
    TCPKeepAlive yes
    IdentitiesOnly yes
=================
Reading from a http: url works now over the proxy.
.git/config:
[remote "origin"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    url = http://github.com/mirrors/perl.git
But still no luck for writing via port 22, i.e.
[remote "github"]
    fetch = +refs/heads/*:refs/remotes/origin/*
    #read+write
    url = rurban@ssh.github.com:rurban/perl.git
    #read-only
    url = http://github.com/rurban/perl.git
I used -d -d twice to print a hex encoded stream for both directions.
$ git push github
DEBUG: Reading parameter file(/home/urbanr/.connectrc)
DEBUG: Parameter `HTTP_PROXY_USER' is set to `rurban'
DEBUG: Parameter `HTTP_PROXY_PASSWORD' is set to `xxx'
DEBUG: No direct address are specified.
DEBUG: relay_method = HTTP (3)
DEBUG: relay_host=proxy
DEBUG: relay_port=8080
DEBUG: relay_user=rurban
DEBUG: local_type=stdio
DEBUG: dest_host=ssh.github.com
DEBUG: dest_port=443
DEBUG: Program is $Revision: 100 $
DEBUG: checking ssh.github.com is for direct?
DEBUG: ssh.github.com is for not direct.
DEBUG: resolving host by name: proxy
DEBUG: resolved: proxy (157.247.253.232)
DEBUG: connecting to 157.247.253.232:8080
DEBUG: begin_http_relay()
DEBUG: >>> "CONNECT ssh.github.com:443 HTTP/1.0\r\n"
DEBUG: >>> "\r\n"
DEBUG: <<< "HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )\r\n"
DEBUG: <<< "Via: 1.1 ATGRZAS048\r\n"
DEBUG: <<< "Proxy-Authenticate: Negotiate\r\n"
DEBUG: Unsupported authentication type: negotiate
DEBUG: <<< "Proxy-Authenticate: Kerberos\r\n"
DEBUG: Unsupported authentication type: kerberos
DEBUG: <<< "Proxy-Authenticate: NTLM\r\n"
DEBUG: Unsupported authentication type: ntlm
DEBUG: <<< "Proxy-Authenticate: Basic realm="atgrzas048"\r\n"
DEBUG: realm: realm="atgrzas048"
DEBUG: <<< "Connection: close\r\n"
DEBUG: <<< "Proxy-Connection: close\r\n"
DEBUG: <<< "Pragma: no-cache\r\n"
DEBUG: <<< "Cache-Control: no-cache\r\n"
DEBUG: <<< "Content-Type: text/html\r\n"
DEBUG: <<< "Content-Length: 731 \r\n"
DEBUG: <<< "\r\n"
DEBUG: START_RETRY with proxy_auth_type=1
DEBUG: checking ssh.github.com is for direct?
DEBUG: ssh.github.com is for not direct.
DEBUG: resolving host by name: proxy
DEBUG: resolved: proxy (157.247.253.232)
DEBUG: connecting to 157.247.253.232:8080
DEBUG: begin_http_relay()
DEBUG: >>> "CONNECT ssh.github.com:443 HTTP/1.0\r\n"
DEBUG: >>> "Proxy-Authorization: Basic xxxxx realm="xxxxx"\r\n"
DEBUG: >>> "\r\n"
DEBUG: <<< "HTTP/1.1 200 Connection established\r\n"
DEBUG: connected, start user session.
DEBUG: <<< "Via: 1.1 PRIVATE\r\n"
DEBUG: <<< "Connection: Keep-Alive\r\n"
DEBUG: <<< "Proxy-Connection: Keep-Alive\r\n"
DEBUG: <<< "\r\n"
DEBUG: connected
DEBUG: start relaying.
DEBUG: recv 58 bytes
DEBUG: <<< 53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 31 70 31 20 44 65 62 69 61 6e 2d 35 67 69 74 68 75 62 32 0d 0a 50 72 6f 74 6f 63 6f 6c 20 6d 69 73 6d 61 74 63 68 2e 0a
DEBUG: >>> 53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 34 0d 0a 00 00 03 4c 06 14 e4 54 01 f2 7d 1a 72 0f 30 d8 17 00 39 cd ac 31 00 00 00 7e 64 69 66 66 69 65 2d 68 65 6c 6c 6d 61 6e 2d 67 Bad packet length 1349676916. 72Disconnecting: Packet corrupt 6f 75 70 2d 65 78 63 68 61 6efatal: The remote end hung up unexpectedly ...
Bad packet length 1349676916 sounds suspicious.
Here we fire up our favorite tool, perl.
We decode the binary hex via
perl -e'local $/;$_=<>;print chr(hex($_)) for split / /,$_'
received:
53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 31 70 31 20 44 65 62 69 61 6e 2d 35 67 69 74 68 75 62 32 0d 0a 50 72 6f 74 6f 63 6f 6c 20 6d 69 73 6d 61 74 63 68 2e 0a
=>
"SSH-2.0-OpenSSH_5.1p1 Debian-5github2
Protocol mismatch."
sent:
53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 34 0d 0a 00 00 03 4c 06 14 e4 54 01 f2 7d 1a 72 0f 30 d8 17 00 39 cd ac 31 00 00 00 7e 64 69 66 66 69 65 2d 68 65 6c 6c 6d 61 6e 2d 67 ...
=> "SSH-2.0-OpenSSH_5.4
L▒T▒}r0▒9ͬ1~diffie-hellman-gup-exchane-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1Issh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss▒aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se▒as128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.seihmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96ihmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96none,zlib@openssh.com,zlibnone,zlib@openssh.com,zlib"
Hmm, there seem to be just some left-over bytes in the proxy communication. Need to investigate further.
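Added example, not part of the original post: a Python version of the hex decoding above that also reads the four bytes following the identification line the way an SSH peer does, as the big-endian packet_length of the binary packet protocol (RFC 4253). The hex strings are copied from the debug log above; the function names are made up for this example.

```python
import struct

# Hex copied from the debug log above: the 58 received bytes, and the start of
# the sent stream (the page truncates the rest of it).
RECEIVED_HEX = (
    "53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 31 70 31 20 "
    "44 65 62 69 61 6e 2d 35 67 69 74 68 75 62 32 0d 0a "
    "50 72 6f 74 6f 63 6f 6c 20 6d 69 73 6d 61 74 63 68 2e 0a"
)
SENT_HEX = (
    "53 53 48 2d 32 2e 30 2d 4f 70 65 6e 53 53 48 5f 35 2e 34 0d 0a "
    "00 00 03 4c 06 14"
)


def decode_hex_stream(dump):
    """Turn 'xx xx xx' as printed by connect -d -d back into bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def inspect_stream(dump):
    """Split off the identification line, then read what follows the way an
    SSH peer does: uint32 packet_length, byte padding_length, payload."""
    stream = decode_hex_stream(dump)
    end = stream.index(b"\n") + 1
    banner = stream[:end].rstrip(b"\r\n").decode("ascii")
    rest = stream[end:]
    info = {"banner": banner, "rest": rest, "packet_length": None,
            "length_bytes_are_text": False}
    if len(rest) >= 4:
        info["packet_length"] = struct.unpack(">I", rest[:4])[0]
        # A length field made only of printable ASCII means text is sitting
        # where a binary packet was expected.
        info["length_bytes_are_text"] = all(0x20 <= b < 0x7F for b in rest[:4])
    return info


if __name__ == "__main__":
    for name, dump in (("received", RECEIVED_HEX), ("sent", SENT_HEX)):
        info = inspect_stream(dump)
        print(name, repr(info["banner"]), repr(info["rest"]),
              info["packet_length"], info["length_bytes_are_text"])
```

On the received stream the four bytes after the banner are the ASCII text `Prot`, which as a big-endian integer is exactly the 1349676916 in ssh's "Bad packet length" message. On the sent stream the same field is 844, followed by padding length 6 and message type 20 (SSH_MSG_KEXINIT), which is what a well-formed first packet looks like.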
There is a new http-backend which allows you to connect to git without ssh. This is much more firewall friendly. We use it with https and it clones, pulls and pushes with ease.
It is relatively new, you'll need git 1.7 or higher. Check it out here: http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html