4
votes

I am cracking my nut here trying to get this to work; maybe someone can help me understand this a bit better. I found a question that is almost what I want to do, called "Accessing Subversion repository with 2 hops using svn+ssh protocol".

Here is what I want to do:

I want to check out an svn project on my Live server, but the svn server is not accessible on the internet. So I need to ssh tunnel into my main Network server, then into the SVN server, and then check out the files to the Live server.

Here are some fictive settings for clarity:

  1. The Live Server : (eth0) 10.123.210.123
  2. The Network Server : (eth0) 10.89.123.123 and (eth1) 192.168.1.1
  3. The SVN Server : (eth0) 192.168.1.8

All of the servers authenticate with key files on port 9222, and each server has a user admin with the valid key. So admin can log in to each server from almost any server; logically, Live can't get to SVN directly.

So according to @epsilon-prime in the above-mentioned post, I should set up /home/admin/.ssh/config on the Live server with:

Host mysubversionserver
        HostName = 10.89.123.123
        ProxyCommand = ssh 192.168.1.1 /usr/local/bin/nc -w 10 192.168.1.8 %p
        ForwardX11 = no
        User = admin
        ForwardAgent = yes

Besides the fact that I can't connect with this setup, I don't really understand how this will help me get to the subversion server. Once I use this ssh I am on the subversion server, but I need to be on the Live server with this tunnel... or am I just missing something really obvious?

2
That looks reasonable to me. It might be easier, though, to run ssh -P 9223:svn-server:9222 network-server from your live server, to establish a port-forward of the svn-server's ssh-port to local port 9223; you can then use ssh -P 9223 localhost to connect to the svn server over the forwarded SSH connection. - Rup
OK, so far I figure that the config is wrong: Host= must be HostName=. This gets a bit further, but still I get a failed connect with "ssh: connect to host 192.168.1.1 port 9222: Connection timed out". If I ssh into the server and do a nslookup on that IP it works... I am pulling out my hair over here. - Adesso
So here I am at home on Windows with putty, doing pretty much the same thing, and it works with no sweat. Remote connect to Network server, with localhost:9223 to SVNServer:9222... then another instance of putty to localhost:9223 and I am in... This can't be that difficult in Linux. I have to get this right, it's bugging me now. - Adesso

2 Answers

3
votes

So after much reading and some more reading I finally found some explanations for my questions, and came to realise that this config will not work, but rather that @Rup was right even though his syntax was a bit wrong.

To close the question anyway and have some useful information for other searching souls, here is the correct way of making the tunnel with the config files in Linux:

Host FireWallServer
        HostName <FireWall Server IP>
        User admin
        IdentityFile ~/.ssh/id_rsa
        PasswordAuthentication no
        Compression yes
        ForwardX11 no

Host SVNServer
        ProxyCommand ssh FireWallServer nc <SVN Server IP> %p
        ForwardAgent yes

Your first friend would be man ssh_config, as it contains most of the info you need. A nice explanation I found is Transparent Multi-hop SSH. So the final best solution was to do a local port forward tunnel:

ssh -L 9223:<SVN Server IP>:80 admin@<FireWall Server IP>

Now open another terminal and do your svn query on this tunnel:

svn info http://localhost:9223/<path to your svn repo>

A couple of must-haves are, however, required for this way to work:

  1. All servers must be configured to accept ssh on port 9222 for user admin with an ssh_key
  2. All servers must have the ssh daemon configured to use the same port
  3. SVN must be configured to run over apache with mod_dav

Hope it is of use to someone :)
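
The local port forward from the answer above, wrapped as a script (an added example, not part of the original answer). It opens the tunnel in the background on loopback only, runs one command through it and always closes it again. `admin@firewall.example`, the control-socket path and the function names are assumptions; the ports are the ones used on this page.

```shell
#!/bin/sh
# Added example. JUMP_HOST and CTL are placeholders/assumptions;
# 9222, 9223 and 80 are the ports used on this page.
JUMP_HOST="${JUMP_HOST:-admin@firewall.example}"  # stands in for admin@<FireWall Server IP>
SVN_HOST="${SVN_HOST:-192.168.1.8}"      # SVN server as seen from the jump host
SVN_PORT="${SVN_PORT:-80}"               # Apache/mod_dav port on the SVN server
SSH_PORT="${SSH_PORT:-9222}"             # sshd port on the jump host
LOCAL_PORT="${LOCAL_PORT:-9223}"         # local end of the forward
CTL="${CTL:-$HOME/.ssh/svn-tunnel.ctl}"  # control socket path (assumed)

# With DRY_RUN set, print the command line instead of running it.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Accept only a numeric, unprivileged port.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

tunnel_up() {
  valid_port "$LOCAL_PORT" || { echo "bad LOCAL_PORT: $LOCAL_PORT" >&2; return 2; }
  # -f -N: go to background, no remote command. -M -S: control socket for teardown.
  # ExitOnForwardFailure: fail rather than keep a session without the forward.
  # 127.0.0.1: listen on loopback only. ForwardAgent=no: keep the agent off the jump host.
  run ssh -p "$SSH_PORT" -f -N -M -S "$CTL" \
    -o ExitOnForwardFailure=yes -o ForwardAgent=no \
    -L "127.0.0.1:${LOCAL_PORT}:${SVN_HOST}:${SVN_PORT}" "$JUMP_HOST"
}

tunnel_down() {
  run ssh -S "$CTL" -O exit "$JUMP_HOST"
}

# Run one command through the tunnel and close the tunnel afterwards,
# whether or not the command succeeded.
with_tunnel() {
  tunnel_up || return $?
  rc=0
  run "$@" || rc=$?
  tunnel_down
  return "$rc"
}

# e.g. ./svn-tunnel.sh svn info "http://localhost:9223/<path to your svn repo>"
if [ "$#" -gt 0 ]; then with_tunnel "$@"; fi
```

Setting `DRY_RUN=1` prints the three commands (tunnel up, the svn call, tunnel down) without connecting anywhere.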

0
votes

To make SVN work through a proxy server you will probably need special settings in the subversion configuration file on the Live server, for example in ~/.subversion/servers:

[global]
http-proxy-host=10.89.123.123
http-proxy-port=9222

In your case the proxy server would probably be the network server which you use to connect to the live system (in case of doubt ask your network administrator). If you want to use other commands like wget behind a proxy server to access the internet, it is useful to set the environment variable http_proxy.