How to use BZR over a SSH tunnel via a HTTP proxy

Asked by RayH

Hi. I have used SSH and bzr quite a lot. I am very happy with bzr. It really helps us out with software version control and is so much better than CVS or subversion. Thanks.

However, one thing is driving me crazy at the moment.

Our bzr server is available on the Internet and I can successfully checkout BZR+SSH repositories on Internet based machines. So all of that is set up OK.

One of our customers has their machine in a split DNS environment with private addresses and a proxy to the internet.

I can connect to our machine using SSH from the internal machine + their HTTP proxy using e.g. Putty or plink and then get to a shell prompt on our machine. (I set up Putty to use a http proxy, with local windows username and password for the proxy authentication in the putty config screen)

I have saved this session from putty and can even type in:

plink -load "machine01"

to load an existing session and log in automatically using pageant stored certificates.

But I cannot get bzr to work via the proxy, or via this tunnel.

Question 1: Is it possible to use paramiko via a HTTP proxy to tunnel to an SSH server?

NB I need read write access to the repository: so https is not good enough.

Question 2: I have tried tunneling a local port on the internal machine to the remote SSH machine which listens on port 1022 and connects via the tunnel,

e.g. plink.exe -L 1022:localhost:1022 username@domain

I can telnet to localhost port 1022 and get an SSH prompt from the remote machine, but BZR will not connect when I try e.g.

bzr checkout bzr+ssh://me@127.0.0.1:1022/%2f/home/bzr/myrepository localdir

I get an error "file not found."

Question 3: Can I tell bzr to run ssh just via invoking e.g. plink with a pre-defined session that contains all of the tunneling information and usernames etc. or via a raw port?

Are there alternatives, like running bzr as a daemon on its own native port on the remote machine and tunneling to that?

Your help appreciated.

Question information

Language: English
Status: Solved
For: Bazaar
Assignee: No assignee
Solved by: John A Meinel
Best John A Meinel (jameinel) said :
#1

I do not know if paramiko can be set up to go through an http proxy to connect to a remote SSH connection.

I don't know where you are getting the %2f from (I believe that is an extra '/' character). You would generally write:

bzr co bzr+ssh://me@localhost:1022/home/bzr/myrepository localdir

(I don't think this is causing the problem, though.)

The 'file not found' error sounds more like we are unable to find a 'bzr' executable in the path on the remote side.

The only way I can think of to get bzr to run plink with custom commands would be to create a wrapper, and have it named 'plink.exe'. (I don't know if you can do this with a renamed .bat file, or specifically what win32 will let you get away with. Certainly you could write a trivial C program that does it, and compiles to the name plink.exe, though that is ugly.)

It is unfortunate that putty requires passing the config in. For 'openssh' it always reads its configuration (generally in ~/.ssh/config) so it knows based on the host name what configuration settings to apply.

You should be able to run "bzr serve --allow-writes --port XXX" on the server, and tunnel to that. The default (registered) port for bzr is 4155, but you can certainly change it as desired. Then you would connect as:

bzr co bzr://localhost:XXXX/home/bzr/myrepository

You sound like you know what you are doing with paths, I just want to mention that "checkout" wants a branch, not a repository, but I think you understand that.

One other possibility would be to use the ssh.exe from cygwin (it is what I personally do on win32.) That may be a larger dependency than you want to bring in, though.

Also, if you are able to discuss this on #bzr in irc.freenode.net, it is probably possible to get faster turnaround response.
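On Question 1, as an added example that is not part of the original answer or of bzr: paramiko's `SSHClient.connect()` accepts an already-connected socket through its `sock` argument, so the HTTP CONNECT handshake can be done first with the standard library. The function names are hypothetical, only Basic proxy authentication is handled, and wiring the socket into bzr itself is not shown.

```python
import base64
import socket


def http_connect_tunnel(proxy, target, credentials=None, timeout=10.0):
    """Return a socket to target=(host, port) opened via HTTP CONNECT on proxy."""
    host, port = target
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if credentials:  # Basic auth only; an NTLM-only proxy needs a helper
        token = base64.b64encode(":".join(credentials).encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(("\r\n".join(lines) + "\r\n\r\n").encode("ascii"))
        head = b""
        # Read one byte at a time so nothing after the headers (the SSH
        # banner) is consumed before the socket is handed to the SSH client.
        while not head.endswith(b"\r\n\r\n"):
            byte = sock.recv(1)
            if not byte or len(head) > 8192:
                raise ConnectionError("bad or truncated proxy response")
            head += byte
        status = head.split(b"\r\n", 1)[0].split(b" ", 2)
        if len(status) < 2 or status[1] != b"200":
            raise ConnectionError(f"proxy refused CONNECT: {status!r}")
        return sock
    except Exception:
        sock.close()
        raise


def probe_ssh_banner(proxy, target, credentials=None):
    """Diagnostic: open the tunnel and return the server's SSH version line."""
    sock = http_connect_tunnel(proxy, target, credentials)
    try:
        line = b""
        while not line.endswith(b"\n") and len(line) < 255:
            byte = sock.recv(1)
            if not byte:
                break
            line += byte
        return line.decode("ascii", "replace").strip()
    finally:
        sock.close()

# With paramiko installed, the same socket replaces its direct TCP connect:
#   client = paramiko.SSHClient(); client.load_system_host_keys()
#   client.connect(host, port=1022, username="me",
#                  sock=http_connect_tunnel(proxy, (host, 1022)))
```

Loading the known host keys keeps host-key verification in force, which matters more once the connection crosses a third-party proxy.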

RayH (ray-hunter) said :
#2

I got there myself with this solution.

On our bzr server host:

log on via SSH and invoke a local server

sudo bzr server --directory=/home/bzr/myrepository

NB port 4155 is behind our firewall so this port is not visible on the internet.

use Putty to set up a tunnel:

in session tab
remotehost.mydomain.com port 1022 type SSH

in connection/proxy tab
proxy emea.proxy.theircompany.com port 8080 type HTTP
Username theirwindowsdomain\theirusername
local proxy command connect %host %port\n

in the SSH tunnels tab
Source port 4155,
destination localhost:4155
type ipv4

start the session and log in via Putty from the target machine.

Then on the command line of the target machine
bzr checkout bzr://localhost:4155/myproject/trunk localdir

it works.

great.

John A Meinel (jameinel) said :
#3

You probably still need '--allow-writes' so that they can commit changes back to that repository.
But otherwise it sounds like you found something that works for you.

RayH (ray-hunter) said :
#4

yep. you are correct --allow-writes was needed.
Just to show the full solution.

On our bzr server host:

log on via SSH and invoke a local server:
our_server> sudo bzr server --directory=/home/bzr/myrepository --allow-writes

NB port 4155 is behind our firewall so this port is not visible on the internet.

Install Putty and my private key on their machine. Start Pageant. Load my private key.

use Putty to set up a tunnel from their machine:

in session tab
ourbzrserver.mydomain.com port 1022 type SSH
(our SSH server listens on 1022 to try to stop script kiddies)

in connection/proxy tab
proxy emea.proxy.theircompany.com port 8080 type HTTP
Username theirwindowsdomain\theirwindowsusername
local proxy command connect %host %port\n

in the SSH tunnels tab
Source port 4155,
destination localhost:4155
type ipv4

start the Putty session and log in via Putty from their machine to our machine.

Then on the command line of their machine

bzr checkout bzr://localhost:4155/myproject/trunk localdir

bzr add *

bzr commit

RayH (ray-hunter) said :
#5

Thanks John A Meinel, that solved my question.

John A Meinel (jameinel) said :
#6

I'm not sure why you need to run the bzr server as root. I would generally recommend against that, unless you have a particular reason to do so.

Otherwise, it looks good.

PresuntoRJ (fabio-tleitao) said :
#7

Of course you could run bzr on the fly, whenever you do get to the machine, but since it's behind the firewall anyway, I believe you could just keep it running as a daemon or under the inetd superserver.

I personally keep mine under inetd.

There you could set to use a restricted user (e.g. bzruser ) and keep your repository under his home (/home/bzruser/myrepository).

I personally recommend it should be placed under /var/bzrroot, hence you set the correct and necessary permissions for this new user/group (bzruser) to get where needed and work with your data there.

There is an inetd.conf line here (http://doc.bazaar-vcs.org/bzr.0.18/server.htm) for reference, but you may need the --allow-writes as well.

And you still can get to it over the SSH tunnel with redirection.