X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-0.1 required=5.0	tests=AWL,BAYES_00
X-Spam-Check-By: sourceware.org
From: "Maring, Steven" <Steven DOT Maring AT gentiva DOT com>
To: "cygwin AT cygwin DOT com" <cygwin AT cygwin DOT com>
Date: Thu, 23 Sep 2010 10:36:16 -0400
Subject: openssh port forwarding administratively prohibited
Message-ID: <664775FB2795E044BD3CAC00D0A0D9826F352782@FLTPNPEXC002.Gentiva.GHSNet.Com>
x-cr-puzzleid: {C914D095-44B4-444D-B659-93A3460C9405}
x-cr-hashedpuzzle: ARyA BagI Blwh ByHc DilC EA9m EIkE EUIL FVlN GF11 HGa2 HQVJ HbF4 H4cc IQPV Ih1K;1;YwB5AGcAdwBpAG4AQABjAHkAZwB3AGkAbgAuAGMAbwBtAA==;Sosha1_v1;7;{C914D095-44B4-444D-B659-93A3460C9405};cwB0AGUAdgBlAG4ALgBtAGEAcgBpAG4AZwBAAGcAZQBuAHQAaQB2AGEALgBjAG8AbQA=;Thu, 23 Sep 2010 14:36:16 GMT;bwBwAGUAbgBzAHMAaAAgAHAAbwByAHQAIABmAG8AcgB3AGEAcgBkAGkAbgBnACAAYQBkAG0AaQBuAGkAcwB0AHIAYQB0AGkAdgBlAGwAeQAgAHAAcgBvAGgAaQBiAGkAdABlAGQA
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

From a 50K foot perspective, what I'm trying to do is punch a hole through =
my corporate http proxy to get to github.  By itself, cygwin, along with op=
enssh and corkscrew, does not have a problem (i.e. remote git commands work=
).  However, I would also like to make use of the eGit Eclipse plugin, whic=
h unfortunately does not support the notion of a proxy.  So, I thought that=
 if I could setup a local port forwarding I might be able to get eGit to co=
nnect ... but it isn't working.

I've included the openssh, git, and corkscrew packages in my cygwin install=
.  I then ran ssh-host-config, but I didn't think actually running the sshd=
 via 'net start sshd' would be required.  The port forwarding does not seem=
 to work either way.

My only modifications to /etc /sshd_config, from default, are ...

AllowTcpForwarding yes
PermitTunnel yes


my ~/.ssh/config has ...

Host github.com
  User git
  HostName ssh.github.com
  Port 443
  ProxyCommand corkscrew 10.169.1.20 80 %h %p /home/ssmaring/.ssh/.corkscre=
w-auth
  IdentityFile /home/ssmaring/.ssh/id_rsa


Here is what works (I do the -N because github.com does not offer a PTY) ...

$ ssh -v -N git AT github DOT com
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Applying options for github.com
debug1: Reading configuration data /etc/ssh_config
debug1: Executing proxy command: exec corkscrew 10.169.1.20 80 ssh.github.c=
om 443 /home/ssmaring/.ssh/.corkscrew-auth
debug1: permanently_drop_suid: 93351
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 =
Debian-5github2
debug1: match: OpenSSH_5.1p1 Debian-5github2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'ssh.github.com' is known and matches the RSA host key.
debug1: Found key in /home/ssmaring/.ssh/known_hosts:3
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ssmaring/.ssh/id_rsa
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/ssmaring/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to ssh.github.com (via proxy).
debug1: Requesting no-more-sessions AT openssh DOT com
debug1: Entering interactive session.


If I start up a tunnel like this ...

$ ssh -L 22:github.com:22 -v -N git AT github DOT com
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Applying options for github.com
debug1: Reading configuration data /etc/ssh_config
debug1: Executing proxy command: exec corkscrew 10.169.1.20 80 ssh.github.c=
om 443 /home/ssmaring/.ssh/.corkscrew-auth
debug1: permanently_drop_suid: 93351
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 =
Debian-5github2
debug1: match: OpenSSH_5.1p1 Debian-5github2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
debug1: Host 'ssh.github.com' is known and matches the RSA host key.
debug1: Found key in /home/ssmaring/.ssh/known_hosts:3
debug1: found matching key w/out port
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ssmaring/.ssh/id_rsa
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/ssmaring/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Remote: Forced command: gerve smaring
debug1: Remote: Port forwarding disabled.
debug1: Remote: X11 forwarding disabled.
debug1: Remote: Agent forwarding disabled.
debug1: Remote: Pty allocation disabled.
debug1: Authentication succeeded (publickey).
Authenticated to ssh.github.com (via proxy).
debug1: Local connections to LOCALHOST:22 forwarded to remote address githu=
b.com:22
debug1: Local forwarding listening on 127.0.0.1 port 22.
debug1: channel 0: new [port listener]
debug1: Requesting no-more-sessions AT openssh DOT com
debug1: Entering interactive session.


and then try to connect from another console like this ...

$ ssh -v -N git AT localhost
OpenSSH_5.6p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/ssmaring/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/ssmaring/.ssh/id_rsa type 1
debug1: identity file /home/ssmaring/.ssh/id_rsa-cert type -1
debug1: identity file /home/ssmaring/.ssh/id_dsa type -1
debug1: identity file /home/ssmaring/.ssh/id_dsa-cert type -1
ssh_exchange_identification: Connection closed by remote host


then my tunnel says ...

debug1: Connection to port 22 forwarding to github.com port 22 requested.
debug1: channel 1: new [direct-tcpip]
channel 1: open failed: administratively prohibited: open failed
debug1: channel 1: free: direct-tcpip: listening port 22 for github.com por=
t 22, connect from 127.0.0.1 port 1130, nchannels 2


my guess is that since I'm trying to open a new connection and the only way=
 to connect to github.com is with a key pair, that things are being screwed=
 up by the localhost reference.

I'm not sure what to do to fix this though.

I've also tried removing the localhost entry in known_hosts and throwing in=
 a '-A' option, but that didn't help, not that I could do that from eGit an=
yway.

I'm also open to completely different strategies to get Eclipse/eGit on Win=
doze to connect to Github from behind an http proxy.

Thanks,
Steve Maring


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple