Re: [ptp-user] Synchronized project over multi-hop SSH, no SSH tunnel



On Fri, Sep 26, 2014 at 1:28 PM, Rocky Dunlap <rocky.dunlap@xxxxxxxx> wrote:


On Thu, Sep 25, 2014 at 8:06 PM, Roland Schulz <roland@xxxxxxx> wrote:


On Thu, Sep 25, 2014 at 8:02 AM, Rocky Dunlap <rocky.dunlap@xxxxxxxx> wrote:
Roland,

Thank you for this comprehensive list of options.  This will be helpful in general for people who have to connect via an intermediate host.

For my case, I can use ProxyCommand (which I have set up in ~/.ssh/config) to give the appearance of connecting to the host directly (although I do not use -W).  Of course, this works from the command line.  Are you suggesting that there is a way to set up and/or utilize a ProxyCommand in Eclipse?

No, this is something we haven't added yet. But it shouldn't be hard to add, so I can do it if it is needed.


It would likely help in my case and I'm assuming that there are others out there with the same issue.  I would assume that many large government clusters have similar security precautions.  A built-in way to connect to remote machines behind gateways will likely be necessary to attract more users in big government labs.  Perhaps a rule of thumb could be: if I can connect via the command line, I should also be able to do so via Eclipse.  It does not seem likely to me that security policies will be changed just for Eclipse users - it has to go the other way around.  Just my two cents.

I uploaded a solution at https://git.eclipse.org/r/#/c/34086/. If you want to build from source you can try it out right away. Otherwise Greg will probably make a binary available soon.

Roland 
 
As a temporary solution: does either your final host (ssh -L2022:localhost:22 {host}) or the last gateway (ssh -L2022:{host}:22 gw) allow port forwarding? If so you can set up the port-forwarding on the command-line and use it in Eclipse. As Greg mentioned you can do multi-hop forwarding within PTP but it requires that each hop supports port-forwarding. If the problem isn't that port-forwarding isn't allowed, but only multiple channels, it might help to use "-N".


Port forwarding is disallowed on the system for security reasons.
 
Roland
 

Thanks!
Rocky

On Wed, Sep 24, 2014 at 6:04 PM, Roland Schulz <roland@xxxxxxx> wrote:
Hi,

There are a couple of different ways one can do SSH proxy forwarding. And in my experience at least one of them should work. If we know which one works for your machine we can suggest how to do that in PTP. Usually they are chainable so you can try to get a working tunnel for each step and then combine them.

1) Port forwarding
a) single:
ssh -L2022:{host}:22 {gw} -N & sleep 1; ssh localhost -p 2022
Works if port forwarding isn't disabled.
b) dynamic:
ssh -D9000 {gw} -N & sleep 1; ssh -o ProxyCommand="netcat -x localhost:9000 %h %p" {host}
Probably doesn't work either if a) doesn't work. netcat can also be called nc. Only required locally, so it can be installed if not available.
c) tun:
Even less likely to work. Just mentioned for completeness.
2) ProxyCommand
a) ssh -W
ssh -o ProxyCommand='ssh {gw} -W %h:%p' {host} 
Works for ssh2 if not explicitly disabled.
b) netcat/nc
ssh -o ProxyCommand="ssh {gw} 'netcat %h %p'" {host}
Works if netcat (sometimes also called nc) is installed. If you have full shell access you can install netcat remotely.
c) bash redirect
ssh -o ProxyCommand="nohup ssh {gw} 'exec 3<>/dev/tcp/%h/%p;cat <&3 & cat >&3; kill $!' 2>/dev/null" {host}
Works with typical bash shell. If your default shell isn't bash you need to add a "/bin/bash -c".

{gw}: replace with gateway name. {host}: replace with (final) host you want to connect to

This doesn't list the myriad of other ways to do forwarding over non-SSH gateways (e.g. Socks or Http proxies).

At least 2c) should usually work. Of course you shouldn't do anything which is against the user-policy of the machine.

PTP currently only has support for 1a. I had the intention to allow other options: https://bugs.eclipse.org/bugs/show_bug.cgi?id=345329. But I never finished it.
If you let me know which options work I probably can tell you how to make it work with PTP.

Roland

On Wed, Sep 24, 2014 at 9:29 AM, Rocky Dunlap <rocky.dunlap@xxxxxxxx> wrote:
I am attempting to create an Eclipse synchronized project that will sync my local files to a NASA supercomputer that is only accessible through a secure login node.  There are two levels of authentication - first the login node, then the cluster node, both require a password. Typically, you would set up an SSH tunnel for this sort of thing, although it appears that opening a separate channel for the tunnel is explicitly disallowed by the NASA security policy.

Do I have any options for syncing?  Or do I have to do some kind of manual file transfer when I want to compile on the remote machine?

Rocky



--
ORNL/UT Center for Molecular Biophysics cmb.ornl.gov
865-241-1537, ORNL PO BOX 2008 MS6309

_______________________________________________
ptp-user mailing list
ptp-user@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/ptp-user




--
ORNL/UT Center for Molecular Biophysics cmb.ornl.gov
865-241-1537, ORNL PO BOX 2008 MS6309





--
ORNL/UT Center for Molecular Biophysics cmb.ornl.gov
865-241-1537, ORNL PO BOX 2008 MS6309
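
Option 2a from the list in the thread, chained over more than one gateway, as an added example that is not part of the original messages: a shell function that prints the ~/.ssh/config stanzas so that each hop is reached with `ssh -W` through the previous one. The function name and the example.org host names are made up for illustration, and every gateway is assumed to permit `-W`.

```sh
#!/bin/sh
# Added example: write ~/.ssh/config stanzas that chain option 2a
# (ProxyCommand with "ssh -W") across any number of gateways.
# Nothing here opens a connection; it only prints configuration text.

# usage: proxy_chain_config GW1 [GW2 ...] HOST
# GW1 is reached directly; each later name is reached through the one before it.
proxy_chain_config() {
    if [ "$#" -lt 2 ]; then
        echo "usage: proxy_chain_config GW1 [GW2 ...] HOST" >&2
        return 2
    fi
    # Validate every name before printing anything, so a bad argument
    # cannot leave a half-written config or slip an option into ProxyCommand.
    for name in "$@"; do
        case "$name" in
            ''|-*|*[!A-Za-z0-9._-]*)
                echo "refusing unsafe host name: $name" >&2
                return 1 ;;
        esac
    done
    prev=""
    for name in "$@"; do
        printf 'Host %s\n' "$name"
        if [ -n "$prev" ]; then
            # ssh expands %h and %p to this stanza's own host and port.
            printf '    ProxyCommand ssh %s -W %%h:%%p\n' "$prev"
        fi
        printf '\n'
        prev="$name"
    done
}

# Constructed sample: two gateways in front of the final host.
proxy_chain_config gw1.example.org gw2.example.org cluster.example.org
```

With the printed stanzas in ~/.ssh/config, a plain `ssh cluster.example.org` resolves the chain hop by hop, since the inner `ssh gw2.example.org` picks up its own ProxyCommand from the same file.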
