putty - Accessing a remote mercurial repository through a ssh proxy under windows with tortoisehg
2013-11
I have a remote mercurial repository (managed by hg-gateway) on a server. Access to that server is not open to the general public; however, the firewall allows ssh proxying.
How do I configure a windows client to access that repository with tortoisehg?
Note that it is different from this, as in that question there is no proxying involved. I am looking for the windows equivalent of
Host remote-dev
user mercurialuser
ProxyCommand ssh -q firewalluser@firewall
for accessing a mercurial repo like
hg clone ssh://remote-dev/repo
I have found a working solution and I will post it below in the answers for the benefit of the community.
System administration assumptions are at the end of this post.
- download & install putty, plink, pageant and puttygen from here
- if you don't have a ssh key, launch puttygen and:
  - if you already have a linux-generated key:
    - select 'load an existing private key file'
    - select appropriate file (must change file extension filter)
    - insert passphrase
    - select 'save private key'
  - else,
    - select 'generate key'
    - move mouse randomly
    - select 'save private key'
    - select 'save public key'
- if you already have a linux-generated key:
  - send your sysadmin the PUBLIC KEY not the private key! (sysadmins: read below)
- run a windows command prompt (start > run and type 'cmd') and launch 'pageant.exe'
  - right-click on the icon in the icon bar, 'add key'
  - select your PRIVATE key you saved before, insert passphrase
- launch putty
- into hostname put: your repository server's IP address
- save session as 'remote-dev' (any name is ok)
- go to connection > proxy
- select 'local' for proxy type
- proxy hostname: your firewall DNS entry or IP address
- port: 22 (or whatever appropriate to ssh into the firewall)
- username: hg (or whatever user on the firewall has your public ssh key in .ssh/authorized_files)
- in 'telnet command or local proxy' replace content with 'FULLPATH\plink.exe -v -nc %host:%port %user@%proxyhost' (note: use the FULL path of the executable plink.exe, like c:\plink.exe)
- go to connection > data
- auto-login username: hg (or whatever user on the repository server has hg-gateway running)
- go back to 'session'
- click 'save' to save session
- click 'open'
you should see something like
Using username "hg".
Authenticating with public key "imported-openssh-key" from agent
Welcome to XXX code repository server!
Your SSH access is restricted by hg-gateway.
Summary of repos you have access to:
now download & install tortoisehg
- launch tortoisehg workbench
- file > clone repository
- source: ssh://remote-dev/repo-name (remote-dev has to match whatever you called your session in putty!)
- destination: pick your local destination
- click 'clone'
- that's it.
To allow a user access to the remote repo:
1. add the public ssh key to .ssh/authorized_keys of user hg on firewall
2. use hg-gateway to add that user's key to the hg user on server
A note: putty tends to generate keys in .ppk format; they have to be converted to a one-liner ssh key. Google is your friend here.
Assumptions:
- on the firewall there's a user named 'hg' whose .ssh/authorized_keys file contains the public keys of all the users that must access the repository
- the file /etc/ssh/sshd_config of the firewall contains a line similar to:
Match Group dev
ForceCommand nc -q0 reposerver_ip 22
so that the user CANNOT specify which hosts to connect to. User 'hg' obviously belongs to unix group 'dev'.
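As an added defender-side check (example code written for this page, not part of the answer or of hg-gateway): a small sshd_config parser that reports, for the 'dev' group of the assumptions above, where a plain login is forced to by the ForceCommand and, separately, what direct TCP forwarding is allowed to reach. The distinction matters because a direct-tcpip channel, which is what plink -nc (and ssh -W) requests instead of a shell, is governed by AllowTcpForwarding/PermitOpen rather than by ForceCommand. The sample config and the 192.0.2.10 address are constructed.

```python
import re
# Constructed sample sshd_config for the jump host (not the answer's real file):
# the Match block from the assumptions plus a PermitOpen line that pins direct
# TCP forwarding to the same destination; 192.0.2.10 is a placeholder address.
SAMPLE_SSHD_CONFIG = """\
Port 22
AllowTcpForwarding yes
Match Group dev
    ForceCommand nc -q0 192.0.2.10 22
    PermitOpen 192.0.2.10:22
"""

def parse_sshd_config(text):
    """Return (global_options, [(match_criteria, options), ...]) with lower-cased
    keys; comments are skipped and only the 'Keyword value' form is handled."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            current = (value, {})
            blocks.append(current)
        elif current is None:
            global_opts[key] = value
        else:
            current[1][key] = value
    return global_opts, blocks

def reachable_destinations(text, group):
    """Where `group` members can connect: 'session' is the host:port a plain login
    is forced into (ForceCommand nc ...); 'forwarding' is what direct-tcpip channels
    (plink -nc, ssh -W) may reach, governed by AllowTcpForwarding/PermitOpen."""
    global_opts, blocks = parse_sshd_config(text)
    opts = dict(global_opts)
    for criteria, block in blocks:  # only a single 'Group <name>' criterion is matched
        if criteria.lower() == f"group {group.lower()}":
            opts.update(block)
    result = {"session": None, "forwarding": "any"}
    m = re.match(r"nc\s+(?:-\S+\s+)*(\S+)\s+(\d+)$", opts.get("forcecommand", ""))
    if m:
        result["session"] = f"{m.group(1)}:{m.group(2)}"
    if opts.get("allowtcpforwarding", "yes").lower() in ("no", "remote"):
        result["forwarding"] = "none"
    elif "permitopen" in opts:
        result["forwarding"] = opts["permitopen"].split()
    return result
```

A ForceCommand alone leaves 'forwarding' at "any"; pinning both values is what actually limits the user to the repository server.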
I access the Internet through an HTTP proxy firewall at college, and I need to log in to a computer, via SSH, which is outside our network. I tried it as a Linux command and on Windows using PuTTY. I also configured PuTTY to use our server's address. But still, "Proxy error: 403 forbidden" pops up. They must've blocked SSH access to outside systems (college systems are accessible).
I can SSH to a web server (not the proxy server) at the college, which I use to browse proxy-free by tunneling. Now this server allows me to browse restricted sites, but still no SSH.
Any workaround, please?
It may be that the proxy is only allowing access to HTTP/HTTPS ports (80 or 443). I've worked around that by changing the SSH server to listen on port 443. That made the proxy I had to go through allow the connection, but if you can't change the SSH server then you may be out of luck.
If you can bypass the proxy for web, you can bypass it for SSH by tunneling SSH:
ssh -L 55555:remote-computer-to-ssh-to:22 login@webserver
and once that's in place:
ssh -oPort=55555 remote-login@localhost
This will give you an SSH tunnel to the webserver machine, which then forwards your SSH traffic to the remote machine.