For a few months now I’ve been working with git to store our Infrastructure as Code in GitHub. But I don’t want to have to type in my password every time, and I don’t like passwords saved in clear text, so I prefer ssh over https. But when working behind a proxy that doesn’t allow traffic over port 22 (ssh) I had to spend some time getting it to work. Without a proxy there is nothing to it.
First some background information. We connect to a “stepping stone” server that has some version of Windows as the O.S. and then use Putty to connect to our Linux host where we work on our code.
Our connection to the Internet is via the proxy, but the proxy doesn’t allow traffic over port 22 (ssh/git). It does however allow traffic over port 80 (http) or 443 (https).
So the goal here is to:
- use a public/private key pair to authenticate myself at GitHub.com
- route traffic to GitHub.com via the proxy
- reroute port 22 to port 443
Generate a public/private key pair.
This can be done at the Linux prompt, but then you either need to type your passphrase every time you use git (or have it cached in Linux), or use a key pair without a passphrase. I wanted to take this one step further and use Putty Authentication Agent (Pageant.exe) to cache my private key and forward authentication requests over Putty to Pageant.
With Putty Key Generator (puttygen.exe) you generate a public/private key pair. Just start the program and press the generate button.
You then need to generate some entropy by moving the mouse around:
And in the end you get something like this:
Ad 1) you should use a descriptive name like “github <accountname>”
Ad 2) you should use a sentence to protect your private key. Mind you: if you do not use a caching mechanism you need to type it in frequently
Ad 3) you should save your private key somewhere you consider safe. (It should not be accessible for other people)
Ad 4) you copy this whole text field (starting with ssh-rsa in this case, up to and including the Key comment “rsa-key-20180325”, which is repeated in that text field)
Once you have copied the public key you need to add it to your account at github.com.
Adding the public key in github.com
Log in to github.com and click on your icon:
Choose “Settings” and go to “SSH and GPG keys”:
There you press the “Add SSH key” button and you get to the next screen:
Give the Title a descriptive name so you can recognize/remember what you generated this key for, and paste the copied public key into the Key field. Then you press Add SSH key, which results in something like this:
In your case the picture of the key will not be green but black as you haven’t used it yet. In case you no longer want this public/private key pair to have access to your github account you can Delete it here as well.
So now you can authenticate yourself with a private key that gets checked against the public key you uploaded to GitHub.
You can test that on a machine that has direct access to Internet and is able to use port 22 (For example a VirtualBox VM on your own laptop at home).
Route git traffic to github.com via the Proxy and change the port.
On the Linux server behind the company firewall, when logged on with your own account, you need to go to the “.ssh” directory. If it isn’t there yet, you haven’t used ssh on that machine yet (ssh <you>@<linuxserver> is enough; then cancel the login). So change directory to .ssh in your home dir. Create a file called “config” with the following contents.
# github.com
Host github.com
    Hostname ssh.github.com
    ProxyCommand nc -X connect -x 192.168.x.y:8080 %h %p
    Port 443
    ServerAliveInterval 20
    User git

# And if you use gitlab as well the entry should be like:
# gitlab.com
Host gitlab.com
    Hostname altssh.gitlab.com
    Port 443
    ProxyCommand /usr/bin/nc -X connect -x 192.168.x.y:8080 %h %p
    ServerAliveInterval 20
    User git
This is the part where you define that ssh calls to the server github.com should be rerouted via the proxy server 192.168.x.y on port 8080 (change that to your proxy details), and that the server should not be github.com but ssh.github.com. That is the server where GitHub allows you to use the git or ssh protocol over the https port (443). I’ve added the example for gitlab as well. There the hostname should be changed to altssh.gitlab.com, as is done in the config above.
“nc” or “/usr/bin/nc” is the utility Netcat, which does the work of connecting through the proxy to the changed hostname and port number for us. On our RedHat Linux 6 server it is installed by default.
The ServerAliveInterval 20 makes sure that the connection is kept alive by sending a packet every 20 seconds to prevent a “broken pipe”. And the User git makes sure you will not connect as your local Linux user to github.com but as user git.
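What the ProxyCommand line above actually does is an HTTP CONNECT handshake with the proxy, after which ssh talks to ssh.github.com:443 through the tunnel. The script below is an added example (not code from the post) that performs the same handshake in Python, useful on a host where nc is missing or to see why a proxy refuses the tunnel. The script name connect_proxy.py and the optional PROXY_AUTH environment variable (Basic authentication for proxies that require it, which mine did not) are assumptions.

```python
import os, select, socket, sys
from base64 import b64encode


def build_connect_request(host, port, proxy_auth=None):
    # Same request `nc -X connect -x proxy:8080 %h %p` sends; proxy_auth ("user:pass")
    # is an assumed extra for proxies that want Basic auth (the post did not need it).
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:
        lines.append("Proxy-Authorization: Basic " + b64encode(proxy_auth.encode()).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_connect_response(head):
    # Return the status code when the proxy opened the tunnel (2xx); raise otherwise.
    status = head.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy reply: {status!r}")
    if not 200 <= int(parts[1]) < 300:
        raise ConnectionError(f"proxy refused CONNECT: {status}")
    return int(parts[1])


def tunnel(proxy_host, proxy_port, host, port, proxy_auth=None):
    # Open the tunnel, then relay ssh's stdin/stdout through it (the ProxyCommand role).
    with socket.create_connection((proxy_host, proxy_port)) as s:
        s.sendall(build_connect_request(host, port, proxy_auth))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection during CONNECT")
            reply += chunk
        head, _, rest = reply.partition(b"\r\n\r\n")
        parse_connect_response(head)
        os.write(1, rest)  # the SSH server banner may already follow the headers
        while True:
            for fd in select.select([0, s], [], [])[0]:
                data = os.read(0, 4096) if fd == 0 else s.recv(4096)
                if not data:
                    return
                s.sendall(data) if fd == 0 else os.write(1, data)


if __name__ == "__main__":  # ProxyCommand python3 connect_proxy.py 192.168.x.y:8080 %h %p
    phost, pport = sys.argv[1].rsplit(":", 1)
    tunnel(phost, int(pport), sys.argv[2], int(sys.argv[3]), os.environ.get("PROXY_AUTH"))
```

A 407 reply from the proxy is the sign that it wants authentication, which is the case the P.S. at the end leaves open.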
But two things still need to be done:
- Add your private key to Putty Authentication Agent
- Allow the Putty session to your Linux host to use Putty Authentication Agent
Add your private key to Putty Authentication Agent
On your “Stepping Stone Server” start the Putty Authentication Agent (Pageant.exe) and right click on its icon (usually in the system tray at the bottom right of your screen).
Select View Keys to see the keys already loaded or press Add Key to add your newly created private key. You get asked to type your passphrase. Via View Keys you can check if the key was loaded:
The obfuscated part shows the key fingerprint and the text to the right of that is the Key Comment you used. If the comment is longer, not all of the text is visible, so make sure the Key Comment is distinguishable by its first part.
If you want to use the same key for authentication on the Linux host, then put the public key part in a file called “authorized_keys”. This file should be located in the “.ssh” directory and have rw permissions for your local user only and nobody else (chmod 0600 authorized_keys). If you need or want a different key pair for that, make sure you load the corresponding private key in Pageant as well.
Allow the Putty session to your Linux host to use Putty Authentication Agent
The Putty session that you use to connect to the Linux host needs to have the following checked:
So for the session go to “Connection” –> “SSH” –> “Auth” and check “Allow agent forwarding” to allow your terminal session on the Linux host to forward the authentication request from GitHub (or gitlab) to your Pageant process on the Stepping Stone server. For that last part you also need to have checked the box “Attempt authentication using Pageant”.
Now you are all set to clone a GitHub repository on your Linux host and use key authentication.
Clone a git repository using the git/ssh protocol
Browse to GitHub.com, select the repository you have access to with your GitHub account (if it is a private repo), press the “Clone or download” button and make sure you select “Clone with SSH”. See the picture below.
Press the clipboard icon to copy the line starting with “email@example.com” and ending with “.git”.
That should work now (like it did for me).
P.S. If you need to authenticate your connection with the proxy service you probably need to have a look at the manual pages of “nc”. Or google it. I didn’t have to authenticate with the proxy service so I didn’t dive into that.