savannah-hackers

Re: [Savannah-help-public] FIXED: Cannot access project cvs repository v


From: Sylvain Beucler
Subject: Re: [Savannah-help-public] FIXED: Cannot access project cvs repository via ssh from behind a NAT router
Date: Tue, 29 Jul 2008 21:32:13 +0200
User-agent: Mutt/1.5.18 (2008-05-17)

Hi,

Thanks for explaining what went wrong - and how to fix it :)

Would you like to add explanations for people with the same problem in
the Savannah wiki, for example at
http://savannah.gnu.org/maintenance/SshAccess ?

-- 
Sylvain

On Tue, Jul 29, 2008 at 10:47:20AM +0100, Peter Hoppe wrote:
> Hi,
> 
> this message is just for information purposes.
> 
> I had problems accessing the project's cvs repository using ssh. I am a
> member of the resp. project, so I have a valid savannah account. I also had
> uploaded my public ssh key to the savannah website and an ssh test session
> showed that the savannah cvs server accepted my login credentials.
> 
> The problem turned out to be that I am located behind a D-Link ADSL router
> (which is a NAT router) plus using OpenSSH. OpenSSH sets the 'type of
> service' field in the IP datagram after the password has been given; some
> routers are known to choke on that (my D-Link ADSL router is amongst them),
> so the session hangs after the password has been given:
> 
> > address@hidden:~$ ssh -vvv address@hidden
> > OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > [...]
> > Enter passphrase for key '/home/peter/.ssh/id_dsa':
> > debug1: read PEM private key done: type DSA
> > debug1: Authentication succeeded (publickey).
> > [...]
> > debug2: fd 5 setting TCP_NODELAY
> > debug2: callback done
> > debug2: channel 0: open confirm rwindow 0 rmax 32768
> 
> and from here on the session hangs.
> 
> 
> The fix is to make ssh send all its traffic via netcat. netcat won't set the
> TOS field. Therefore, add a directive to the ssh config file '~/.ssh/config'
> (or, if that file doesn't exist, create it):
> 
> >     ProxyCommand nc %h %p
> 
> 
> I set up my own ssh config file (/home/peter/.ssh/config), and it looks like
> this:
> 
> > # This is the ssh client user configuration file.  See
> > # ssh_config(5) for more information.  This file provides defaults for
> > # this user, and the values can be changed on the command line.
> > 
> > # Configuration data is parsed as follows:
> > #  1. command line options
> > #  2. user-specific file
> > #  3. system-wide file
> > # Any configuration value is only changed the first time it is set.
> > # Thus, host-specific definitions should be at the beginning of the
> > # configuration file, and defaults at the end.
> > 
> > # Directive to overcome TOS issue with our D-Link NAT router. During
> > # session setup, OpenSSH sets the TOS (type of service) field after the
> > # user has submitted the password. Some routers are known to choke on this,
> > # with the result that the session hangs during buildup.
> > # As workaround we send our traffic via netcat which doesn't set the TOS
> > # field.
> >     ProxyCommand nc %h %p
> 
> With this config file I was able to perform a cvs checkout from the project
> repository via ssh.
> 
> Obviously, the developer needs to install netcat on his/her machine. To test
> whether it's installed, one can type
> 
> > which nc
> 
> on the command line shell. If that command yields something like '/bin/nc/'
> then most likely netcat is installed. If nothing is returned then netcat
> isn't installed.
> 
> I hope this helps any poor developer who sits behind one of those NAT routers
> and cannot access the Savannah cvs repositories using ssh.
> 
> P
> 
> -- 
> Fame is probably the second most dangerous occupation after working in a coal 
> mine
>  - Moby
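
The procedure described in the quoted message (check that nc is installed, then add the ProxyCommand directive), as an added example that is not part of the original thread. It scopes the directive to a single Host block so that only connections to that host are routed through netcat, instead of every ssh connection the user makes. The function name `add_nc_proxy` and the host `cvs.example.org` are placeholders, not names from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): append a Host-scoped ProxyCommand
# stanza to an ssh client config file, at most once per host.
#
# Usage: add_nc_proxy CONFIG_FILE HOST
# Returns 0 if the stanza was added or is already present,
#         1 on missing arguments, 2 if nc is not on PATH.
add_nc_proxy() {
    cfg=$1
    host=$2
    [ -n "$cfg" ] && [ -n "$host" ] || return 1

    # The workaround depends on netcat being installed on the client;
    # this is the scripted form of the "which nc" check.
    command -v nc >/dev/null 2>&1 || return 2

    # Create the directory and file readable by the owner only, since
    # ssh is strict about who may write to its config file.
    (
        umask 077
        mkdir -p "$(dirname "$cfg")"
        [ -e "$cfg" ] || : > "$cfg"
    )

    # Idempotence: do nothing if a block for exactly this host exists.
    if grep -qxF "Host $host" "$cfg"; then
        return 0
    fi

    # ssh_config uses the first value it obtains for each option, and a
    # Host line limits what follows it to that host. Appending the block
    # at the end therefore leaves every other host's settings untouched.
    # %%h and %%p become the literal %h and %p tokens ssh expands itself.
    printf '\nHost %s\n    ProxyCommand nc %%h %%p\n' "$host" >> "$cfg"
}

# Run directly as: sh add_nc_proxy.sh ~/.ssh/config cvs.example.org
# (cvs.example.org is a placeholder host name)
if [ "$#" -eq 2 ]; then
    add_nc_proxy "$1" "$2"
fi
```

A ProxyCommand already set earlier in the file, either before any Host line or under `Host *`, takes precedence over the appended block because the first value obtained wins.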



