Hi, I asked this question months ago and got no answer. SI has gone through a version upgrade since then, but the functionality hasn't changed. I wonder if someone couldn't answer the question (or submit a patch to the tree) now.
I want to use si_updateclient through an ssh tunnel. I find it improves
reliability in addition to providing security.
The command I run from the command line is:
[EMAIL PROTECTED] ~]$ sudo si_updateclient --server golden --image testing
--ssh-user 'siuser -i /root/.ssh/updateclient_key'
the file /root/.ssh/updateclient_key is a passphraseless key so that the
process may run without user intervention.
The Golden server (golden) is running rsync but the port is firewalled
off - you may only connect to it from localhost. The whole ssh thing is
supposed to create a tunnel from the client to the server and port
forward some random local port to the rsync server on golden.
Problem is this - it fails. The ssh connection is made, but rsync fails
to connect to the locally opened port.
The reason: the si_updateclient script is creating a tunnel using the
following lines:
$port = int(rand 60000);
...
my $command="ssh -f -l $ssh_user -L $port:$server:" . $port . " $server sleep 5";
In essence, it is saying ssh -L12345:golden:12345 golden sleep 5
This will never work - the rsync daemon on golden is running on port 873
(or whatever port you choose), not a port randomly chosen by the client.
The following patch fixes it:
[EMAIL PROTECTED] ~]$ diff -c si_updateclient /usr/sbin/si_updateclient
-----------8<----------- cut here -----------8<------------
*** si_updateclient 2006-01-09 20:08:58.542650000 -0800
--- /usr/sbin/si_updateclient 2005-10-11 17:40:07.000000000 -0700
***************
*** 243,249 ****
}
# Setup the port forwarding
! my $command="ssh -f -l $ssh_user -L $port:$server:" . $port . " $server
sleep 5";
my $rc = 0xffff & system($command);
if ($rc != 0) { croak "FATAL: Failed to establish secure port forwarding
to $server!"; }
--- 243,249 ----
}
# Setup the port forwarding
! my $command="ssh -f -l $ssh_user -L $port:$server:873 $server sleep 5";
my $rc = 0xffff & system($command);
if ($rc != 0) { croak "FATAL: Failed to establish secure port forwarding
to $server!"; }
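Review bot: the replacement `-L $port:$server:873` hardcodes the remote rsync port, which the surrounding text says is configurable ("or whatever port you choose"); take it from a variable (for example `my $rsync_port = 873;` and `-L $port:$server:$rsync_port`) so the fix is not limited to the default port. Two further points on this hunk: the destination host in the forward spec is `$server`, which the remote sshd resolves by name, yet the post says rsync on golden only accepts connections from localhost, so `-L $port:localhost:$rsync_port $server` would match that firewall rule more reliably; and `$port = int(rand 60000)` from the unchanged context can pick a privileged port below 1024 or one already in use, in which case `ssh -f` fails and the `croak` fires with a misleading message, so bounding the random choice to the unprivileged range would reduce spurious failures.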
-----------8<---------- cut here ------------8<------------
Unfortunately, it assumes you're running on port 873 instead of making
it configurable.
Here's my real question - does nobody use ssh support for
si_updateimage? It's been broken for a *long* time now, and I don't see
any complaints about it out there on the net. What gives? Is everyone
happy running their rsync cleartext over their network? Presumably,
you're running this thing in a protected network, so it's ok to not use
ssh.
-ben
--
Ben Hartshorne
email: [EMAIL PROTECTED]
http://ben.hartshorne.net