This should be fixed from some time ago (rev 2923):
http://svn.sisuite.org/listing.php?repname=systemimager&path=%2Ftrunk%2Fsbin%2F&rev=2923&sc=1
Anyway, which version are you using? I suppose with the last 3.6.2
si_updateclient with ssh should work fine...
Regards,
-Andrea
Ben Hartshorne wrote:
Hi,
I asked this question months ago and got no answer. SI has gone through
a version upgrade since then, but the functionality hasn't changed. I
wonder if someone couldn't answer the question (or submit a patch to the
tree) now.
I want to use si_updateclient through an ssh tunnel. I find it improves
reliability in addition to providing security.
The command I run from the command line is:
[EMAIL PROTECTED] ~]$ sudo si_updateclient --server golden --image testing --ssh-user 'siuser -i /root/.ssh/updateclient_key'
The file /root/.ssh/updateclient_key is a passphraseless key so that the
process may run without user intervention.
The Golden server (golden) is running rsync but the port is firewalled
off - you may only connect to it from localhost. The whole ssh thing is
supposed to create a tunnel from the client to the server and port
forward some random local port to the rsync server on golden.
Problem is this - it fails. The ssh connection is made, but rsync fails
to connect to the locally opened port.
The reason: the si_updateclient script is creating a tunnel using the
following lines:
$port = int(rand 60000);
...
my $command="ssh -f -l $ssh_user -L $port:$server:" . $port . " $server sleep 5";
In essence, it is saying ssh -L12345:golden:12345 golden sleep 5
This will never work - the rsync daemon on golden is running on port 873
(or whatever port you choose), not a port randomly chosen by the client.
The following patch fixes it:
[EMAIL PROTECTED] ~]$ diff -c si_updateclient /usr/sbin/si_updateclient
-----------8<----------- cut here -----------8<------------
*** si_updateclient 2006-01-09 20:08:58.542650000 -0800
--- /usr/sbin/si_updateclient 2005-10-11 17:40:07.000000000 -0700
***************
*** 243,249 ****
}
# Setup the port forwarding
! my $command="ssh -f -l $ssh_user -L $port:$server:" . $port . " $server sleep
5";
my $rc = 0xffff & system($command);
if ($rc != 0) { croak "FATAL: Failed to establish secure port forwarding to
$server!"; }
--- 243,249 ----
}
# Setup the port forwarding
! my $command="ssh -f -l $ssh_user -L $port:$server:873 $server sleep 5";
my $rc = 0xffff & system($command);
if ($rc != 0) { croak "FATAL: Failed to establish secure port forwarding to
$server!"; }
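Review bot: The changed `my $command=...` line hard-codes the remote end of the forward as 873, so a server whose rsync daemon listens on another port still fails; take the remote port from an option that defaults to 873 instead of a literal. The same line interpolates `$ssh_user` and `$server` into one string for `system()`, so the shell parses both values (the `--ssh-user 'siuser -i ...'` usage depends on that word splitting); the list form of `system` with a dedicated identity-file option would pass them as separate arguments. The `***`/`---` sides also look reversed for a fix: the 873 line sits on the /usr/sbin/si_updateclient side dated 2005-10-11, so confirm the direction before applying.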
-----------8<---------- cut here ------------8<------------
Unfortunately, it assumes you're running on port 873 instead of making
it configurable.
Here's my real question - does nobody use ssh support for
si_updateimage? It's been broken for a *long* time now, and I don't see
any complaints about it out there on the net. What gives? Is everyone
happy running their rsync cleartext over their network? Presumably,
you're running this thing in a protected network, so it's ok to not use
ssh.
-ben
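
The tunnel described in the message above, as an added example that is not part of the original thread or of SystemImager: shell functions that forward a random unprivileged local port to the rsync daemon's fixed port, with the remote port configurable and every value passed to ssh as its own argument. The helper names, the DRY_RUN variable and the choice to forward to the server's loopback address are assumptions; the last follows the statement that rsync on golden only accepts connections from localhost.

```shell
#!/bin/sh
# Added example: helper names and DRY_RUN are hypothetical, not SystemImager's.

# Succeed only for a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Random local port from the unprivileged range (1024..65535).
pick_local_port() {
    awk 'BEGIN { srand(); print 1024 + int(rand() * 64512) }'
}

# Build the -L spec: loopback-only listener on the client, forwarded to the
# rsync daemon's real port on the server's loopback (default 873).
forward_spec() {
    valid_port "$1" || return 1
    valid_port "${2:-873}" || return 1
    [ "$1" -ge 1024 ] || return 1
    printf '127.0.0.1:%s:127.0.0.1:%s\n' "$1" "${2:-873}"
}

# usage: open_tunnel SERVER USER KEYFILE LOCAL_PORT [REMOTE_PORT]
open_tunnel() {
    [ "$#" -ge 4 ] || return 1
    # Reject empty values and values ssh would read as options.
    case "$1" in ''|-*) return 1 ;; esac
    case "$2" in ''|-*) return 1 ;; esac
    spec=$(forward_spec "$4" "${5:-873}") || return 1
    # Each value is its own argument; no shell string is built from them.
    set -- -f -i "$3" -l "$2" -o ExitOnForwardFailure=yes -L "$spec" "$1" sleep 5
    if [ -n "${DRY_RUN:-}" ]; then
        echo "ssh $*"
    else
        ssh "$@"    # exits non-zero if the local port cannot be bound
    fi
}
```

With DRY_RUN set, open_tunnel prints the ssh command instead of running it; the random port can still collide with one already in use, which ExitOnForwardFailure turns into an error rather than a silent failure.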
_______________________________________________
Sisuite-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sisuite-users