## Faking proxy via SSH tunnel

Some content isn’t available for every one, e.g. our frontends for administration at the university are only accessible with special IP’s. A similar problem is the download of scientific paper from platforms like PubMed or Oxford Journals. Our university subscribed to these journals, but unless there is a SSO like Shibboleth they are just available from inside the university network. If I want to download such a publication from home I need to pay about US$30 or have to go to an university computer and get it there because there is no proxy available at our university. But there must be workaround to surf with an university IP from home! And it is! All you need is an account for an *nix system at your company/library/university or whatever! Just create a SSH tunnel to it: -D8080 defines the entrance point of the tunnel, in this example it is port 8080. Every other port (that is not yet in use) is possible, but remember that you need to be root to use ports below 1024. Now a SOCKS5 proxy is emulated by SSH. This SOCKS proxy will routes network packages from your localhost to a server through SERVER.WITH.PREFFERED.IP . To apply it just configure your browser to use the proxy at localhost:8080 and check your IP address at any service like this one. But it’s a lot to do for just downloading a simple PDF, isn’t it? That need improvements! The main work is to configuring the browser, for example Firefox needs 6 clicks and some keyboard inputs. That’s nasty, but there is a add-on called Foxy Proxy that manages different proxy settings through an icon on the status bar of Firefox. It’s also able to use SOCKS proxies and you can define regex-lists to use different proxys for special URL’s. This speeds up the switching between different proxies. For other browsers you might find similar solutions. To optimize the creation of the tunnel you can first prepare SSH-keys without a passphrase and create a script containing: This script will create the tunnel (hence the SOCKS proxy) when it’s executed. So if you want a permanent tunnel you can call it from your $HOME/.loginrc or any other file that is executed when you login. Alternatively you can write a start-script…

## Git repository hosting with Debian

This is a translation of my German entry.

Until now I managed my code/work with Subversion and all was very well, but I decided to move to a distributed revision control system. Calling spade as a spade my choice was Git.

After some tests I had the problem, that there is (basically) no central repository where everyone can commit changes, but I’m working with other guys on homework/projects. So how to centralize a distributed revision control system? Nothing easier than that!

## Server set up

Software of choice is called gitosis, so install the following:

Gitosis will manage repositories and privileges on the repository server. The installation progress will add a new user to your system called gitosis (see /etc/passwd ). To initialize the master repository that will manage the rest just copy the SSH public key of your local account to /tmp/id_rsa.pub and do the following:

That’s it on the server, now you have a head-repository and you can manage everything on your local machine.

## Managing the manage-repository

Right back on your local machine you also have to install Git:

Now you’re able to check out the previous created managing repository that knows your SSH key:

The directory keydir holds known SSH keys from users that will work with you, gitosis.conf is the managing file. It is nearly empty on creation and may look like this:

To add a new repository just type something like this:

And to create a new group of users:

New users should give you their public key, so you can save it in the keydir directory with a name like user@host.pub . To commit the changes you’ve made type the following:

Now everybody that was enabled is allowed to checkout your projects. To initiate a new project you can do the following:

To commit a first file:

Voila, there is your repository! Check it out, change it, branch it, you know what to do!

## Publish a repository

With this configuration only you and a bunch of people can see what you are doing in your spare time, but what if you want to publish you work? You can create a git daemon that listens on port 9418 of your server, waiting for a user who wants clone your code:

This service will serve any repository content if you create a file called $REPOSITORYHOME/git-daemon-export-ok in this repository (content isn’t necessary). Everybody knows that such a daemon tends to die sometimes, so I created a cronjob: Now everybody can clone repositories with that special file that allows public cloning by: That’s it! not that difficult but one has to know what to do! Have fun with your repository. ## SSH authentication via public key This is a translation of my German article. SSH is a secure way to connect to a remote system, e.g. for administration or remote working. The communication between these two workstations is encrypted, so an enemy is not able to intercept/spy on the transferred data. Although the password that is sent to access the other system is encrypted, it’s still possible to brute force it. To decrease this risk one can turn off password authentication and just allow the authentication via SSH keys, so that the access is only possible for people that have a specific private keys. It is much harder to guess such a private key than guessing a password. To create such a key pair, containing a private and a public key, just run ssh-keygen -t rsa -b 4096 in your terminal. This command will create an RSA-key width 4096 bits (the more bits the harder to guess the key). The output may look like this: Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Created directory '/home/user/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: 16:59:cb:9f:55:b1:39:ee:b3:72:14:19:13:5c:60:4d user@abakus The key's randomart image is: +--[ RSA 4096]----+ | . +*E| | + . . =+| | o o .++| | . . o.o.| | S o ..| | . .. | | .o | | . .o| | o. | +-----------------+  Congratulations, your are now owner of a 4096 bit SSH-key! It is not necessary to assign a passphrase, so you can connect to the server without any password. But if anyone can get access to your private key he is also able to connect to any server that knows your public key! So it is very insecure and I recommend using a passphrase. For more options see man ssh-keygen. If you now take a look in your $HOME/.ssh/ directory you’ll find two keys, a public key named id_rsa.pub and a private key id_rsa. This private key is just for you, don’t share it with anyone!

To publish the public key, you can use the ssh-copy-id tool:

All that it does is appending the contents of your public key to the $HOME/.ssh/authorized_keys file of the user on the remote system (here remote is 192.168.0.111). If you don’t have the ssh-copy-id tool, you can do it manually but copying the contents of id_rsa.pub to the authorized_keys file of the remote user.. At the next login I don’t have to provide the password to the remote account, I only need the passphrase for the private key: If you didn’t supply a passphrase for the key you’ll never get asked for one. Last but not least we can disable the password authentication with the following settings in /etc/ssh/sshd_config : From now on, only people that have private keys, compatible to those public keys stored in $HOME/.ssh/authorized_keys on the server, can access the remote machine.