Saturday, 3 December 2011

Using PuTTY and SSL to securely access GitHub repositories via SSH

Using GitHub almost requires the use of ssh to access repositories securely. It is absolutely required to update repositories. Unfortunately, that can run afoul of the "IT overlords" in many corporate environments. At my workplace, a Microsoft ISA authenticating web proxy server is in place, restricting most outbound traffic.[1] Specifically, port 22, the ssh port, is not allowed and that means I can't pull or push to my repositories on GitHub. I'm sure I'm not the only one in this situation.

However, if your proxy allows SSL connections (e.g., for banking, etc.) then there is a way around the problem. An SSL connection is meant to be encrypted and should be opaque to your proxy. What that means is the proxy has to allow direct connections in some circumstances and that opens the door for accessing your GitHub repositories from behind the firewall.
Using Port 443 for SSH Connections

Unfortunately, our proxy restricted these direct connections to port 443 only, the default SSL port. That means port 22, the ssh port, is out. However, with some help from the good folks at GitHub, plus some support from PuTTY, the Windows ssh client, I was able to use port 443 to connect to my GitHub repositories. I am on Windows XP, using the cygwin version of git (v. 1.5.6.4), and PuTTY (0.60) for ssh communications. These instructions are specific to that setup.

1. Make sure plink (comes with PuTTY) is in your path, and further that it is being used over any ssh client that cygwin may install. You can check this by running "ssh" at the command line. It should say "PuTTY Link: command-line connection utility" or similar.
2. Using PuTTY, create and save a session for github with the following characteristics:
   - Set the host to ssh.github.com, port 443.
   - Under Connection / SSH / Auth, select your private key file for SSH authentication.
   - Under Connection / Proxy, select HTTP and enter appropriate information for the host and port.
   - Save your session with a name such as "gitproxy". Remember this name, it is critical.
3. Click "Open" - you should receive a login prompt. You are halfway there!
4. Start pageant, the putty authentication agent. Load the private key used above. If you do not use pageant, your git client will fail with the endless message:

       Wrong passphrase
       Wrong passphrase
       Wrong passphrase
       ...

5. Clone your repository using http or https.
6. Add a remote URL to the repository. For the hostname, use "gitproxy" from above. The host name MUST be the same as the session name:

       git remote add github git@gitproxy:

7. Push and pull to your heart's content!

My thanks to the good folks at GitHub and their hosting provider, EngineYard, who added the "ssh.github.com" server on port 443 specifically to address this problem.

[1] If IT used a decent enterprise IP VPN solution, they could probably open just this port. But they don't.

10 Comments

Re: Article by Stefan Naewe (2008-08-27)

Thank You! Thank You! Thank You!

This is really good news!

To use this under Linux by Stefan Naewe (2008-08-27)

To use this feature under Linux one needs:
- corkscrew
- an entry in your ~/.ssh/config

Host gitproxy User git HostName ssh.github.com Port 443 ProxyCommand /path/to/corkscrew proxy.host proxy.port %h %p IdentityFile path/to/the/correct/ssh.key

And there you go!

To use this under Linux by Stefan Naewe (2008-08-27)

(Why can't I edit my comments?)

The entry in .ssh/config should look like

Host gitproxy
    User git
    HostName ssh.github.com
    Port 443
    ProxyCommand /path/to/corkscrew proxy.host proxy.port %h %p
    IdentityFile path/to/the/correct/ssh.key

from http://blog.codeslower.com/2008/8/Using-PuTTY-and-SSL-to-securely-access-GitHub-repositories-via-SSH
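
The alias mechanism that both the PuTTY session and the ~/.ssh/config entry rely on, as an added Python example that is not from the original post or its commenters: it parses an ssh_config stanza, resolves a git remote written against the alias to the host, port and proxy helper ssh will actually use, and lists the aliases that tunnel SSH over a port other than 22. The function names, the "buildbox" entry and the repository path are assumptions made for the example; wildcard Host patterns are not expanded.

```python
import re
# Constructed sample: the gitproxy stanza from the comment plus a hypothetical plain entry.
SAMPLE_CONFIG = """\
Host gitproxy
    User git
    HostName ssh.github.com
    Port 443
    ProxyCommand /path/to/corkscrew proxy.host proxy.port %h %p
    IdentityFile path/to/the/correct/ssh.key

Host buildbox
    HostName build.example.internal
"""

def parse_ssh_config(text):
    """Return {alias: {lowercased option: value}} for every Host stanza."""
    stanzas, aliases = {}, []
    for raw in text.splitlines():
        m = re.match(r"(\w+)\s*[=\s]\s*(.*)", raw.strip())
        if not m:  # blank line or comment
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            aliases = value.split()
        for alias in aliases:
            opts = stanzas.setdefault(alias, {})
            if key != "host":
                opts.setdefault(key, value)  # ssh keeps the first value it sees
    return stanzas

def resolve_remote(remote, stanzas):
    """Map an scp-style git remote (user@alias:path) to what ssh really dials."""
    login, _, path = remote.partition(":")
    user, _, alias = login.rpartition("@")
    opts = stanzas.get(alias, {})
    host, port = opts.get("hostname", alias), int(opts.get("port", 22))
    proxy = opts.get("proxycommand")
    if proxy:  # ssh substitutes %h and %p before running the helper
        proxy = proxy.replace("%h", host).replace("%p", str(port))
    return {"user": user or opts.get("user"), "host": host, "port": port,
            "proxy": proxy, "path": path}

def tunnelled_hosts(stanzas):
    """Aliases that carry SSH through a ProxyCommand helper on a port other than 22."""
    return sorted(a for a, o in stanzas.items()
                  if "proxycommand" in o and int(o.get("port", 22)) != 22)

if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    print(resolve_remote("git@gitproxy:example-user/example-repo.git", cfg))
    print(tunnelled_hosts(cfg))
```

A remote that names a host with no matching stanza resolves to that host on port 22 with no proxy, which is why the remote's host part has to match the alias exactly.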
