geom_gate userland utility improvements
John-Mark Gurney 29e65c2822 when in non-blocking mode, return _EAGAIN.. 4 years ago
ggatessh remove some debug prints... 4 years ago
libssh2 when in non-blocking mode, return _EAGAIN.. 4 years ago
shared when debugging flush to get messages out timely... 4 years ago
tests fix multiple sessions... 4 years ago
tools add a tool to see what requests have not completed, useful for debugging.. 4 years ago
.gitignore add man page for the rc.d script... 4 years ago
Makefile run the tests from the correct location... 4 years ago
Makefile.inc install to PREFIX if defined, make tests dir before install.. 4 years ago
README.md add more info on how to use ggatessh... 4 years ago

README.md

ggatessh

This is a variant of ggatec which uses sftp instead of talking to ggated. This allows the server to be any machine that is running ssh+sftp, without requiring you to compile ggated for that platform. It also provides strong authentication and encryption, which the ggatec/ggated combination does not offer, and neither does iSCSI: despite having authentication, iSCSI requires IPsec for security, otherwise it is possible for an attacker to take over the TCP session.

This version of ggatessh also supports a new sftp-server command, punchhole, that is used to implement BIO_DELETE (aka TRIM) commands to help reduce disk space usage on the server. This command is only implemented in the sftp-server of jmg’s sftp-firewall branch of openssh-portable. That branch also implements a new command line option to restrict which files sftp-server is able to open, giving the server side strong control over which files the key can access.

For example, using the sftp-firewall branch, you can use the following in an authorized_keys file to ensure that the private key can only access one specific file:

restrict,command="/home/dir/git.repos/openssh-portable/sftp-server -a fstest/data.img -p open,close,read,write,fstat,fsync,punchhole" ssh-rsa AAAAB...5el ggatessh-test-key

If you are not using the custom compiled branch, just remove the -a option and its argument, and remove punchhole from the permitted requests. Be warned that even though sftp with the key cannot list files with this configuration (in fact, the standard sftp client will error out), other sftp clients can open any file for reading or writing, including creating new files, so unless you fully trust where the ssh key is stored, it is highly recommended to run sftp-server from the sftp-firewall branch.
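The authorized_keys line above confines the key with three things: the restrict option, a forced sftp-server command, and (on the sftp-firewall branch) the -a and -p arguments. The script below is an added example, not part of ggatessh, that parses authorized_keys entries (including quoted command values containing spaces and commas) and reports which of those protections are missing for each key. The sample entries and the sftp-server paths in it are constructed for the example; the expected request list mirrors the one the README shows.

```python
"""Audit authorized_keys entries used for ggatessh-style forced sftp-server commands.
Added example, not part of the ggatessh project."""
import shlex

# Constructed sample file (key material shortened); paths are hypothetical.
SAMPLE_AUTHORIZED_KEYS = """\
# ggatessh keys
restrict,command="/usr/local/libexec/sftp-server -a fstest/data.img -p open,close,read,write,fstat,fsync,punchhole" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample ggatessh-test-key
command="/usr/libexec/sftp-server -p open,close,read,write,fstat,fsync" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample stock-sftp-key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAnother plain-key
"""

# Common key types; a line starting with one of these carries no options field.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# The request types ggatessh needs, as listed in the README's example.
EXPECTED_REQUESTS = {"open", "close", "read", "write", "fstat", "fsync", "punchhole"}


def _split_options(line):
    """Return (options_text, remainder). Options end at the first unquoted whitespace."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def _parse_options(opts):
    """Turn 'restrict,command="..."' into a dict; bare flags map to True."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        j = i
        while j < n and opts[j] not in "=,":
            j += 1
        name = opts[i:j]
        if j < n and opts[j] == "=":
            j += 1
            if j < n and opts[j] == '"':
                k = j + 1
                while k < n and opts[k] != '"':
                    if opts[k] == "\\":  # skip escaped character
                        k += 1
                    k += 1
                result[name] = opts[j + 1:k]
                j = k + 1
            else:
                k = j
                while k < n and opts[k] != ",":
                    k += 1
                result[name] = opts[j:k]
                j = k
        else:
            result[name] = True
        i = j + 1 if j < n and opts[j] == "," else j
    return result


def parse_authorized_keys(text):
    """Parse every non-comment line into {options, type, key, comment}."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = _split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            continue
        entries.append({"options": _parse_options(opts), "type": parts[0],
                        "key": parts[1], "comment": parts[2] if len(parts) > 2 else ""})
    return entries


def audit_entry(entry):
    """Return findings for one key; an empty list means it is confined as the README recommends."""
    findings = []
    opts = entry["options"]
    if "restrict" not in opts:
        findings.append("missing 'restrict' (forwarding, pty and agent not disabled)")
    cmd = opts.get("command")
    if not isinstance(cmd, str):
        findings.append("no forced command: key is not limited to sftp-server")
        return findings
    argv = shlex.split(cmd)
    if not argv or not argv[0].endswith("sftp-server"):
        findings.append("forced command is not sftp-server")
        return findings
    if "-p" in argv and argv.index("-p") + 1 < len(argv):
        extra = set(argv[argv.index("-p") + 1].split(",")) - EXPECTED_REQUESTS
        if extra:
            findings.append("requests beyond what ggatessh needs: " + ",".join(sorted(extra)))
    else:
        findings.append("no -p allowlist: every sftp request type is permitted")
    if "-a" not in argv:
        findings.append("no -a file restriction: any file the account can reach may be opened")
    return findings


def audit_authorized_keys(text):
    """Map each key's comment to its list of findings."""
    return {e["comment"]: audit_entry(e) for e in parse_authorized_keys(text)}


if __name__ == "__main__":
    for name, findings in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against a real authorized_keys file by passing the file contents to audit_authorized_keys; a key whose forced command lacks -a only gets a finding, since that is exactly the stock sftp-server case the paragraph above warns about.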

libssh2

ggatessh uses the libssh2 library with a few modifications. The build system will be updated to compile and use libssh2. At least one minor modification is needed to turn off read-ahead for sftp support.

By default, libssh2 assumes that you’ll read a whole file sequentially in blocking mode, and if you do not, there will be pipeline stalls. In our case this would waste a lot of bandwidth, since we seek around the file to read and write, so this feature needs to be disabled.

Testing

If you install the program entr, you can use the top level target devtest to automatically compile, install, and run the tests whenever a dependent file is modified. The libssh2 library will not be built by this target and needs to be built manually.

Debugging

If you need to debug libssh2, you first need to enable debugging in the library and recompile. To do that, from the libssh2 directory, run:

./configure --enable-debug --disable-shared
make clean && make -j 4

ggatessh will enable a default set of tracing when verbose (-v) is enabled.