Question

At my institute, I have restricted internet access only through a proxy. I am facing some serious problems in establishing an ssh connection to the gerrit code review system (git.eclipse.org) and am thus unable to push any new patch to Gerrit.

For carrying out the above task, I first tried to tunnel SSH over HTTP using corkscrew, following the instructions given here. This is what I did:

  1. Installed corkscrew
  2. Added ProxyCommand to ssh config
  3. Added proxy username and proxy authentication password to file ~/.ssh/proxyauth

After this, I was successful in setting up an ssh connection to github and could also push/pull changes to my github repo.

But I am unable to connect to gerrit through ssh. Here is the exact error:

$ssh -p 29418 jgupta@git.eclipse.org
Proxy could not open connnection to git.eclipse.org:  Forbidden
ssh_exchange_identification: Connection closed by remote host

I am using Linux (RHEL 6.3 Beta x86_64) and git 1.7.11.1 (latest).
The contents of my ~/.ssh/config are:

Host github.com
  Hostname ssh.github.com
  Port 443
  ProxyCommand corkscrew 202.141.80.22 3128 %h %p ~/.ssh/proxyauth

Host *
  ProxyCommand corkscrew 202.141.80.22 3128 %h %p ~/.ssh/proxyauth

The verbose (error) result for the ssh request to git.eclipse.org is:

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /home/jayant/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec corkscrew 202.141.80.22 3128 git.eclipse.org 29418 ~/.ssh/proxyauth
debug1: permanently_drop_suid: 500
debug1: identity file /home/jayant/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/jayant/.ssh/id_rsa type 1
debug1: identity file /home/jayant/.ssh/id_dsa type -1
Proxy could not open connnection to git.eclipse.org:  Forbidden
ssh_exchange_identification: Connection closed by remote host

The remote url set in my git repo is:

$git remote -v
origin  http://git.eclipse.org/gitroot/etrice/org.eclipse.etrice.git (fetch)
origin  http://git.eclipse.org/gitroot/etrice/org.eclipse.etrice.git (push)
review  ssh://jgupta@git.eclipse.org:29418/etrice/org.eclipse.etrice.git (fetch)
review  ssh://jgupta@git.eclipse.org:29418/etrice/org.eclipse.etrice.git (push)

A few days ago, when I had direct internet access, I was able to connect via ssh and also push my patches, with the above remote settings.

I tried deleting the contents of known_hosts, but this didn't help.
Is this a problem at the gerrit server?

Thanks in advance for your help.

Solution

I feel that the problem is due to a non-supportive server configuration. This is what I found in a blog post on the web:

The basic idea is that you will somehow invoke socat (a utility similar to corkscrew), which will negotiate with the HTTP(S) proxy server using the CONNECT method to get you a clean pipe to the server on the far side.
...
Noting that many corporate firewalls block access to the CONNECT method on ports other than 443, the good folks at github have an ssh server listening on 443 if you use the host "ssh.github.com", so you can replace the hostname and the port in the above ssh config stanza as appropriate, and you're all set

The above extract has been taken from here.

What I feel is that, since gerrit is being run on port 29418 and since proxies generally allow access to the CONNECT method only for requests on port 443 of the remote host (server), the ssh request for gerrit cannot be negotiated at the proxy.

This doesn't happen with github, as it serves ssh requests on port 443 and the client utilities (like corkscrew) can negotiate proxies by sending the request to port 443 of the remote server (as done in the snapshot of .ssh/config above).

Does anyone know some other method for carrying out the above task?
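
The refusal described in this answer, modeled as an added example (not code from the original post or from corkscrew): a proxy that permits CONNECT only to port 443 answers the client's request for port 29418 with 403 Forbidden, which the client reports as the error seen in the question. The allowlist `{443}`, the function names and the credentials are assumptions for illustration; the institute proxy's actual rules are not shown on the page.

```python
import base64

# Assumption: CONNECT is permitted only to these ports (real proxy rules unknown).
ALLOWED_CONNECT_PORTS = {443}


def build_connect(host, port, user, password):
    """Build the request a CONNECT-tunnelling client sends to the proxy."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"CONNECT {host}:{port} HTTP/1.0\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n").encode()


def proxy_decide(request, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Model of the proxy's policy check; returns the status line it sends."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return "HTTP/1.0 400 Bad Request"
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return "HTTP/1.0 400 Bad Request"
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    if "proxy-authorization" not in headers:
        return "HTTP/1.0 407 Proxy Authentication Required"
    if int(port) not in allowed_ports:
        return "HTTP/1.0 403 Forbidden"  # the refusal seen in the question
    return "HTTP/1.0 200 Connection established"


def client_result(host, status_line):
    """Interpret the proxy's reply the way the tunnelling client reports it."""
    _version, code, reason = status_line.split(" ", 2)
    if code == "200":
        return f"tunnel open to {host}"
    return f"Proxy could not open connection to {host}: {reason}"


def try_tunnel(host, port):
    # Constructed credentials; a real client reads them from its auth file.
    request = build_connect(host, port, "user", "secret")
    return client_result(host, proxy_decide(request))


if __name__ == "__main__":
    print(try_tunnel("ssh.github.com", 443))
    print(try_tunnel("git.eclipse.org", 29418))
```

The 403 is produced by the proxy before any packet reaches the destination, so the Gerrit server never sees the connection attempt.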

Licensed under: CC-BY-SA with attribution