
openstack team mailing list archive

Re: Gerrit Review + SSH

 

On Thu, Apr 04, 2013 at 10:51:20AM -0700, Ronak Shah wrote:
> Hi,
> 
> As OS dev cycle involves Gerrit review tool which requires ssh into the
> gerrit server, I was wondering if any of you guys face problems where your
> company/org does not allow ssh to external hosts.
> 
> In general, what is the best practice in terms of environment for
> generating code review?

The traditional workaround when companies have insane firewalls blocking
SSH, is to run an SSH server on port 443, since firewalls typically
allow through any traffic on the HTTPS port, even if it isn't using the
HTTPS protocol :-) This workaround only fails if your company is also
doing a man-in-the-middle attack on HTTPS traffic[1]

GitHub actually have an SSH server on port 443 for exactly this reason

   https://help.github.com/articles/using-ssh-over-the-https-port

I don't know how hard it would be for OpenStack Infrastructure team
to officially make Gerrit available via port 443, in addition to the
normal SSH port.

Regards,
Daniel

[1] Yes some companies really do MITM attack all HTTPS connections
    their employees make :-(
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
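
The message above notes that firewalls typically pass any traffic on port 443, even when it is not HTTPS. The following is an added example, not part of the original message: a sketch of how a monitoring point could tell an SSH identification string from a TLS ClientHello in the first client bytes of a port-443 flow. The function names and the sample flows are assumptions constructed for illustration.

```python
import struct

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream.

    Returns 'ssh', 'tls', 'incomplete' (need more bytes) or 'other'.
    """
    # SSH (RFC 4253 section 4.2): the client opens with an identification
    # line "SSH-protoversion-softwareversion" ending in LF, at most 255 bytes.
    if payload.startswith(b"SSH-"):
        line, newline, _ = payload.partition(b"\n")
        if not newline:
            return "incomplete" if len(payload) < 255 else "other"
        fields = line.rstrip(b"\r").split(b"-", 2)
        ok = len(fields) == 3 and fields[1] in (b"2.0", b"1.99") and fields[2]
        return "ssh" if ok else "other"
    if b"SSH-".startswith(payload):  # empty or a partial "SSH-" prefix
        return "incomplete"
    # TLS: record type 0x16 (handshake), version 3.x, 16-bit record length,
    # then handshake type 0x01 (ClientHello).
    if payload[0] == 0x16:
        if len(payload) < 6:
            return "incomplete"
        _, major, minor, length, hs_type = struct.unpack("!BBBHB", payload[:6])
        if major == 3 and minor <= 4 and 0 < length <= 16384 and hs_type == 1:
            return "tls"
    return "other"

def flag_non_tls_on_443(flows):
    """flows: iterable of (flow_id, dst_port, first_client_bytes) tuples."""
    flagged = []
    for flow_id, dst_port, data in flows:
        kind = classify_first_bytes(data)
        if dst_port == 443 and kind not in ("tls", "incomplete"):
            flagged.append((flow_id, kind))
    return flagged

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("f1", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # TLS ClientHello start
    ("f2", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),                      # SSH on the HTTPS port
    ("f3", 443, b"GET / HTTP/1.1\r\n"),                           # plaintext HTTP
    ("f4", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),                       # SSH on its normal port
    ("f5", 443, b"SSH-2.0-Open"),                                 # banner not complete yet
]

if __name__ == "__main__":
    print(flag_non_tls_on_443(SAMPLE_FLOWS))
```

A check like this only sees the cleartext start of a connection, so it distinguishes protocols on the port but says nothing about what is carried inside a genuine TLS session.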

