Deploy APT updates over SSH tunnel

Consider a network in which a separate host serves as the compile/build farm. All built RPM packages are published in an APT repository and deployed to other hosts over HTTP.

The problem is that the build farm is not visible from servers in the DMZ. This note explains a simple solution based on SSH's port redirection feature.

How does it work?

  1. SSH establishes a secure connection from the Intranet host to the DMZ host.
  2. SSH listens on the DMZ host on port 8000 and redirects all incoming connections through the secure channel to port 80 of host.
  3. SSH remotely executes 'sudo apt-get' on the DMZ host.
  4. APT connects to HTTP storage at via local port 8000.

Important note (12-Sep-2005): the initial solution based on APT-via-FTP was completely unusable because FTP always establishes a separate connection for data transfer (from server back to client in active mode, and from client to server in passive mode). This connection uses a random port chosen from the range 48192-65535, so the data transfer cannot be redirected into the SSH channel. Use HTTP instead, which tunnels without problems. APT supports HTTP as a client, and Mathopd or lighttpd are ideal choices on the server side, even smaller and simpler than a typical FTP daemon.


Step 1 [Intranet host]: Create SSH keypair for APT admin on DMZ host.

ssh-keygen -C "APT admin account" -f ssh-apt.key -t dsa
chmod 600 ssh-apt.key*

Step 2 [DMZ host]: Create APT admin account.

useradd -c "Executes APT commands as root" -m -k /dev/null -s /bin/sh aptadmin
mkdir -p -m700 ~aptadmin/.ssh
cat /mnt/disk/ >> ~aptadmin/.ssh/authorized_keys2
chmod 600 ~aptadmin/.ssh/authorized_keys2
chown -R aptadmin:aptadmin ~aptadmin

Step 3 [DMZ host]: Enable SSH login for aptadmin without entering password. Edit your /etc/openssh/sshd_config:

AllowUsers aptadmin <other users...>
PubkeyAuthentication yes   # enabled by default
AllowTcpForwarding yes     # enabled by default

Apply it: root@dmzhost# service sshd reload
Test it: root@intranet# ssh -l aptadmin -i ssh-apt.key dmzhost hostname

Step 4 [DMZ host]: Allow aptadmin to run APT commands with root privileges without entering a password. Edit /etc/sudoers with the visudo command:

%aptadmin ALL = NOPASSWD: /usr/bin/apt-*

Test it: aptadmin@dmzhost$ sudo apt-cache search openssh

Step 5 [DMZ host]: Configure APT client. Edit your /etc/apt/sources.list:

# Line format: type url arch name
# This record is used on Intranet clients
#rpm ix86 miscpkgs

# This value should be used on DMZ hosts
rpm http://localhost:8000/pub/apt ix86 miscpkgs

Step 6 [Intranet host]: Testing and scheduling.

ssh -l aptadmin -R -i ssh-apt.key \
    "sudo apt-get update && sudo apt-get upgrade"

When this command is executed on the build farm itself, you can replace the hostname '' with 'localhost'.

If this command works, add it to /etc/cron.daily.
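
Added example, not part of the original note: the key from Step 1 runs unattended from cron and the sudoers rule in Step 4 covers every apt-* command, so the key can be pinned on the DMZ host to exactly the Step 6 command line with an authorized_keys forced command. The script name apt-gate, its install path and the --forced argument are assumptions; the permitlisten option needs OpenSSH 7.8 or later.

```shell
#!/bin/sh
# apt-gate: hypothetical forced-command wrapper for the aptadmin key.
# Assumed install path: /usr/local/sbin/apt-gate on the DMZ host.
# Bind it to the key in ~aptadmin/.ssh/authorized_keys2 (one line):
#   command="/usr/local/sbin/apt-gate --forced",permitlisten="localhost:8000",
#   no-pty,no-agent-forwarding,no-X11-forwarding <public key from Step 1>
# sshd then ignores the client's command and passes it to this script
# in SSH_ORIGINAL_COMMAND; remote forwarding is limited to port 8000.

# Return 0 only if every " && "-separated step is an allowed apt-get call.
apt_gate_allowed() {
    apt_rest=$1
    while :; do
        case $apt_rest in
            *" && "*)
                apt_step=${apt_rest%%" && "*}   # text before the first " && "
                apt_rest=${apt_rest#*" && "}    # text after it
                apt_last=no ;;
            *)
                apt_step=$apt_rest
                apt_last=yes ;;
        esac
        # Exact match only: options, ';', '|', '$(...)' and so on never match.
        case $apt_step in
            "sudo apt-get update"|"sudo apt-get upgrade") ;;
            *) return 1 ;;
        esac
        if [ "$apt_last" = yes ]; then return 0; fi
    done
}

apt_gate_main() {
    if apt_gate_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        exec /bin/sh -c "$SSH_ORIGINAL_COMMAND"
    fi
    # Interactive logins (no command) and anything else end up here.
    logger -t apt-gate -p auth.warning \
        "denied for $(id -un): ${SSH_ORIGINAL_COMMAND:-<no command>}"
    echo "apt-gate: command not permitted" >&2
    exit 1
}

# Only act when sshd invokes the script as the forced command.
if [ "${1:-}" = "--forced" ]; then
    apt_gate_main
fi
```

Denied requests are written to syslog under the apt-gate tag, which gives a single line to alert on if the key is ever used for anything other than the scheduled update.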

Last changed at 12 September 2005 MSD 00:23