- Generate a p4broker config file.
p4broker -C >> p4broker.conf
- Modify the p4broker.conf target and listen ports and protocols as needed.
target = ssl:perforce.server.1666.com:1667;
listen = localhost:1666; # This could be an SSL port if wanted.
This makes an SSL-based connection between the proxy host and the Perforce server, then presents an unencrypted port to local users of the proxy server only.
Since we will be using SSH port forwarding to present our p4broker port to the DMZ host, I don't necessarily need to run the p4broker listen port with the SSL protocol.
- Initialize an SSH reverse port forward connection from the LAN.
This makes port 1666 available on localhost of the DMZ host web.application.com.
devguy@ssh.p4broker.com:~$ ssh -R 1666:localhost:1666 devguy@web.application.com
Now that we have connected to our DMZ host:
devguy@web.application.com~$ netstat -an |grep 1666
tcp 0 0 127.0.0.1:1666 0.0.0.0:* LISTEN
Let's see whether the port forward works, using p4 info and a list of Perforce users.
devguy@web.application.com~$ p4 -p 127.0.0.1:1666 users
devguy <devguy@web.application.com> (devguy) accessed 2014/12/14
devguy@web.application.com~$ p4 -p 127.0.0.1:1666 info
User name: devguy
Client name: web.application.com-cfg
Client host: web.application.com
Client unknown.
Current directory: /home/devguy
Peer address: 192.168.2.100:51708
Client address: 127.0.0.1
Server address: ssl:perforce.server.1666.com:1667
Server root: /opt/perforce/servers/1666/root
Server date: 2014/12/14 18:05:30 -0800 PST
Server uptime: 02:53:33
Server version: P4D/LINUX26X86_64/2014.2/962050 (2014/11/13)
Broker address: localhost:1666
Broker version: P4BROKER/LINUX26X86_64//2014.2/962050
Server license: none
Case Handling: sensitive
- SSH and Perforce login session management is important, so log off when you're done.
If you leave idle SSH connections hanging around, this solution is not much better than a direct connection to the Perforce server. My Perforce accounts used in the DMZ tier have short login sessions, and my p4broker config is paired with Perforce protections to properly gate which users can access which code lines and what they can do with them. The p4broker offers command filtering and other advanced features. Your SSH server can be configured to have aggressive idle detection, which will drop the port forward to your broker after a set amount of time.
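A stricter version of the netstat check from the port-forward step, as an added example that is not part of the original post. It matches the port exactly (a plain grep for 1666 also matches 16660) and fails when the forward is bound to anything other than loopback, which can happen when GatewayPorts is enabled in the DMZ host's sshd_config. It assumes Linux `netstat -an` output in the format shown above; the function name `check_forward_binding` is hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Reads `netstat -an` style lines on stdin and checks TCP listeners on PORT.
# Exit status: 0 = loopback only, 1 = reachable from other hosts, 2 = no listener.
check_forward_binding() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            laddr = $4
            n = split(laddr, parts, ":")
            if (parts[n] != port) next          # exact port match only
            # Everything before the final ":port" is the bind address.
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            found = 1
            if (addr ~ /^127\./ || addr == "::1") {
                printf "ok: %s is loopback-only\n", laddr
            } else {
                printf "EXPOSED: %s accepts non-local connections\n", laddr
                exposed = 1
            }
        }
        END {
            if (!found) { print "no listener on port " port; exit 2 }
            exit (exposed ? 1 : 0)
        }
    '
}

# Constructed sample: the loopback listener from the post, a wildcard IPv6
# bind on the same port, and an unrelated listener on port 16660.
sample='tcp 0 0 127.0.0.1:1666 0.0.0.0:* LISTEN
tcp6 0 0 :::1666 :::* LISTEN
tcp 0 0 0.0.0.0:16660 0.0.0.0:* LISTEN'
printf '%s\n' "$sample" | check_forward_binding 1666 || echo "exit status: $?"
```

On the DMZ host, run it as `netstat -an | check_forward_binding 1666` after the forward is established.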
Vogone Developer
Sunday, December 14, 2014
À la carte Perforce in the DMZ.
How I get access to my main Perforce depot without shell access on the Perforce server or allowing an inbound firewall policy to the LAN. The following diagram describes the use of SSH port forwarding with the Perforce p4broker on unprivileged ports by an unprivileged user.