On Tue, Mar 16, 2021 at 06:53:24PM +0000, Lamborn, Peter Craig wrote:

> We have some machines behind firewalls and gateways that cannot access
> git repos directly. We have been using GIT_SSH and mirror to push and
> pull git request through a less restricted machine. This has been
> working for a while, specifically both git 2.24.1 and git 2.28 can
> handle the method we have been doing.
> [...]
> workstation$ cat ssh-hop.sh
> #!/bin/bash
>
> MACHINE_REGEXP="<...>"
>
> if [[ $1 =~ $MACHINE_REGEXP ]]; then
>
>     exec ssh <gateway> ssh "$@"
>
> else
>     exec ssh "$@"
> fi

I suspect the problem is that your script blindly matches "$1". Doing so
makes the assumption that Git will never pass any other options to ssh.
Traditionally Git _usually_ wouldn't do so (unless it needed specific
options like "-p", "-4/-6", etc). But in Git's newer "v2" protocol, we
have to pass an environment variable across the wire, which requires
using "-o".

E.g.:

  [using v2.28]
  $ GIT_TRACE2_BRIEF=1 GIT_TRACE2=1 git ls-remote git@xxxxxxxxxx:nosuch/repo 2>&1 | grep child_start
  child_start[0] ssh git@xxxxxxxxxx 'git-upload-pack '\''nosuch/repo'\'''

  [using v2.29]
  $ GIT_TRACE2_BRIEF=1 GIT_TRACE2=1 git ls-remote git@xxxxxxxxxx:nosuch/repo 2>&1 | grep child_start
  child_start[0] ssh -o SendEnv=GIT_PROTOCOL git@xxxxxxxxxx 'git-upload-pack '\''nosuch/repo'\'''

> When you try the same thing with git 2.30.1, the "git push" commands
> still succeed. But "git pull" returns this:

Using the new protocol became the default in v2.29. It also is only used
for fetching, not pushing. So that explains why it's a problem in
v2.30.1, and also why "git push" isn't affected.

> ssh: connect to host <destination machine> port 22: Operation timed out
> fatal: Could not read from remote repository.

This part is presumably just what happens when the "hop" behavior of
your script doesn't kick in. A straight "ssh" is run under the hood, but
your firewall probably times it out.

> Does git 2.30.1 change something about mirrors and/or GIT_SSH that
> would cause git pulls to fail? Do we need to adjust our current
> process?

Adjusting your script to look for the hostname in the second-to-last
argument would probably be more robust. But as Andreas noted, using
ssh's ProxyJump feature would be better still.

-Peff
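
Added example, not part of the message above and not the original ssh-hop.sh: a POSIX sh GIT_SSH wrapper that matches the hostname in the second-to-last argument, so an inserted "-o SendEnv=GIT_PROTOCOL" no longer defeats the hop. The MACHINE_REGEXP and GATEWAY values and the helper names destination, needs_hop and route are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed placeholder values; substitute your own pattern and gateway.
MACHINE_REGEXP='^(.*@)?restricted[0-9]+\.example\.com$'
GATEWAY='gateway.example.com'

# Git calls GIT_SSH as: ssh [options...] <host> <command>
# The host is therefore the second-to-last argument, however many
# options (-p, -4/-6, -o SendEnv=GIT_PROTOCOL) come before it.
destination() {
    [ "$#" -ge 2 ] || return 1
    while [ "$#" -gt 2 ]; do shift; done
    printf '%s\n' "$1"
}

# Succeeds when the destination has to be reached through the gateway.
needs_hop() {
    dest=$(destination "$@") || return 1
    printf '%s\n' "$dest" | grep -Eq "$MACHINE_REGEXP"
}

# Prints the command prefix that would be exec'd (dry run, no network).
route() {
    if needs_hop "$@"; then
        printf '%s\n' "ssh $GATEWAY ssh"
    else
        printf '%s\n' "ssh"
    fi
}

# Act only when invoked with arguments, as Git does through GIT_SSH.
if [ "$#" -gt 0 ]; then
    if needs_hop "$@"; then
        exec ssh "$GATEWAY" ssh "$@"
    else
        exec ssh "$@"
    fi
fi
```
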