How do I use GitHub through harsh proxies?

Question

Given the following constraints, how can I use GitHub from Windows and Unix?

• All access to the internet is restricted to a proxy
• The proxy only allows connections out on port 80 and 443
• CONNECT method is only enabled for 443
• Proxy Authentication is required (NTLM or Basic)

Answer 1

See a “Using Github Through Draconian Proxies (Windows And Unix)” by Jeff Tchang (formerly available from another location), which includes instructions for both Windows and Unix platforms, summarized below.

Unix

1. Download Git.
2. Download and install corkscrew.

3. Edit or create the file ~/.ssh/config and put the following:

   ProxyCommand /usr/bin/corkscrew proxy.example.com 443 %h %p ~/.ssh/myauth
   
   Host github.com
   User git
   Port 22
   Hostname github.com
   IdentityFile "/media/truecrypt1/Keys/GitHubKey.private"
   TCPKeepAlive yes
   IdentitiesOnly yes
   
   Host ssh.github.com
   User git
   Port 443
   Hostname ssh.github.com
   IdentityFile "/media/truecrypt1/Keys/GitHubKey.private"
   TCPKeepAlive yes
   IdentitiesOnly yes
   

4. If everything is setup correctly you should be able to run ssh github.com and see

   Hi user! You’ve successfully authenticated, but GitHub does not provide shell access.
   Connection to github.com closed.

   If this doesn’t work you can run ssh ssh.github.com and get the exact same thing. If the first command didn’t work it means you are using a proxy that blocks CONNECT on port 22. Almost no proxies block CONNECT on port 443 because you need that for SSL.

Windows

1. Download msysgit. Some settings:
   • “Run Git from the Windows Command Prompt”
   • “Use OpenSSH” (this one is very important)
   • Pick your line endings
2. Download connect.c. This tool deserves its own post mostly because of its utter simplicity. It mirrors the open source tool corkscrew and is used for tunneling through proxies. Yes the tool’s name is really called “connect.c.” For Windows users, a pre-compiled binary is available. I put my connect.exe in C:\Windows\connect.exe.
3. Decide whether you like to use the Windows cmd.exe to do stuff or the Cygwin style shell. Or both.

4. Set up the Cygwin Git bash shell.

   For the Cygwin style shell start up the Git icon and edit the file ~/.ssh/config and make sure the file has no extension. Put the following in that file, and note how the paths are specified.

   ProxyCommand /c/windows/connect.exe -H [email protected]:443 %h %p
   
   Host github.com
   User git
   Port 22
   Hostname github.com
   IdentityFile "/c/Keys/GitHubKey.private"
   TCPKeepAlive yes
   IdentitiesOnly yes
   
   Host ssh.github.com
   User git
   Port 443
   Hostname ssh.github.com
   IdentityFile "/c/Keys/GitHubKey.private"
   TCPKeepAlive yes
   IdentitiesOnly yes
   

5. Set up the Windows cmd.exe shell.

   Suppose you don’t like the Git Bash shell. You prefer the cmd.exe interpreter.

   • Go to your config file at C:\Documents and Settings\.ssh\config
   • Make a copy of it or make a new one. I called mine config-windows

   Put the following in the file, again paying careful attention to path separators and styles.

   ProxyCommand C:/Windows/connect.exe -H [email protected]:443 %h %p
   
   Host github.com
   User git
   Port 22
   Hostname github.com
   IdentityFile "C:\Keys\GitHubKey.private"
   TCPKeepAlive yes
   IdentitiesOnly yes
   
   Host ssh.github.com
   User git
   Port 443
   Hostname ssh.github.com
   IdentityFile "C:\Keys\GitHubKey.private"
   TCPKeepAlive yes
   IdentitiesOnly yes
   

For full details, see the full blog post.

Answer 2

[Since my addition to the first answer given above did not get approved within four days, I put it here.]

Note that corkscrew and connect, as well as the standard Unix command nc only support basic authentication (which insecurely transmits the password).
tunnel-auth version 0.04 in addition supports digest authentication.

In case your proxy requires NTLM authentication, all these commands may be combined very nicely with cntlm as follows:

Choose a local port (e.g, 8080 as in the examples below) on which cntlm will listen (performing the user authentication with the proxy and forwarding any further packages to/from the proxy), set the port etc. (e.g., in /etc/cntlm.conf), and use instead of the ProxyCommand given above (with the respective port number inserted):

ProxyCommand corkscrew 127.0.0.1 8080 %h %p

or

ProxyCommand connect -H 127.0.0.1:8080 %h %p

or

ProxyCommand nc -X connect -x 127.0.0.1:8080 %h %p

or

ProxyCommand tunnel-auth -p 127.0.0.1:8080 -r %h:%p

Answer 3

My scenario was a little different to Jeff Tchang's (but based on his post) but might be helpful here.

All of our workplace/corporate internet access is via a non-authenticating proxy. I was able to clone from but not push to github: running

git push -u origin master

would return

ssh: connect to host github.com port 22: Operation timed out
fatal: The remote end hung up unexpectedly

Based on http://returnbooleantrue.blogspot.com/2009/06/using-github-through-draconian-proxies.html and http://meinit.nl/ssh-through-a-proxy-from-your-apple-mac-os-x and http://www.mtu.net/~engstrom/ssh-proxy.php I was able to download/install corkscrew and add the following to my ~/.ssh/config:

Host github.com
  User git
  Port 22
  Hostname github.com
  TCPKeepAlive yes
  IdentitiesOnly yes
  ProxyCommand /usr/local/bin/corkscrew proxy.<my-workplace>.com 8080 %h %p 

Some points to note:

• I use my workplace/corporate private key also with GitHub: if you don't you will need to add an "IdentityFile" line

• Unlike with Jeff Tchang (and thanks to mtu.net) I did not need to have the "~/.ssh/myauth" at the end of the ProxyCommand line

• I did not need to set up a ssh.github.com Host section.

Hope these help.