Friday, February 17, 2012

Acess Intranet without VPN

Sometimes I need access the Intranet of company, however I don't like to create VPN connection. The connection is slow, waste time to create the connection and have to change password due to security policy.

My workstation is Linux, which has a lot of utility tools to help me access Intranet at home without VPN.

Firstly I set up a ssh server on my personal computer. It's quite easy if you are using Linux, for Windows I installed Copssh.
Then register a free domain name and configure it in my router. And let router forward port 22(or any port you wan to use) to my personal computer.
In my working Linux machine, create a ssh tunnel to my personal computer. Must use the public/private key for authenticating. For example,

It means remote server can access my workstation's port 22 via accessing its port 1002 after the ssh tunnel is created successfully. Above command line also forwards the ports 5900 and 6500. The default VNC session will listen the port 5900.
But it only works when my personal computer is running. And the connection can't be reconnected after it fails once.
The graceful solution is installing 'autossh' in my Linux, which is an utility to retry the ssh connection with an interval if it's disconnected or failed.

 Then create a script and running it when OS is booted. The script will be executed by root user, so we need configure it ran by the normal user.

After my personal computer is booted a while(the default interval of autossh is 300 seconds), I can use localhost:10002 to login my workstation, localhost:5900 to access my VNC session. Of course you can use 'froxyproxy' of Firefox via a localport to access web page of Intranet.

Wednesday, February 15, 2012

How to reuse the existing OpenID accounts after the host name of Gerrit server is changed

An internal Gerrit server was moved, so the hostname of server is changed. However we are using OpenID for user control, the OpenID provider(such as Google account) will generate a new token for the new server(hostname changing will impact the identity token of Google account) when we login Gerrit with same OpenID account. Gerrit will create a new internal account by default even though my OpenID account has existed in the system and has a lot of activities.

The solution is updating the 'ACCOUNT_EXTERNAL_IDS' table of Gerrit via gsql. Setting the 'ACCOUNT_ID' to your existing account_id for the new record whose 'EXTERNAL_ID' is the new token gotten from Google.

update ACCOUNT_EXTERNAL_IDS set ACCOUNT_ID='1000001' where EXTERNAL_ID='https://www.google.com/accounts/o8/id?id=xxxxxxxxxx';

Then search the documentation of Gerrit, I find a configuration property looks like supporting such a migration for OpenID authentication.
auth.allowGoogleAccountUpgrade
Allows Google Account users to automatically update their Gerrit account when/if their Google Account OpenID identity token changes. Identity tokens can change if the server changes hostnames, or for other reasons known only to Google. The upgrade path works by matching users by email address if the identity is not present, and then changing the identity.
This setting also permits old Gerrit 1.x users to seamlessly upgrade from Google Accounts on Google App Engine to OpenID authentication.
Having this enabled incurs an extra database query when Google Account users register with the Gerrit server.
By default, unset/false.