git-annex/doc/tips/Decentralized_repository_behind_a_Firewall.mdwn

If you're anything like me¹, you have a copy of your annex on a computer running at home², set up so you can access it from anywhere like this:

    ssh myhome.no-ip.org

This is totally great! Except, there is no way for your home computer to pull your changes, because there is no *on-the-go.no-ip.org*. You can get clunky and use a *bare git repository and git push*, but there is a better way.

First, install *openssh-server* on your *on-the-go* computer

    sudo apt-get install openssh-server # Adjust to your flavor of unix

Then, log into your *home* computer, with *port forwarding*:

    ssh me@myhome.no-ip.org -R 2201:localhost:22

Your *home* computer can now ssh into your *on-the-go* computer, as long as you keep the above shell running.

You can now add your *on-the-go* computer as a remote on your *home* computer. Use the port forwarding shell you just connected with the command above, if you like. 

    ssh-keygen -t rsa
    ssh-copy-id "me@localhost -p 2201"
    cd ~/annex
    git remote add on-the-go ssh://me@localhost:2201/home/myuser/annex

Now you can run normal annex operations, as long as the port forwarding shell is running³.

    git annex sync
    git annex get on-the-go some/big/file
    git annex info

You can add more computers by repeating with a different port, e.g. 2202 or 2203 (or any other).

If you're security paranoid (like me), read on. If you're not, that's it! Thanks for reading!

---
Paranoid Area

Note you're granting passwordless access to your on-the-go computer to your home computer. I believe that's all right, as long as:

* Your home computer is really in your home, and not at a friend's house or some datacenter
* Your home computer can be accessed only by ssh, and not HTTP or Samba or NTP or (shoot me now!) FTP
* Only you (and perhaps trustworthy family) have access to your home computer
* You have reasonably strong passwords or key-only logins on both your home and on-the-go computers.
* You regularly install security updates on both computers (sudo apt-get update && sudo apt-get upgrade)

In any case, the setup is much, much, much more secure than Dropbox. With Dropbox, you have exactly the same setup, but:

* Your data is stored in some datacenter. It's supposed to be encrypted. It might not be.
* Lot's of people have routine access to your files, and plausible reason to. Bored employees might regularly be doing some 'maintenance work' involving your pictures.
* The dropbox software can do anything it likes on your computer, and it's closed source so you don't know if it does. A disgruntled employee could put a trojan into it.
* Dropbox might have a backdoor for employee access to any file on your computer. This might be done with the best of intentions, but a mal-intentioned or careless employee might still erase things or send sensitive files from your computer by email.
* A truly huge amount of eyes connected to incredibly smart brains have looked at openssh and found it secure. Everybody trusts openssh. With dropbox, there is, well, dropbox. Whoever that is.

-----

¹ Me=Carlo, not Joey. I'm pretty sure doing what I wrote here is a good idea, but in case it turns out to be catastrophically dumb, it's my fault, not his.

² My always-on computer at home is a raspberry pi with a 32GB USB stick. Best self-hosted dropbox you could imagine.

³ You can just forward the port, but not open a shell, by adding the -N command. This could be useful for connecting on startup, e.g. in /etc/rc.local. I prefer to open the shell to forward the ports, maybe use it, and close it to stop it.
2012-11-30 14:54:10 +00:00			`If you're anything like me¹, you have a copy of your annex on a computer running at home², set up so you can access it from anywhere like this:`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
2012-11-30 14:41:15 +00:00			`ssh myhome.no-ip.org`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
2012-11-30 14:49:02 +00:00			`This is totally great! Except, there is no way for your home computer to pull your changes, because there is no on-the-go.no-ip.org. You can get clunky and use a bare git repository and git push, but there is a better way.`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
2012-11-30 14:49:02 +00:00			`First, install openssh-server on your on-the-go computer`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
2012-11-30 14:57:25 +00:00			`sudo apt-get install openssh-server # Adjust to your flavor of unix`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
2012-11-30 14:49:02 +00:00			`Then, log into your home computer, with port forwarding:`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
Fixed some comm commandline typos 2013-08-14 05:24:33 +00:00			`ssh me@myhome.no-ip.org -R 2201:localhost:22`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
2012-11-30 14:49:02 +00:00			`Your home computer can now ssh into your on-the-go computer, as long as you keep the above shell running.`

			`You can now add your on-the-go computer as a remote on your home computer. Use the port forwarding shell you just connected with the command above, if you like.`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
2012-11-30 14:41:15 +00:00			`ssh-keygen -t rsa`
Fixed some comm commandline typos 2013-08-14 05:24:33 +00:00			`ssh-copy-id "me@localhost -p 2201"`
2012-11-30 14:41:15 +00:00			`cd ~/annex`
Another typo 2013-08-14 05:27:41 +00:00			`git remote add on-the-go ssh://me@localhost:2201/home/myuser/annex`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
2012-11-30 14:54:10 +00:00			`Now you can run normal annex operations, as long as the port forwarding shell is running³.`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
2012-11-30 14:41:15 +00:00			`git annex sync`
			`git annex get on-the-go some/big/file`
rename status to info, and update docs 2013-11-07 16:45:59 +00:00			`git annex info`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00
			`You can add more computers by repeating with a different port, e.g. 2202 or 2203 (or any other).`

			`If you're security paranoid (like me), read on. If you're not, that's it! Thanks for reading!`

2012-11-30 14:49:53 +00:00			`---`
2012-11-30 14:41:15 +00:00			`Paranoid Area`
2012-11-30 14:41:58 +00:00
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00			`Note you're granting passwordless access to your on-the-go computer to your home computer. I believe that's all right, as long as:`

			`* Your home computer is really in your home, and not at a friend's house or some datacenter`
			`* Your home computer can be accessed only by ssh, and not HTTP or Samba or NTP or (shoot me now!) FTP`
			`* Only you (and perhaps trustworthy family) have access to your home computer`
			`* You have reasonably strong passwords or key-only logins on both your home and on-the-go computers.`
			`* You regularly install security updates on both computers (sudo apt-get update && sudo apt-get upgrade)`

			`In any case, the setup is much, much, much more secure than Dropbox. With Dropbox, you have exactly the same setup, but:`

			`* Your data is stored in some datacenter. It's supposed to be encrypted. It might not be.`
			`* Lot's of people have routine access to your files, and plausible reason to. Bored employees might regularly be doing some 'maintenance work' involving your pictures.`
2012-11-30 15:02:16 +00:00			`* The dropbox software can do anything it likes on your computer, and it's closed source so you don't know if it does. A disgruntled employee could put a trojan into it.`
			`* Dropbox might have a backdoor for employee access to any file on your computer. This might be done with the best of intentions, but a mal-intentioned or careless employee might still erase things or send sensitive files from your computer by email.`
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00			`* A truly huge amount of eyes connected to incredibly smart brains have looked at openssh and found it secure. Everybody trusts openssh. With dropbox, there is, well, dropbox. Whoever that is.`
2012-11-30 15:02:16 +00:00
Use case for two-way sync using your own metal 2012-11-30 14:38:42 +00:00			`-----`

2012-11-30 14:55:40 +00:00			`¹ Me=Carlo, not Joey. I'm pretty sure doing what I wrote here is a good idea, but in case it turns out to be catastrophically dumb, it's my fault, not his.`
2012-11-30 14:51:35 +00:00
2012-11-30 14:54:10 +00:00			`² My always-on computer at home is a raspberry pi with a 32GB USB stick. Best self-hosted dropbox you could imagine.`

			`³ You can just forward the port, but not open a shell, by adding the -N command. This could be useful for connecting on startup, e.g. in /etc/rc.local. I prefer to open the shell to forward the ports, maybe use it, and close it to stop it.`