git: pushing through socks5 proxy with ProxyCommand+ncat fails
socks5 proxy runs as follows
ss-local ... -l 1080 ...
pushing w/ proxychains suceeds
$ proxychains git push
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/libproxychains4.so
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain ... 127.0.0.1:1080 ... github.com:22 ... OK
Warning: the RSA host key for 'github.com' differs from the key for the IP address '224.0.0.1'
Offending key for IP in /home/darren/.ssh/known_hosts:40
Matching host key in /home/darren/.ssh/known_hosts:2
Everything up-to-date
pushing w/ ProxyCommand+ncat fails
$ env GIT_SSH_COMMAND="ssh -vvv -o ProxyCommand='ncat -vvvv --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p'" /usr/bin/git push
OpenSSH_8.4p1, OpenSSL 1.1.1i 8 Dec 2020
debug1: Reading configuration data /home/darren/.ssh/config
debug1: /home/darren/.ssh/config line 4: Applying options for github.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/darren/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/darren/.ssh/known_hosts2'
debug1: Executing proxy command: exec ncat -vvvv --proxy-type socks5 --proxy 127.0.0.1:1080 github.com 22
debug1: identity file /home/darren/.ssh/id_rsa type 0
debug1: identity file /home/darren/.ssh/id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
Ncat: Version 7.91 ( https://nmap.org/ncat )
libnsock nsock_set_loglevel(): Set log level to DEBUG
NCAT DEBUG: Using system default trusted CA certificates and those in /usr/share/ncat/ca-bundle.crt.
Ncat: Connected to proxy 127.0.0.1:1080
Ncat: No authentication needed.
Ncat: Host github.com will be resolved by the proxy.
Ncat: connection succeeded.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock nsock_iod_new2(): nsock_iod_new (IOD #2)
libnsock nsock_loop(): nsock_loop() started (no timeout). 0 events pending
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #1)
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #2)
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Info
$ uname -r
5.10.4-arch2-1
$ pacman -Qii proxychains-ng | grep Version
Version : 4.14-2
$ git --version
git version 2.30.0
$ ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1i 8 Dec 2020
$ ncat --version
Ncat: Version 7.91 ( https://nmap.org/ncat )
~/.ssh/config
...
Host github.com
User git
IdentityFile ~/.ssh/id_rsa
StrictHostKeyChecking no
...
/etc/proxychains.conf
strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 1080
As it said in comments, it's a bug in ncat
. It's fixed in master
, but current version of macOS's homebrew still contains an old version.
For me compiling master
from the nmap repo (and using the produced binary) fixed the issue.
UPD. Nmap (and ncat) just got updated to 7.92 in Homebrew, it works fine, and there is no more need to compile it.
❯ ncat --version
Ncat: Version 7.92 ( https://nmap.org/ncat )