Optionally, any number of remotetunnel elements can be used to define remote port forwarding over the SSH connection. If the remotetunnels parameter was also specified, both sets of tunnels will be established.
sequential
The sequential element is a required parameter. It is a container for nested Tasks which are to be executed once the SSH connection and all local and/or remote tunnels are established.
Examples
Connect to a remote machine using password authentication, forward the local cvs port to the remote host, and execute a cvs command locally, which can use the tunnel.
<sshsession host="somehost"
            username="dude"
            password="yo"
            localtunnels="2401:localhost:2401">
  <sequential>
    <cvs command="update ${cvs.parms} ${module}"
         cvsRoot="${cvs.root}"
         dest="${local.root}"
         failonerror="true"/>
  </sequential>
</sshsession>
Do the same thing using a nested localtunnel element.
<sshsession host="somehost"
            username="dude"
            password="yo">
  <localtunnel lport="2401" rhost="localhost" rport="2401"/>
  <sequential>
    <cvs command="update ${cvs.parms} ${module}"
         cvsRoot="${cvs.root}"
         dest="${local.root}"
         failonerror="true"/>
  </sequential>
</sshsession>
Connect to a remote machine using key authentication, forward port 1080 to port 80 of an intranet server which is not directly accessible, then run a get task using that tunnel.
<sshsession host="somehost"
            username="dude"
            keyfile="${user.home}/.ssh/id_dsa"
            passphrase="yo its a secret">
  <localtunnel lport="1080" rhost="intranet.mycomp.com" rport="80"/>
  <sequential>
    <get src="http://localhost:1080/somefile" dest="temp/somefile"/>
  </sequential>
</sshsession>
Security Note: Hard coding passwords or passphrases and/or usernames in the sshsession task can be a serious security hole. Consider using variable substitution and include the password on the command line. For example:
<sshsession host="somehost"
            username="${username}"
            password="${password}"
            localtunnels="2401:localhost:2401">
  <sequential>
    <sometask/>
  </sequential>
</sshsession>
Invoking ant with the following command line:
ant -Dusername=me -Dpassword=mypassword target1 target2
is slightly better, but the username/password is exposed to all users on a Unix system (via the ps command). The best approach is to use the <input> task and/or retrieve the password from a (secured) .properties file.
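The approach recommended in the security note, as an added example that is not part of the original documentation: credentials come from a properties file and, where that file does not supply them, from an interactive prompt. The project and target names, the property names ssh.username and ssh.password, and the file location are assumptions chosen for illustration; sometask is the placeholder used above.

```xml
<project name="tunnel-example" default="update" basedir=".">

  <!-- Assumed location: a file outside the source tree, readable only by
       the build user (chmod 600), holding ssh.username and ssh.password. -->
  <property file="${user.home}/.ant/ssh-credentials.properties"/>

  <target name="credentials">
    <!-- The input task is skipped when its property is already set, so
         these prompts appear only if the properties file gave no value. -->
    <input message="SSH username:" addproperty="ssh.username"/>
    <!-- The secure handler (Ant 1.8+, Java 6+) reads without echoing. -->
    <input message="SSH password:" addproperty="ssh.password">
      <handler type="secure"/>
    </input>
  </target>

  <target name="update" depends="credentials">
    <sshsession host="somehost"
                username="${ssh.username}"
                password="${ssh.password}"
                localtunnels="2401:localhost:2401">
      <sequential>
        <sometask/>
      </sequential>
    </sshsession>
  </target>

</project>
```

Run it as plain `ant update`: no credential appears in the process argument list, so nothing is visible through ps.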