Good evening,
I'm currently trying to get my hands a bit deeper into Linux than I'm familiar with.

Let's get straight to my problem:
First, let's talk about my setup.
I have 3 servers, with each having a public IP.
Each server is part of a VLAN.
Server #1 (vlan 10.0.0.2) is not protected by a firewall.
Server #2 (vlan 10.0.0.3) and Server #3 (vlan 10.0.0.4) are completely blocked off from the internet and can only be accessed from the vlan.
Server #2 runs a KeyCloak container. However, this is irrelevant to the problem.
Server #3 should serve as my git server.
Normally I would just create a git user and link the authorized_keys file to the one of my GitLab container. Each public key would be prefixed with a command, which would then pass the connection to the ssh daemon inside the container.
But since Server #3 is not publicly accessible, I need to accept the incoming ssh connection on Server #1.
I created a git user and started to think about how I can overcome this problem.

I thought about two ways I could handle it.

  1. Allow the git user to be accessed without a password and open a connection to git@10.0.0.4 (does this work? Does the client ssh-agent work in this case? Could an attacker get out of the internal ssh connection and do stuff on Server #1?)
  2. Server #3 connects regularly to Server #1 and updates the authorized_keys file (then I would have to write a second script at the command location, which would then open the connection to Server #3. This would be slower, because the user has to wait till Server #3 syncs with Server #1)
  • 3. Make server 3 publicly accessible. – Michael Hampton Jun 28 '21 at 00:01
  • @MichaelHampton that is not helpful at all and not what I was asking about – Nick Strohm Jun 28 '21 at 00:09
  • It is precisely what you were asking about and it is the simplest and most reliable solution. If you do not wish to consider it, you should explain in detail why you do not wish to do it. – Michael Hampton Jun 28 '21 at 00:21
  • @MichaelHampton I explained my networking setup and assumed that it would be clear that I want Server #1 to be considered as a gateway to every other server and it should stay like that. My bad for not explicitly stating my intention. This is basically a requirement for the whole setup. This means: if you're inside the network, you are able to do whatever you want. If you're not, you have to access it via the gateway, whether by using predefined "routes" (for example ssh user which automatically connects to the git server etc) or by connecting via ssh. – Nick Strohm Jun 28 '21 at 00:46

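Added example, not part of the original question or its comments: a forced-command wrapper for the `git` account on Server #1 that implements option 1 above. The client's key goes into Server #1's authorized_keys with a `command=` prefix pointing at this script; the script relays only `git-upload-pack` / `git-receive-pack` with a sanitised repository path to `git@10.0.0.4`, using a dedicated hop key that Server #3's authorized_keys then forwards into the container as the question already describes. The script path `/usr/local/bin/git-jump` and the key path `/home/git/.ssh/jump_ed25519` are assumptions; the addresses are the ones from the question.

```shell
#!/bin/sh
# git-jump: forced command for the "git" account on Server #1 (assumed path /usr/local/bin/git-jump).
# Example authorized_keys line on Server #1 for one user (constructed, key material elided):
#   command="/usr/local/bin/git-jump",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... user@laptop
# sshd exports the command the client asked for in SSH_ORIGINAL_COMMAND; nothing else is ever run.

GIT_TARGET="git@10.0.0.4"                # Server #3 from the question
JUMP_KEY="/home/git/.ssh/jump_ed25519"   # assumption: dedicated, passphrase-less hop key owned by git on Server #1

# validate_git_cmd CMD
# Returns 0 only for   git-upload-pack '<repo>'   or   git-receive-pack '<repo>'
# where <repo> is a relative path built from [A-Za-z0-9._/-], ends in .git, and contains no "..".
# Everything else (shells, extra arguments, absolute paths, traversal, embedded quotes) returns 1.
validate_git_cmd() {
    cmd=$1
    q="'"
    case "$cmd" in
        "git-upload-pack '"*"'" | "git-receive-pack '"*"'") ;;
        *) return 1 ;;
    esac
    repo=${cmd#* $q}      # drop "git-xxx-pack '"
    repo=${repo%$q}       # drop the closing quote
    case "$repo" in
        ''|/*|-*|*/|*..*|*[!A-Za-z0-9._/-]*) return 1 ;;   # empty, absolute, option-like, trailing /, traversal, odd chars
        *.git) return 0 ;;
        *) return 1 ;;
    esac
}

# forward_git_cmd CMD
# Replace this process with an ssh session to Server #3 that runs the already validated command.
# BatchMode stops any prompt; IdentitiesOnly pins the hop key; host key must already be in known_hosts.
forward_git_cmd() {
    exec ssh -i "$JUMP_KEY" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o StrictHostKeyChecking=yes "$GIT_TARGET" "$1"
}

# Only act as the forced command when installed under the expected name,
# so the functions above can also be sourced or tested without opening a connection.
if [ "${0##*/}" = "git-jump" ]; then
    if validate_git_cmd "${SSH_ORIGINAL_COMMAND:-}"; then
        forward_git_cmd "$SSH_ORIGINAL_COMMAND"
    else
        printf 'git-jump: only git-upload-pack/git-receive-pack on a relative *.git path are relayed\n' >&2
        exit 1
    fi
fi
```

Two points worth noting about this shape. First, the `no-pty,no-agent-forwarding,no-port-forwarding` restrictions together with the whitelist in `validate_git_cmd` are what keep a holder of a valid key from getting a shell on Server #1: the client never chooses what runs there, it can only pick a repository name. Second, Server #3 only ever sees the gateway's hop key, so per-user authorization has to live in Server #1's authorized_keys and the client's own ssh-agent is not involved in the second hop at all. If end-to-end identity matters, the alternative is to make the `git` account on Server #1 a pure jump host (client side `ssh -J git@<server-1>`, server side `ForceCommand`/`PermitOpen` limited to 10.0.0.4:22); then Server #3 authenticates the client's key directly and the gateway never terminates the SSH session.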