I use LXC containers for SSH hosting and I would like to redirect SSH/SFTP traffic (using port 22) to the container's private IP address, but on a user/IP basis. That is, one source port, many destinations.
- ssh ahes@server.com
- we have user 'ahes'; the private IP for this user's container is 10.10.66.66
- redirect traffic to 10.10.66.66:22
It is not possible for me to assign a public IP address to each container.
Possible solutions I figured out:
Easy one: forget about the global port 22 and use a port matching the particular user. For example, ahes would have port 6666. Then redirect traffic with a simple iptables rule: server.com:6666 => 10.10.66.66:22. The disadvantage is that in some places ports other than 22/80/443 are blocked.
Use the ForceCommand directive in sshd on the parent server:

    Match Group users
        ForceCommand /usr/local/bin/ssh.sh
ssh.sh script:

    #!/bin/bash
    # ...some logic here to find user IP address
    # run ssh to the container, forwarding the original command
    exec ssh "$USER@$IP" "$SSH_ORIGINAL_COMMAND"
This solution is almost good, but I didn't find a way to make SFTP work with this configuration.
The other consideration is that I cannot dig into the protocol, because encryption is done before any data identifying the user is sent. Furthermore, I don't really have the skills to hack the sshd source code, and keeping the parent server with the original packages is very desirable for security reasons.
I also found the libpam-nufw package, used for authentication at the connection level (iptables), but I think it is for other purposes.
I would appreciate any clues. Thank you.
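The ForceCommand relay the question sketches, written out as a complete example. This is added illustration code, not the poster's script or anything from OpenSSH or LXC. It assumes a root-owned map file `/etc/ssh/container-map` with one `login ip` pair per line, a dedicated gateway key `/etc/ssh/gateway_key` that the containers trust, a pinned known_hosts file `/etc/ssh/container_known_hosts` for the containers' host keys, and the script name `ssh-gateway.sh`; all of these are assumptions, not values from the post. The SFTP case the post could not get working is handled by classifying `SSH_ORIGINAL_COMMAND`: for a subsystem request sshd puts the configured Subsystem command there (`internal-sftp` or a `sftp-server` path) rather than a user command, so the relay re-requests the subsystem on the container with `ssh -s`.

```shell
#!/bin/sh
# ssh-gateway.sh: hypothetical ForceCommand relay (added example, not from the post).
# sshd runs it for every login in the matched group; it looks up the user's
# container and re-connects to it with a dedicated gateway key, handling the
# three session types sshd can hand to a forced command: shell, exec, subsystem.

# Assumed paths (root-owned, not writable by the relayed users):
CONTAINER_MAP="${CONTAINER_MAP:-/etc/ssh/container-map}"              # "login ip" per line
GATEWAY_KEY="${GATEWAY_KEY:-/etc/ssh/gateway_key}"                    # key trusted by the containers
CONTAINER_HOSTS="${CONTAINER_HOSTS:-/etc/ssh/container_known_hosts}"  # pinned container host keys

# Accept only plain lower-case login names so the name is safe to place on a
# command line (no leading dash, no shell metacharacters).
valid_login() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the container IP for login $1 from map file $2; fail if absent.
container_ip_for() {
    awk -v u="$1" '$1 == u { print $2; found = 1; exit } END { exit !found }' "$2"
}

# Classify the request from SSH_ORIGINAL_COMMAND ($1). For a subsystem request,
# sshd places the configured Subsystem command there (e.g. internal-sftp or
# /usr/lib/openssh/sftp-server); an interactive shell request leaves it empty.
session_kind() {
    case "$1" in
        '')                          echo shell ;;
        internal-sftp|*/sftp-server) echo sftp ;;
        *)                           echo exec ;;
    esac
}

relay() {
    user=$(id -un)
    valid_login "$user" || { echo "gateway: refusing login name" >&2; exit 1; }
    ip=$(container_ip_for "$user" "$CONTAINER_MAP") \
        || { echo "gateway: no container mapped for $user" >&2; exit 1; }

    # BatchMode + strict, pinned host keys: the relay must never prompt and
    # must not silently accept a container that presents an unknown host key.
    set -- -o BatchMode=yes -o StrictHostKeyChecking=yes \
           -o UserKnownHostsFile="$CONTAINER_HOSTS" -i "$GATEWAY_KEY"

    case "$(session_kind "${SSH_ORIGINAL_COMMAND:-}")" in
        sftp)  exec ssh "$@" -s "$user@$ip" sftp ;;                  # re-request the subsystem
        shell) exec ssh "$@" ${SSH_TTY:+-t} "$user@$ip" ;;           # keep the pty if we got one
        exec)  exec ssh "$@" "$user@$ip" "$SSH_ORIGINAL_COMMAND" ;;  # forward the command
    esac
}

# Relay only when launched by sshd (which sets SSH_CONNECTION); sourcing the
# file elsewhere just defines the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then
    relay
fi
```

Two points matter for keeping the parent server's trust boundary intact: the relayed user never chooses the destination (the map file is root-owned and the login name is validated before it reaches the command line), and the inner connection fails closed (`BatchMode=yes` plus `StrictHostKeyChecking=yes` with a pinned known_hosts file) instead of prompting or trusting a new host key. The gateway key must be one the containers accept for the corresponding user; the containers should still run their own sshd with its normal hardening, since the relay only moves the session, not the authorization.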