
I'm trying to set up ssh/git access through an ssh gate but googling has come up empty. Basically I want any connection to my ssh gate from the user git to be forwarded to my ssh server so that pushes and pulls can be made remotely. However if any other user connects I want them to be logged in as usual.

internet--(git)-->gate--(git)--> git-server

internet--(user)-->gate

Any help or advice would be much appreciated.

One way to do this on the client side is to add the following to your .ssh/config:

Host git.life-hack.org
    HostName          git.life-hack.org
    ProxyCommand      ssh darkclown@www.life-hack.org nc %h %p
    User              git

But I was hoping that there would be a way to do this server side.

Johan

1 Answer


I assume you're talking about Linux and OpenSSH. Please advise if this is not the case.

I understand that the git-server isn't directly reachable from the internet. I don't think you can do what you're proposing automatically just using SSH.

Let's assume gate is on 2.2.2.2 (public IP) and git-server is at 10.10.10.10 (RFC1918).

Depending on what exactly you're trying to achieve and what the constraints are, you could:

1) have the user connecting to the git-server forward a port first:

ssh -N -L2222:10.10.10.10:22 user@2.2.2.2

and then they could log in as:

ssh -p2222 git@localhost

2) on the gate, you could forward connections made to 2.2.2.2:2222 to 10.10.10.10:22 so your user would log in as: ssh -p2222 git@2.2.2.2

This would require a few commands executed on the gate:

# enable IP forwarding on the gate (non-persistent; use sysctl.conf to keep it across reboots)
echo -n 1 > /proc/sys/net/ipv4/ip_forward
# DNAT packets destined for 2.2.2.2:2222 to 10.10.10.10:22
# (PREROUTING/DNAT live in the nat table, so -t nat is required)
iptables -t nat -A PREROUTING -d 2.2.2.2 -p tcp --dport 2222 -j DNAT --to-destination 10.10.10.10:22
# allow responses from 10.10.10.10 to get through
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow forwarding connections to 10.10.10.10:22
iptables -A FORWARD -p tcp --dport 22 -d 10.10.10.10 -j ACCEPT

There's nothing specific to do on the git-server.

Marcin Kaminski
Thanks for the input, I have landed on using the method I edited in at the top since it seems to be impossible to do this server side. Your method is quite similar and it actually reminded me of this method so thank you very much :) The reason I'd prefer it server side is so laptops that are used both from local and external wouldn't run into problems. – Johan Oct 23 '12 at 15:54
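For the laptop case raised in the comment above (the same machine used on the LAN and from outside), the client-side config from the question can be made conditional with an ssh_config Match block. This is an added example, not from the question or answer; it assumes git.life-hack.org resolves to a directly reachable address when on the LAN, that the local nc supports -z/-w (OpenBSD or GNU netcat), and it reuses the darkclown@www.life-hack.org jump host from the question.

```sshconfig
# Added example ~/.ssh/config (assumptions: split DNS makes git.life-hack.org
# reachable directly on the LAN; nc supports -z -w; jump user/host as in the question).

# If the git server answers on port 22 within 2 seconds we are on the LAN:
# disable the proxy. This block must come first, because ssh keeps the
# first value set for each option.
Match host git.life-hack.org exec "nc -z -w 2 %h 22"
    ProxyCommand none

# Otherwise (off the LAN) tunnel through the gate as in the question.
Host git.life-hack.org
    HostName      git.life-hack.org
    User          git
    ProxyCommand  ssh darkclown@www.life-hack.org nc %h %p
```

Note that the exec test runs on every connection attempt to that host and adds up to 2 seconds when the server is unreachable, which is the off-LAN case that then falls through to the proxied block.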