2

Every user has a dedicated machine, but it is not exposed to the outside world. The 'gateway' is the only system that is exposed.

The user has no idea of this setup. He just does `ssh username@gateway`, which should be equivalent to `ssh username@username.internal`.

Can we configure a gateway sshd with which we can achieve this? Each machine has a single user. So, there can't be any confusion in determining the upstream server.

svr

1 Answer

1

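Setting up

```
Match group proxyUsers
  ForceCommand /bin/connect_to_user_machine
```

and having `/bin/connect_to_user_machine`

```
#!/bin/bash
# SSH_ORIGINAL_COMMAND holds the command the client asked for (empty for a login shell)
ssh "$USER@$USER.internal" $SSH_ORIGINAL_COMMAND
```

will do the job.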

Jakuje
  • Can I also pass the arguments given to `ssh user@gateway` to ssh `user@user.internal`? – svr May 19 '16 at 11:45
  • It would need some modification. See edited answer. – Jakuje May 19 '16 at 11:55
  • Is it possible to not have the user accounts on the gateway machine? I.e., I would like the upstream ssh server to do the auth (the ForceCommand would be unconditional). – svr May 19 '16 at 13:42
  • I don't think so. The username is sent as part of the authentication. You don't know beforehand which username the user is trying to use. – Jakuje May 19 '16 at 14:16
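
A hardened variant of the forced-command wrapper discussed in the answer above, as an added example that is not part of the original answer. It assumes the `<user>.internal` naming from the question; `SSH_BIN` is a hypothetical override used only to exercise the logic without a network.

```shell
#!/bin/sh
# Added example: hardened ForceCommand wrapper (not the answer's script).
# Assumption: each backend is named <user>.internal, as in the question.
# SSH_BIN is a hypothetical override so the logic can be exercised offline.

# Accept only conservative account names so the value can never start with
# "-" or carry characters that change the destination.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# $1 = user authenticated by the gateway, $2 = command the client asked for
# (empty for an interactive login).
connect_upstream() {
    if ! valid_user "$1"; then
        echo "refusing unexpected user name" >&2
        return 64
    fi
    if [ -z "$2" ]; then
        # No command: plain login on the user's own machine.
        "${SSH_BIN:-ssh}" "$1@$1.internal"
    else
        # "--" ends option parsing; the client's string travels as one
        # argument and is only ever the remote command.
        "${SSH_BIN:-ssh}" "$1@$1.internal" -- "$2"
    fi
}

# sshd sets SSH_CONNECTION for every session, so the hop only happens when
# the script runs as the forced command.
if [ -n "${SSH_CONNECTION:-}" ]; then
    connect_upstream "${USER:-}" "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```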