Is there any way to force OpenSSH (or create a proxy of some kind) to forward one user to one machine and another user to another machine just by the username that he (or she) provided?

I've got the following problem: I'm going to run GitLab in a Docker container and simultaneously an SSH server on the host machine. GitLab listens for SSH connections, but it's interested only in the "git" user, distinguishing clients by SSH keys. So the setup that I'd like to create is either of the following:

  1. A proxy on port 22 on the host machine that forwards the whole session to the Docker GitLab when the provided user is "git", or to the host SSH (which might listen on another port; what's important is that the client isn't aware of this) when the username is different.
  2. Host SSH handling every user except "git" internally and forwarding the session to the Docker container when the username is "git".

Just to be clear: the Docker container runs on a bridge and is reachable from the host by a unique IP address different from the host IP.

There was a similar question asked on Stack Overflow (https://stackoverflow.com/questions/8505445/setup-ssh-server-to-forward-connections), but there was no answer that solves that problem; the most helpful was the one suggesting a custom shell, but I found no way to create something like that.

Mikz
  • Which problem are you trying to solve? I think your question is more about the solution you think is the right one and not about maybe a better solution you haven't taken into consideration. – Mircea Vutcovici Jun 06 '16 at 22:11
  • Well, one solution is just to expose Docker at 22 and host SSH for example at 222 (or another one). But I'm interested in both being available at the same port and distinguished by the username - I don't yet know the right solution for that. – Mikz Jun 06 '16 at 22:18
  • You could use a different IP for GitLab and have both SSH servers on port 22. – Mircea Vutcovici Jun 07 '16 at 02:37
  • Yep, I am aware of this, but unfortunately I've got single IP for the whole machine. – Mikz Jun 07 '16 at 08:58

1 Answer

The SSH TCP port tunneling is configured by the ssh client. On the server, you can only limit the tunneling configuration using permitopen=host:port in authorized_keys.

Another way to redirect the traffic would be to use Netfilter/iptables with -m owner --uid-owner $UID and DNAT target.

Mircea Vutcovici
  • I'm interested in the server-side way that doesn't require the client to modify the ssh config on the client. As for your second piece of advice - could you be a little more specific? This article: http://linuxpoison.blogspot.com/2010/11/how-to-limit-network-access-by-user.html states that the flags you provided can limit outgoing traffic from a specific user ON the machine. I want to filter connections by the username that tries to log in FROM outside and forward them to another IP if the username matches some string ("git" in that specific case) – Mikz Jun 06 '16 at 21:58
  • Basically you need something like... `-t nat -A PREROUTING -m owner --uid-owner $UID -j DNAT --to-destination $GITIP` – Mircea Vutcovici Jun 06 '16 at 22:09
  • Thanks, I'll look into that! I'll definitely post some feedback – Mikz Jun 06 '16 at 22:25