3

I want to forward port 22 (ssh) to port 7999 (where bitbucket is running) only for user git, and use the normal sshd for every other user. I looked at HAProxy for the ssh forwarding, but that doesn't let me differentiate per user.

How do I configure this on the server? I don't want each individual client to configure a ProxyCommand in their .ssh/config.

Amedee Van Gasse
  • 328
  • 3
  • 18

2 Answers

1

You can try something along this line (untested):

In /etc/ssh/sshd_config (or similar), add something like this:

Match user git 
    ForceCommand ssh git@localhost -p 7999 

Don't forget to reload/restart sshd. This should "tunnel" the connection to Bitbucket on port 7999. Alternatively, a netcat might also work (ForceCommand nc localhost 7999).

As I said, this is untested but it works for me to redirect an ssh connection to another host altogether.

Sven
  • 98,649
  • 14
  • 180
  • 226
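
The idea in the answer above, carried one step further as an added example (not code from the answer, from OpenSSH or from Bitbucket): a wrapper for `ForceCommand` that relays only git transport commands taken from `SSH_ORIGINAL_COMMAND` to port 7999 and refuses everything else. The script path, the `--run` argument and the function names are hypothetical, and it assumes the onward `ssh` can authenticate to Bitbucket, for example through a forwarded agent.

```shell
#!/bin/sh
# Added example: ForceCommand wrapper for the "Match user git" block.
# Hypothetical install path: /usr/local/bin/git-forward, used as
#   ForceCommand /usr/local/bin/git-forward --run
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# Return 0 only for: <git verb> '<repo path>' with a conservative path
# character set. sshd places the client's requested command in
# SSH_ORIGINAL_COMMAND when ForceCommand is in effect.
is_allowed_git_command() {
    cmd=$1
    case $cmd in
        "git-upload-pack '"*"'" | "git-receive-pack '"*"'" | "git-upload-archive '"*"'") ;;
        *) return 1 ;;                      # interactive login or any other command
    esac
    path=${cmd#*\'}                         # drop the verb and the opening quote
    path=${path%\'}                         # drop the closing quote
    case $path in
        '' | -* | *[!A-Za-z0-9._/~-]*) return 1 ;;  # empty, option-like, or unsafe char
    esac
    return 0
}

# Relay an accepted request to Bitbucket on port 7999 (port and target from
# the answer). Assumption: the onward ssh can authenticate, e.g. through a
# forwarded agent.
forward_to_bitbucket() {
    if ! is_allowed_git_command "${SSH_ORIGINAL_COMMAND:-}"; then
        echo "This account only accepts git operations." >&2
        return 1
    fi
    exec ssh -p 7999 git@localhost "$SSH_ORIGINAL_COMMAND"
}

# Only act when invoked as the ForceCommand; sourcing the file defines the
# functions without side effects.
if [ "${1:-}" = "--run" ]; then
    forward_to_bitbucket
fi
```

Because the check rejects an empty `SSH_ORIGINAL_COMMAND`, an interactive login as `git` is refused rather than handed a shell on the host.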
1

I don't think you can do this because the user is not known when the connection is initially created, which is when you would need to do the redirect.

Did you know that anything that can go in the per-user ~/.ssh/config can be put in the /etc/ssh/ssh_config file and is globally applied? Perhaps you can use that to configure a ProxyCommand globally.

user9517
  • 115,471
  • 20
  • 215
  • 297
  • I've got the impression that the only two things I can differentiate on, are interface and port number. Host name is not possible because that is already resolved to IP address at the start of ssh, and username is like you write. I know about `/etc/ssh/ssh_config` but the situation is that I'm herding about a dozen developers, and I do this for their convenience. Previously gitlab was on that server, and that hands off non-git users to regular sshd; bitbucket doesn't do that. – Amedee Van Gasse Nov 06 '16 at 12:51
  • Then the best thing to do is educate the developers (which never hurts) on the use of a personal ~/.ssh/config file. – user9517 Nov 06 '16 at 13:13