
We are looking to configure a 'transparent' SSH gateway that passes authentication on to an upstream SSH server based upon the username in the SSH request. All users will be using public key authentication, no passwords. We'd like for the applicable public keys to be stored on the clients' upstream servers only, not the gateway; the gateway simply proxies the connection based upon the username. Can this be done with an SSHD configuration? Or even HAProxy? Can the public key lookup location in the SSHD configuration be configured to check a remote server, e.g. a remote public-key server?

A diagram of what we're looking for:

Transparent SSH Gateway w/ Remote Public-key Server

hermetik
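OpenSSH does have a hook for the last part of the question: the `AuthorizedKeysCommand` directive in sshd_config makes sshd run an external program on every public-key authentication attempt and treat its standard output as the authorized_keys content for that user, so the keys themselves need not live on the gateway. The script below is an added example, not code from the original post or its comments: a POSIX sh helper for that directive which pulls a user's keys from a remote key server over HTTPS. The directive names and the `%u` token are real OpenSSH syntax; the key server URL, the install path and the `sshkeys` service account are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: an AuthorizedKeysCommand helper that fetches
# a user's public keys from a remote key server instead of reading ~/.ssh/authorized_keys.
#
# Assumed sshd_config fragment on the gateway (the directives are real OpenSSH syntax; the
# path and the 'sshkeys' account are assumptions):
#
#   AuthorizedKeysFile none
#   AuthorizedKeysCommand /usr/local/libexec/fetch-authorized-keys %u
#   AuthorizedKeysCommandUser sshkeys
#
# sshd refuses to run the command unless it is owned by root and not group/world writable.

set -eu

# Assumed key server; sshd expects one key per line on stdout, exactly like authorized_keys.
KEYSERVER_URL="${KEYSERVER_URL:-https://keys.example.internal/users}"
FETCH_TIMEOUT=5

# %u is whatever login name the client asked for, so validate it before it reaches a URL:
# lower-case POSIX-style names only, which rules out path traversal and query injection.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# Keep only bare public-key lines (key type, base64 blob, optional comment). Key options
# such as command= or from=, blank lines and HTML error pages are dropped, so a misbehaving
# or compromised key server cannot smuggle options into the effective authorized_keys.
filter_keys() {
    grep -E '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$' || true
}

# Fetch and filter the keys for one user. Any failure yields empty output or a nonzero
# exit, both of which sshd treats as "no authorized keys" for this attempt.
fetch_keys() {
    username="$1"
    valid_username "$username" || { echo "fetch-authorized-keys: rejected username" >&2; return 1; }
    # --fail turns HTTP errors into empty output instead of an error page; TLS is verified.
    curl --silent --show-error --fail --max-time "$FETCH_TIMEOUT" \
        "$KEYSERVER_URL/$username/keys" | filter_keys
}

# Constructed sample of a key-server response for the offline self-check (the blobs are
# truncated placeholders, not real keys): exactly one bare key line must survive.
SAMPLE_RESPONSE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGq9 alice@laptop
command="id" ssh-rsa AAAAB3NzaC1yc2E injected-option
<html>502 Bad Gateway</html>'

self_check() {
    [ "$(printf '%s\n' "$SAMPLE_RESPONSE" | filter_keys)" = 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGq9 alice@laptop' ]
}

if [ $# -gt 0 ]; then
    fetch_keys "$1"
else
    # Run with no argument to exercise the filter offline; output goes to stderr so that a
    # misconfigured sshd (missing %u) never receives a key line from this branch.
    self_check && echo 'self-check passed' >&2
fi
```

Two caveats apply. First, sshd still needs a local account (or a `Match` block) for every login name the gateway should accept; `AuthorizedKeysCommand` replaces the key lookup, not the user lookup. Second, fetching keys this way keeps them off the gateway's disk but does not by itself hand the session to the upstream server: the user authenticates to the gateway and then hops onward, which from the client side is `ssh -J gateway upstream` (`ProxyJump`) with the upstream's own key check.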
    *the gateway simply proxies the connection based upon the username* seems impossible -- the username is not known until ssh negotiation begins, but you are proposing ssh negotiation to start after the username has been identified. I also have an intuitive sense that you are trying to do something the hard way. With stock, standard openssl, if I have a valid key to a bastion, a key to a target host behind it, and correct local config, I can simply type "ssh target-hostname" on my local machine and access the target via the bastion... transparently, from my perspective. – Michael - sqlbot Feb 11 '18 at 19:40
  • Our company uses something similar for the SSH proxy (just relaying the connections, not storing any key etc.), but we are doing it with hardware (BlueCoat proxies/load balancers and McAfee proxies). I suppose you could surely do it with IP forwarding only or simple proxies or software like SecureTransport. – olivierg Feb 11 '18 at 21:41

0 Answers