Make SSH server to forward connection per user
Is there any way to force OpenSSH (or create a proxy of some kind) to forward one user to one machine and another user to another machine just by the username that he (or she) provided?
I've got the following problem: I'm going to run GitLab in a Docker container and simultaneously an SSH server on the host machine. GitLab listens for SSH connections, but it's interested only in the "git" user, distinguishing clients by SSH keys.
So the setup that I'd like to create is either of the following:
- A proxy on port 22 on the host machine that forwards the whole session to the Docker GitLab when the provided user is "git", or to the host SSH (which might listen on another port; what's important is that the client isn't aware of this) when the username is different.
- Host SSH handling every user except "git" internally and forwarding the session to the Docker container when the username is "git".
Just to be clear: the Docker container uses a bridge and is reachable from the host by a unique IP address different from the host IP.
A similar question was asked on Stack Overflow (https://stackoverflow.com/questions/8505445/setup-ssh-server-to-forward-connections), but no answer there solves this problem; the most helpful one suggested a custom shell, but I found no way to create something like that.
linux networking ssh git docker
Which problem are you trying to solve? I think your question is more about the solution you think is the right one and not about a possibly better solution you haven't taken into consideration.
– Mircea Vutcovici
Jun 6 '16 at 22:11
Well, one solution is just to expose Docker at 22 and the host SSH at, for example, 222 (or another one). But I'm interested in both being available at the same port and distinguished by the username; I don't yet know the right solution for that.
– Mikz
Jun 6 '16 at 22:18
You could use a different IP for GitLab and have both SSH servers on port 22.
– Mircea Vutcovici
Jun 7 '16 at 2:37
Yep, I am aware of this, but unfortunately I've got a single IP for the whole machine.
– Mikz
Jun 7 '16 at 8:58
edited May 23 '17 at 12:41 by Community♦
asked Jun 6 '16 at 21:15 by Mikz
1 Answer
SSH TCP port tunneling is configured by the ssh client. On the server, you can only limit the tunneling configuration using permitopen=host:port in authorized_keys.
Another way to redirect the traffic would be to use Netfilter/iptables with -m owner --uid-owner $UID and the DNAT target.
answered Jun 6 '16 at 21:33
Mircea VutcoviciMircea Vutcovici
I'm interested in the server-side way that doesn't require the client to modify its ssh config. Regarding your second suggestion: could you be a little more specific? That article (linuxpoison.blogspot.com/2010/11/…) states that the flags you provided can limit outbound traffic from a specific user ON the machine. I want to filter connections by the username that tries to log in FROM outside and forward them to another IP if the username matches some string ("git" in this specific case).
– Mikz
Jun 6 '16 at 21:58
Basically you need something like...
-t nat -A PREROUTING -m owner --uid-owner $UID -j DNAT --to-destination $GITIP
– Mircea Vutcovici
Jun 6 '16 at 22:09
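Two facts decide where the routing can happen: the iptables owner match only applies to packets generated locally (it is accepted only in the OUTPUT and POSTROUTING chains), and the SSH username travels inside the encrypted transport after key exchange, so neither a packet filter nor a plain TCP proxy on port 22 ever sees it. The only component on the host that knows the login name is sshd itself, which is the question's second option: let the host sshd authenticate the "git" user and hand the session to the container. The script below is an added example, not code from the thread, from GitLab or from OpenSSH. It assumes a hypothetical deployment in which the host's sshd_config contains a `Match User git` block with `ForceCommand /usr/local/bin/git-relay <container-address>`, so that sshd runs it with the client's request in `SSH_ORIGINAL_COMMAND`; the container address, script path and identity-file argument are placeholders. The security-relevant part is the allow-list: a forced command that relays whatever the client sent would turn the host account into an open shell on the container, so only the three git server subcommands with a well-formed repository path are passed on.

```python
#!/usr/bin/env python3
"""Forced-command relay for a host-side 'git' account.

Added example, not code from the thread or from GitLab. Assumed (hypothetical)
deployment on the host sshd, matching the question's second option:

    Match User git
        ForceCommand /usr/local/bin/git-relay 172.17.0.2

sshd on the host authenticates the client, puts the client's request into
SSH_ORIGINAL_COMMAND, and this script relays only a well-formed git command to
GitLab's sshd inside the container (the address is a constructed placeholder).
"""
import os
import re
import shlex
import sys

# The only commands a git client sends over SSH; everything else is refused.
ALLOWED_SUBCOMMANDS = {"git-upload-pack", "git-receive-pack", "git-upload-archive"}

# Relative path of simple segments ending in ".git": no leading "/", no empty
# segments, no shell metacharacters. ".." is rejected separately below.
REPO_PATH = re.compile(
    r"^(?:[A-Za-z0-9_][A-Za-z0-9._-]*/)*[A-Za-z0-9_][A-Za-z0-9._-]*\.git$"
)


def parse_git_command(original):
    """Return (subcommand, repo_path) for an acceptable command, else None.

    A git client sends e.g.  git-upload-pack 'group/project.git'
    shlex.split removes the client's quoting; the result must be exactly two
    words: an allowed subcommand and a well-formed repository path.
    """
    if not original:
        return None
    try:
        words = shlex.split(original)
    except ValueError:  # unbalanced quotes
        return None
    if len(words) != 2:
        return None
    subcommand, repo_path = words
    if subcommand not in ALLOWED_SUBCOMMANDS:
        return None
    if ".." in repo_path or not REPO_PATH.fullmatch(repo_path):
        return None
    return subcommand, repo_path


def build_relay_argv(subcommand, repo_path, container, identity=None):
    """argv for the outbound ssh to the container's GitLab sshd.

    Options are pinned here rather than taken from the environment, so the
    client cannot influence host-key checking or trigger an interactive prompt.
    The path is re-quoted so the remote shell sees it as one word.
    """
    argv = ["ssh", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=yes"]
    if identity:
        argv += ["-i", identity]
    argv += [f"git@{container}", subcommand, shlex.quote(repo_path)]
    return argv


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: git-relay CONTAINER_ADDR [IDENTITY_FILE]\n")
        return 2
    container = argv[1]
    identity = argv[2] if len(argv) > 2 else None
    parsed = parse_git_command(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if parsed is None:
        # Interactive logins and anything that is not a git command stop here.
        sys.stderr.write("fatal: only git commands are relayed\n")
        return 1
    subcommand, repo_path = parsed
    # execvp replaces this process; the git client's stdin/stdout are inherited,
    # which is all the git packet protocol needs.
    os.execvp("ssh", build_relay_argv(subcommand, repo_path, container, identity))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this in place a client runs `git clone git@host:group/project.git` against port 22 as usual, and every other username is handled by the host sshd without any forwarding. One caveat the thread does not cover: the relay authenticates to the container with its own key, so GitLab inside the container sees a single identity for every host-side client. If per-client identity matters (the question says GitLab distinguishes clients by key), the mapping has to be done on the host, for instance with one `command="/usr/local/bin/git-relay <container-address> <per-client-identity-file>"` entry per public key in the git account's authorized_keys.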
Thanks, I'll look into that! I'll definitely post some feedback.
– Mikz
Jun 6 '16 at 22:25