Make SSH server to forward connection per user
Is there any way to force OpenSSH (or create a proxy of some kind) to forward one user to one machine and another user to another machine just by the username that he (or she) provided?

I've got the following problem: I'm going to run GitLab in a Docker container and simultaneously an SSH server on the host machine. GitLab listens for SSH connections, but it's interested only in the "git" user, distinguishing clients by SSH keys.
So the setup that I'd like to create is either of the following:

  1. A proxy on port 22 on the host machine that forwards the whole session to Docker GitLab when the provided user is "git", or to the host SSH (which might listen on another port; what's important is that the client isn't aware of this) when the username is different.

  2. Host SSH handling every user except "git" internally and forwarding the session to the Docker container when the username is "git".

Just to be clear: the Docker container runs on a bridge and is reachable from the host by a unique IP address different from the host IP.

There was a similar question asked on StackOverflow (https://stackoverflow.com/questions/8505445/setup-ssh-server-to-forward-connections), but there was no answer that solves that problem - the most helpful was the one suggesting a custom shell, but I found no way to create something like that.
  • Which problem are you trying to solve? I think your question is more about the solution you think is the right one and not about a possibly better solution you haven't taken into consideration.

    – Mircea Vutcovici
    Jun 6 '16 at 22:11











  • Well, one solution is just to expose Docker at 22 and host SSH at, for example, 222 (or another one). But I'm interested in both being available at the same port and distinguished by the username - I don't yet know the right solution for that.

    – Mikz
    Jun 6 '16 at 22:18











  • You could use a different IP for GitLab and have both SSH servers on port 22.

    – Mircea Vutcovici
    Jun 7 '16 at 2:37













  • Yep, I am aware of this, but unfortunately I've got a single IP for the whole machine.

    – Mikz
    Jun 7 '16 at 8:58
linux networking ssh git docker
edited May 23 '17 at 12:41 by Community
asked Jun 6 '16 at 21:15 by Mikz
1 Answer
The SSH TCP port tunneling is configured by the ssh client. On the server, you can only limit the tunneling configuration using permitopen=host:port in authorized_keys.



Another way to redirect the traffic would be to use Netfilter/iptables with -m owner --uid-owner $UID and DNAT target.
  • I'm interested in the server way that doesn't require the client to modify the ssh config on the client. As for your second piece of advice - could you be a little more specific? That article: linuxpoison.blogspot.com/2010/11/… states that the flags you provided can limit outgoing traffic from a specific user ON the machine. I want to filter connections by the username that tries to log in FROM outside and forward them to another IP if the username matches some string ("git" in that specific case).

    – Mikz
    Jun 6 '16 at 21:58











  • Basically you need something like... -t nat -A PREROUTING -m owner --uid-owner $UID -j DNAT --to-destination $GITIP

    – Mircea Vutcovici
    Jun 6 '16 at 22:09






  • Thanks, I'll look into that! I'll definitely post some feedback.

    – Mikz
    Jun 6 '16 at 22:25
answered Jun 6 '16 at 21:33 by Mircea Vutcovici
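The asker's option 2, done with the "custom shell" idea the question mentions, as an added example that is not code from the question or the answer: a ForceCommand relay shell for the host's git user that passes only git transport commands into the GitLab container. It assumes the sshd_config fragment shown in the comments, a placeholder container address of 172.17.0.2, and that the host's git user holds a key the container's sshd accepts.

```shell
#!/bin/sh
# git-forward.sh: added example, not code from the question or the answer.
# Host-side relay shell for the "git" user. sshd runs it via ForceCommand, so the
# client authenticates against the host and only git transport commands are
# relayed into the GitLab container. Assumed sshd_config (Match blocks go last):
#
#   Match User git
#       ForceCommand /usr/local/bin/git-forward.sh
#       PermitTTY no
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
#
# Placeholders: the container's bridge address and SSH port.
GITLAB_IP="${GITLAB_IP:-172.17.0.2}"
GITLAB_PORT="${GITLAB_PORT:-22}"

# Accept only the three git transport commands in the form git itself sends,
# e.g. git-upload-pack 'group/repo.git', with a conservative repository path.
# Returns 0 if the command may be relayed, 1 otherwise.
allowed_git_command() {
    case "$1" in
        "git-upload-pack '"*"'"|"git-receive-pack '"*"'"|"git-upload-archive '"*"'") ;;
        *) return 1 ;;
    esac
    repo=${1#* }                      # drop the verb, keep 'group/repo.git'
    repo=${repo#\'}; repo=${repo%\'}  # strip the single quotes git adds
    case "$repo" in
        ""|/*|*..*|*[!A-Za-z0-9_./-]*) return 1 ;;  # absolute, traversal, metacharacters
    esac
    return 0
}

# Relay one command into the container or refuse it. Returns 1 on refusal.
forward() {
    cmd=$1
    client=${SSH_CLIENT%% *}
    if [ -z "$cmd" ]; then
        echo "interactive login is not available for git" >&2
        return 1
    fi
    if ! allowed_git_command "$cmd"; then
        logger -t git-forward "refused from $client: $cmd"
        echo "command not permitted" >&2
        return 1
    fi
    logger -t git-forward "relay for $client: $cmd"
    # Assumption: the host's git user holds a key the container's sshd accepts and
    # the container's host key is already in known_hosts (no trust-on-first-use).
    exec ssh -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -p "$GITLAB_PORT" "git@$GITLAB_IP" "$cmd"
}

# sshd passes the client's request in SSH_ORIGINAL_COMMAND (unset for a plain
# shell request, which forward() refuses). Only relay when invoked under the
# installed name, so sourcing the file elsewhere just defines the functions.
case "$0" in
    */git-forward.sh|git-forward.sh) forward "$SSH_ORIGINAL_COMMAND" ;;
esac
```

Because authentication terminates on the host, the container sees every relayed session under the relay key, so per-client identity has to be enforced in the host's own authorized_keys for git. The iptables owner match from the answer's comment is only valid in the OUTPUT and POSTROUTING chains, since the owning socket is known only for locally generated packets, which is why this relay selects on the SSH username inside sshd instead.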