Make SSH server to forward connection per userHow can I use environment variables in Nginx.confRedirect ssh...

Does multi-classing into Fighter give you heavy armor proficiency?

How to write cleanly even if my character uses expletive language?

Relationship between sampajanna definitions in SN 47.2 and SN 47.35

How to explain that I do not want to visit a country due to personal safety concern?

Describing a chess game in a novel

Bach's Toccata and Fugue in D minor breaks the "no parallel octaves" rule?

Is it true that good novels will automatically sell themselves on Amazon (and so on) and there is no need for one to waste time promoting?

Professor being mistaken for a grad student

Employee lack of ownership

Why does a Star of David appear at a rally with Francisco Franco?

Custom alignment for GeoMarkers

This word with a lot of past tenses

What is a ^ b and (a & b) << 1?

Can I use USB data pins as a power source?

English sentence unclear

Did Ender ever learn that he killed Stilson and/or Bonzo?

Book: Young man exiled to a penal colony, helps to lead revolution

Knife as defense against stray dogs

How could an airship be repaired midflight?

Why do passenger jet manufacturers design their planes with stall prevention systems?

Is honey really a supersaturated solution? Does heating to un-crystalize redissolve it or melt it?

Why do tuner card drivers fail to build after kernel update to 4.4.0-143-generic?

How do you talk to someone whose loved one is dying?

What did “the good wine” (τὸν καλὸν οἶνον) mean in John 2:10?



Make SSH server to forward connection per user


How can I use environment variables in Nginx.confRedirect ssh trafic for one user through another portssh: transparent redirect of incoming connections based on host- or usernamegit clone ssh syntax difference?Forward ssh connections to docker container by hostnameCan I make sshd forward connections to another port for a specific user?Dockerfile cloning from private gitlab with ssh and deploy keyGCP/GCE / Docker / GitLab - gitlab_shell_ssh_port - Connection timed outIssue with running a Forward Proxy Container and DNS Server Container on the same hostForward one SSH user login to a different SSH server













4















Is there any way to force OpenSSH (or create a proxy of some kind) to forward one user to one machine and another user to another machine just by the username that he (or she) provided?



I've got following problem: I'm going to run GitLab in Docker container and simultaneously SSH server on the host machine. GitLab listens to SSH connections, but it's interested only in "git" user distinguishing clients by SSH keys.
So the setup that I'd like to create is either of the following:




  1. A proxy on port 22 on the host machine that forwards whole session to Docker Gitlab when provided user is "git" or to the host SSH (might listen to another port, what's important is the client isn't aware of this) when username is different.

  2. Host SSH handling every user except "git" internally and forwarding session to Docker container when username is "git".


Just to be clear: Docker container runs a bridge and it's reachable from the host by unique IP address different from host IP.



There was a similar question asked on the StackOverflow (https://stackoverflow.com/questions/8505445/setup-ssh-server-to-forward-connections), but there was no answer that solves that problem - most helpful was the one suggesting custom shell but I found no way to create something like that.










share|improve this question
















bumped to the homepage by Community 8 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • Which problem are you trying to solve? I think your question is more about the solution you think is the right one and not about may be a better solution you haven't took in consideration.

    – Mircea Vutcovici
    Jun 6 '16 at 22:11











  • Well, one solution is just to expose Docker at 22 and host SSH for example at 222 (or another one). But I'm interested both to be available at the same port and distinguished by the username - I don't yet know the right solution for that.

    – Mikz
    Jun 6 '16 at 22:18











  • You could use a different IP for GitLab and have both SSH servers on port 22.

    – Mircea Vutcovici
    Jun 7 '16 at 2:37













  • Yep, I am aware of this, but unfortunately I've got single IP for the whole machine.

    – Mikz
    Jun 7 '16 at 8:58
















4















Is there any way to force OpenSSH (or create a proxy of some kind) to forward one user to one machine and another user to another machine just by the username that he (or she) provided?



I've got following problem: I'm going to run GitLab in Docker container and simultaneously SSH server on the host machine. GitLab listens to SSH connections, but it's interested only in "git" user distinguishing clients by SSH keys.
So the setup that I'd like to create is either of the following:




  1. A proxy on port 22 on the host machine that forwards whole session to Docker Gitlab when provided user is "git" or to the host SSH (might listen to another port, what's important is the client isn't aware of this) when username is different.

  2. Host SSH handling every user except "git" internally and forwarding session to Docker container when username is "git".


Just to be clear: Docker container runs a bridge and it's reachable from the host by unique IP address different from host IP.



There was a similar question asked on the StackOverflow (https://stackoverflow.com/questions/8505445/setup-ssh-server-to-forward-connections), but there was no answer that solves that problem - most helpful was the one suggesting custom shell but I found no way to create something like that.










share|improve this question
















bumped to the homepage by Community 8 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • Which problem are you trying to solve? I think your question is more about the solution you think is the right one and not about may be a better solution you haven't took in consideration.

    – Mircea Vutcovici
    Jun 6 '16 at 22:11











  • Well, one solution is just to expose Docker at 22 and host SSH for example at 222 (or another one). But I'm interested both to be available at the same port and distinguished by the username - I don't yet know the right solution for that.

    – Mikz
    Jun 6 '16 at 22:18











  • You could use a different IP for GitLab and have both SSH servers on port 22.

    – Mircea Vutcovici
    Jun 7 '16 at 2:37













  • Yep, I am aware of this, but unfortunately I've got single IP for the whole machine.

    – Mikz
    Jun 7 '16 at 8:58














4












4








4


2






Is there any way to force OpenSSH (or create a proxy of some kind) to forward one user to one machine and another user to another machine just by the username that he (or she) provided?



I've got following problem: I'm going to run GitLab in Docker container and simultaneously SSH server on the host machine. GitLab listens to SSH connections, but it's interested only in "git" user distinguishing clients by SSH keys.
So the setup that I'd like to create is either of the following:




  1. A proxy on port 22 on the host machine that forwards whole session to Docker Gitlab when provided user is "git" or to the host SSH (might listen to another port, what's important is the client isn't aware of this) when username is different.

  2. Host SSH handling every user except "git" internally and forwarding session to Docker container when username is "git".


Just to be clear: Docker container runs a bridge and it's reachable from the host by unique IP address different from host IP.



There was a similar question asked on the StackOverflow (https://stackoverflow.com/questions/8505445/setup-ssh-server-to-forward-connections), but there was no answer that solves that problem - most helpful was the one suggesting custom shell but I found no way to create something like that.










share|improve this question
















Is there any way to force OpenSSH (or create a proxy of some kind) to forward one user to one machine and another user to another machine just by the username that he (or she) provided?



I've got following problem: I'm going to run GitLab in Docker container and simultaneously SSH server on the host machine. GitLab listens to SSH connections, but it's interested only in "git" user distinguishing clients by SSH keys.
So the setup that I'd like to create is either of the following:




  1. A proxy on port 22 on the host machine that forwards whole session to Docker Gitlab when provided user is "git" or to the host SSH (might listen to another port, what's important is the client isn't aware of this) when username is different.

  2. Host SSH handling every user except "git" internally and forwarding session to Docker container when username is "git".


Just to be clear: Docker container runs a bridge and it's reachable from the host by unique IP address different from host IP.



There was a similar question asked on the StackOverflow (https://stackoverflow.com/questions/8505445/setup-ssh-server-to-forward-connections), but there was no answer that solves that problem - most helpful was the one suggesting custom shell but I found no way to create something like that.







linux networking ssh git docker






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 23 '17 at 12:41









Community

1




1










asked Jun 6 '16 at 21:15









MikzMikz

1262




1262





bumped to the homepage by Community 8 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







bumped to the homepage by Community 8 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.















  • Which problem are you trying to solve? I think your question is more about the solution you think is the right one and not about may be a better solution you haven't took in consideration.

    – Mircea Vutcovici
    Jun 6 '16 at 22:11











  • Well, one solution is just to expose Docker at 22 and host SSH for example at 222 (or another one). But I'm interested both to be available at the same port and distinguished by the username - I don't yet know the right solution for that.

    – Mikz
    Jun 6 '16 at 22:18











  • You could use a different IP for GitLab and have both SSH servers on port 22.

    – Mircea Vutcovici
    Jun 7 '16 at 2:37













  • Yep, I am aware of this, but unfortunately I've got single IP for the whole machine.

    – Mikz
    Jun 7 '16 at 8:58



















  • Which problem are you trying to solve? I think your question is more about the solution you think is the right one and not about may be a better solution you haven't took in consideration.

    – Mircea Vutcovici
    Jun 6 '16 at 22:11











  • Well, one solution is just to expose Docker at 22 and host SSH for example at 222 (or another one). But I'm interested both to be available at the same port and distinguished by the username - I don't yet know the right solution for that.

    – Mikz
    Jun 6 '16 at 22:18











  • You could use a different IP for GitLab and have both SSH servers on port 22.

    – Mircea Vutcovici
    Jun 7 '16 at 2:37













  • Yep, I am aware of this, but unfortunately I've got single IP for the whole machine.

    – Mikz
    Jun 7 '16 at 8:58

















Which problem are you trying to solve? I think your question is more about the solution you think is the right one and not about may be a better solution you haven't took in consideration.

– Mircea Vutcovici
Jun 6 '16 at 22:11





Which problem are you trying to solve? I think your question is more about the solution you think is the right one and not about may be a better solution you haven't took in consideration.

– Mircea Vutcovici
Jun 6 '16 at 22:11













Well, one solution is just to expose Docker at 22 and host SSH for example at 222 (or another one). But I'm interested both to be available at the same port and distinguished by the username - I don't yet know the right solution for that.

– Mikz
Jun 6 '16 at 22:18





Well, one solution is just to expose Docker at 22 and host SSH for example at 222 (or another one). But I'm interested both to be available at the same port and distinguished by the username - I don't yet know the right solution for that.

– Mikz
Jun 6 '16 at 22:18













You could use a different IP for GitLab and have both SSH servers on port 22.

– Mircea Vutcovici
Jun 7 '16 at 2:37







You could use a different IP for GitLab and have both SSH servers on port 22.

– Mircea Vutcovici
Jun 7 '16 at 2:37















Yep, I am aware of this, but unfortunately I've got single IP for the whole machine.

– Mikz
Jun 7 '16 at 8:58





Yep, I am aware of this, but unfortunately I've got single IP for the whole machine.

– Mikz
Jun 7 '16 at 8:58










1 Answer
1






active

oldest

votes


















0














The SSH TCP port tunneling is configured by the ssh client. On the server, you can only limit the tunneling configuration using permitopen=host:port in authorized_keys.



Another way to redirect the traffic would be to use Netfilter/iptables with -m owner --uid-owner $UID and DNAT target.






share|improve this answer
























  • I'm interested in the server way that doesn't require client to modify ssh config on the client. At your second advice - could you be a little more specific? That article: linuxpoison.blogspot.com/2010/11/… states that flags that you provided can limit output traffic from a specific user ON the machine. I want to filter connections by username that tries to log in FROM outside and forward them to another IP if username matches some string ("git" on that specific case)

    – Mikz
    Jun 6 '16 at 21:58











  • Basically you need something like... -t nat -A PREROUTING -m owner --uid-owner $UID -j DNAT --to-destination $GITIP

    – Mircea Vutcovici
    Jun 6 '16 at 22:09






  • 2





    Thanks, I'll look into that! I'll definitely post some feedback

    – Mikz
    Jun 6 '16 at 22:25











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f782319%2fmake-ssh-server-to-forward-connection-per-user%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














The SSH TCP port tunneling is configured by the ssh client. On the server, you can only limit the tunneling configuration using permitopen=host:port in authorized_keys.



Another way to redirect the traffic would be to use Netfilter/iptables with -m owner --uid-owner $UID and DNAT target.






share|improve this answer
























  • I'm interested in the server way that doesn't require client to modify ssh config on the client. At your second advice - could you be a little more specific? That article: linuxpoison.blogspot.com/2010/11/… states that flags that you provided can limit output traffic from a specific user ON the machine. I want to filter connections by username that tries to log in FROM outside and forward them to another IP if username matches some string ("git" on that specific case)

    – Mikz
    Jun 6 '16 at 21:58











  • Basically you need something like... -t nat -A PREROUTING -m owner --uid-owner $UID -j DNAT --to-destination $GITIP

    – Mircea Vutcovici
    Jun 6 '16 at 22:09






  • 2





    Thanks, I'll look into that! I'll definitely post some feedback

    – Mikz
    Jun 6 '16 at 22:25
















0














The SSH TCP port tunneling is configured by the ssh client. On the server, you can only limit the tunneling configuration using permitopen=host:port in authorized_keys.



Another way to redirect the traffic would be to use Netfilter/iptables with -m owner --uid-owner $UID and DNAT target.






share|improve this answer
























  • I'm interested in the server way that doesn't require client to modify ssh config on the client. At your second advice - could you be a little more specific? That article: linuxpoison.blogspot.com/2010/11/… states that flags that you provided can limit output traffic from a specific user ON the machine. I want to filter connections by username that tries to log in FROM outside and forward them to another IP if username matches some string ("git" on that specific case)

    – Mikz
    Jun 6 '16 at 21:58











  • Basically you need something like... -t nat -A PREROUTING -m owner --uid-owner $UID -j DNAT --to-destination $GITIP

    – Mircea Vutcovici
    Jun 6 '16 at 22:09






  • 2





    Thanks, I'll look into that! I'll definitely post some feedback

    – Mikz
    Jun 6 '16 at 22:25














0












0








0







The SSH TCP port tunneling is configured by the ssh client. On the server, you can only limit the tunneling configuration using permitopen=host:port in authorized_keys.



Another way to redirect the traffic would be to use Netfilter/iptables with -m owner --uid-owner $UID and DNAT target.






share|improve this answer













The SSH TCP port tunneling is configured by the ssh client. On the server, you can only limit the tunneling configuration using permitopen=host:port in authorized_keys.



Another way to redirect the traffic would be to use Netfilter/iptables with -m owner --uid-owner $UID and DNAT target.







share|improve this answer












share|improve this answer



share|improve this answer










answered Jun 6 '16 at 21:33









Mircea VutcoviciMircea Vutcovici

13.2k33966




13.2k33966













  • I'm interested in the server way that doesn't require client to modify ssh config on the client. At your second advice - could you be a little more specific? That article: linuxpoison.blogspot.com/2010/11/… states that flags that you provided can limit output traffic from a specific user ON the machine. I want to filter connections by username that tries to log in FROM outside and forward them to another IP if username matches some string ("git" on that specific case)

    – Mikz
    Jun 6 '16 at 21:58











  • Basically you need something like... -t nat -A PREROUTING -m owner --uid-owner $UID -j DNAT --to-destination $GITIP

    – Mircea Vutcovici
    Jun 6 '16 at 22:09






  • 2





    Thanks, I'll look into that! I'll definitely post some feedback

    – Mikz
    Jun 6 '16 at 22:25



















  • I'm interested in the server way that doesn't require client to modify ssh config on the client. At your second advice - could you be a little more specific? That article: linuxpoison.blogspot.com/2010/11/… states that flags that you provided can limit output traffic from a specific user ON the machine. I want to filter connections by username that tries to log in FROM outside and forward them to another IP if username matches some string ("git" on that specific case)

    – Mikz
    Jun 6 '16 at 21:58











  • Basically you need something like... -t nat -A PREROUTING -m owner --uid-owner $UID -j DNAT --to-destination $GITIP

    – Mircea Vutcovici
    Jun 6 '16 at 22:09






  • 2





    Thanks, I'll look into that! I'll definitely post some feedback

    – Mikz
    Jun 6 '16 at 22:25

















I'm interested in the server way that doesn't require client to modify ssh config on the client. At your second advice - could you be a little more specific? That article: linuxpoison.blogspot.com/2010/11/… states that flags that you provided can limit output traffic from a specific user ON the machine. I want to filter connections by username that tries to log in FROM outside and forward them to another IP if username matches some string ("git" on that specific case)

– Mikz
Jun 6 '16 at 21:58





I'm interested in the server way that doesn't require client to modify ssh config on the client. At your second advice - could you be a little more specific? That article: linuxpoison.blogspot.com/2010/11/… states that flags that you provided can limit output traffic from a specific user ON the machine. I want to filter connections by username that tries to log in FROM outside and forward them to another IP if username matches some string ("git" on that specific case)

– Mikz
Jun 6 '16 at 21:58













Basically you need something like... -t nat -A PREROUTING -m owner --uid-owner $UID -j DNAT --to-destination $GITIP

– Mircea Vutcovici
Jun 6 '16 at 22:09





Basically you need something like... -t nat -A PREROUTING -m owner --uid-owner $UID -j DNAT --to-destination $GITIP

– Mircea Vutcovici
Jun 6 '16 at 22:09




2




2





Thanks, I'll look into that! I'll definitely post some feedback

– Mikz
Jun 6 '16 at 22:25





Thanks, I'll look into that! I'll definitely post some feedback

– Mikz
Jun 6 '16 at 22:25


















draft saved

draft discarded




















































Thanks for contributing an answer to Server Fault!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f782319%2fmake-ssh-server-to-forward-connection-per-user%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

Список ссавців Італії Природоохоронні статуси | Список |...

Маріан Котлеба Зміст Життєпис | Політичні погляди |...