HOWTO (advanced) ssh transparent proxy jump

Hello OpenSSH team,

(New subscriber and very first message... by the way thanks for bringing ssh to the world).

I have a question, maybe not so simple.

The question in short:

Context:

   In a jump configuration HostA -> (HostB) -> HostC

   The classical way to connect is :

       usera@hosta $ ssh -J userb@hostb userc@hostc

   And to make it "locally transparent" I can use ProxyJump in
   .ssh/config :

       Host hostc
           ProxyJump hostb

   (I can even use ProxyCommand if I want to make things more
   complicated or if the ssh version does not allow ProxyJump)

   Then I can just connect to hostC with :

       ssh userc@hostc

The question :

Is there a way to achieve the same "simplification" but with a setting on hostb instead of hosta ?

(The goal is to avoid asking users to make such local configuration)

I'd imagine something like a command in .ssh/authorized_keys of userb :

   command="/usr/bin/ssh --magic --proxyjumpto userc@hostc" ssh-ed25519 AAAAblahblahblahblahthekeyofusera

(And ideally I'd forward blindly without checking the key as hostc will do the real check)


====

Long version and real case :

I'm willing to replace an old git infrastructure (local gitolite) with a brand new gitlab... in a container.

hosta would be the computer of a contributor, hostb would be the machine hosting the container, hostc would be the gitlab container itself.

The ports I have open currently for the host machine are 80, 443 and 22... perfect for gitlab and standard and everything... but if both gitlab in the docker and sshd on the host need port 22 I have a problem...

If I map port 22:22 for the gitlab container that would require me to change the port for sshd to something higher (and I'd rather avoid it)... if I map the gitlab port like 22:2022 it would require contributors to use an exotic port which might annoy them or even be blocked for some of them.

Both options are annoying.

So I'm searching for a tricky way to keep port 22 for both and transparently forward ssh to git@thegitlabcontainer only for users connecting to the host (with git user) git@xxxxxxxxxxxxxxxxxxxxxxxx

====

I checked the documentation, made tries with -W... without success

I asked Linux gurus around me without success... they've never seen this case. So as a last resort I escalate to a higher level : the source of the openssh project = you guys :)

With high hopes,

Maât

(PS : sorry list owners for polluting your mail box, I did send it to the -owner@list address first... and with html, shame on me)


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



