Hello OpenSSH team,
(New subscriber and very first message... by the way thanks for bringing
ssh to the wolrd).
I have a question, maybe not so simple.
_The question in short :
_
Context :_
_
In a jump configuration HostA -> (HostB) -> HostC
The classical way to connect is :
usera@hosta $ *ssh -J userb@hostb userc@hostc*
And to make it "locally transparent" I can use ProxyJump in
.ssh/config :
*HOST *hostc*ProxyJump *hostb
(I can even use ProxyCommand if i want to make things more
complicated or if ssh version does not allow ProxyJump)
Then i can just connect to hostC with :
ssh *userc@hostc*
The question :
Is there a way to achieve the same "simplification" but with a setting
on hostb instead of hosta ?
(The goal is to avoid asking users to make such local configuration)
I'd imagine something like a command in .ssh/authorized_keys of userb :
command="/usr/bin/ssh --magic --proxyjumpto userc@hostc" ssh-ed25519
AAAAblahblahblahblahthekeyofusera
(And ideally i'd forward blindly without checking the key as hostc will
do the real check)
====
Long version and real case :
I'm willing to replace an old git infrastructure (local gitolite) with a
brand new gitlab... in a container.
hosta would be the computer of a contributor, hostb would be the machine
hosting the container, hostc would be the gitlab container itself.
The ports i have open currently for the host machine are 80, 443 and
22... perfect for gitlab and standard and everything... but if both
gitlab in the docker and sshd on the host need port 22 i have a problem...
If I map port 22:22 for the gitlab container that would need me to
change the port for sshd to something higher (and i'd rather avoid
it)... if i map the gitlab port like 22:2022 it would require
contributors to use an exotic port which might annoy them or even be
blocked for some of them.
Both options are annoying.
So i'm searching a tricky way to keep port 22 for both and forward
transparently ssh to git@thegitlabcontainer only for users connecting to
the host (with git user) git@xxxxxxxxxxxxxxxxxxxxxxxx
====
I checked the documentation, made tries with -W... without success
I asked to Linux gurus around me without success... they've never seen
this case. So in last resort I escalate to higher level : the source of
openssh project = you guys :)
With high hopes,
Maât
(PS : sorry list owners for polluting your mail box i did sent it to
-owner@list address first... and with html shame on me)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev