"Virtual hosts" for SSH [duplicate]
We have a remote Xen server running a lot of guest machines (on Linux), with only a couple of IPs available.
Each guest machine should be directly accessible by the SSH from the outer world.
Right now we assign a separate domain name to each guest machine, pointing to one of the few available IPs. We also assign a port number to that guest machine.
So, to access the machine named foo, one should do as follows:
$ ssh foo.example.com -p 12345
...And to access the machine named bar:
$ ssh bar.example.com -p 12346
Both foo.example.com and bar.example.com point to the same IP.
Is it possible to somehow get rid of custom ports in this configuration and configure SSH server, listening at that IP (or firewall or whatever on server side), so it would route the incoming connection to the correct guest machine, based on the domain address, so that following works as intended?
$ ssh foo.example.com hostname # prints foo
$ ssh bar.example.com hostname # prints bar
Note that I do know about .ssh/config and related client-side configuration solutions; we're using that now. This question is specifically about a zero-client-configuration solution.
                foo
               /
Client ----- Xen server
               \
                bar
It sounds like SSH Gateway is what you're looking for.
Firstly, create 2 new users, foo and bar, on the Xen server:
Xen # useradd foo
Xen # useradd bar
Generate key pairs and copy the public key to foo-server and bar-server:
Xen # su - foo
Xen $ ssh-keygen
Xen $ ssh-copy-id -i ~/.ssh/id_rsa.pub foo-user@foo-server
(Do the same for the bar user)
Now, from the Xen server (SSH Gateway) you can log in to foo-server and bar-server without a password prompt.
The next step is to let the Client authenticate to the Xen server with a public key:
Client $ ssh-keygen
Client $ ssh-copy-id -i ~/.ssh/id_rsa.pub foo@Xen
and the final step is to make the Xen server open a second connection to the corresponding internal server. Log in to Xen, switch to foo, open the ~/.ssh/authorized_keys file and change:
ssh-rsa AAAAB3N...== user@clienthost
to:
command="ssh -t -t foo-user@foo-server" ssh-rsa AAAAB3N...== user@clienthost
The sample result:
$ ssh foo-user@Xen
Last login: Thu Nov 10 13:02:25 2011 from Client
$ id
uid=500(foo-user) gid=500(foo-user) groups=500(foo-user) context=user_u:system_r:unconfined_t
$ exit
logout
Connection to foo-server closed.
Connection to Xen closed.
$ ssh bar-user@Xen
Last login: Thu Nov 10 11:28:52 2011 from Client
$ id
uid=500(bar-user) gid=500(bar-user) groups=500(bar-user) context=user_u:system_r:unconfined_t
$ exit
logout
Connection to bar-server closed.
Connection to Xen closed.
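An added example, not part of the answer above: a small wrapper to use as the gateway key's forced command. Unlike a bare command="ssh -t -t ...", it forwards the client's requested command via SSH_ORIGINAL_COMMAND (so the question's `ssh foo.example.com hostname` really runs hostname on foo), pins the key with the restrict option so the gateway cannot be used for port or agent forwarding, and logs every hop; the install path /usr/local/bin/ssh-gateway is an assumption.

```shell
#!/bin/sh
# ssh-gateway: forced-command wrapper for the gateway user's authorized_keys.
# Added example; host and user names are the answer's placeholders and the
# install path /usr/local/bin/ssh-gateway is an assumption.

# Decide whether the client asked for a command (exec) or a login shell.
select_mode() {
    if [ -n "$1" ]; then echo exec; else echo login; fi
}

# Build the authorized_keys entry: "restrict" turns off port/agent/X11
# forwarding through the gateway, "pty" re-enables a terminal for logins,
# and the forced command pins this key to exactly one internal guest.
gateway_authorized_keys_line() {
    target="$1"; pubkey="$2"
    printf 'restrict,pty,command="/usr/local/bin/ssh-gateway %s" %s\n' "$target" "$pubkey"
}

# Second hop to the guest. sshd puts the client's requested command in
# SSH_ORIGINAL_COMMAND; forward it instead of silently replacing it with
# a login shell. BatchMode keeps the gateway from ever prompting.
gateway_hop() {
    target="$1"
    mode=$(select_mode "$SSH_ORIGINAL_COMMAND")
    client="${SSH_CONNECTION%% *}"    # first field of SSH_CONNECTION is the client IP
    logger -t ssh-gateway "client=$client target=$target mode=$mode"
    case "$mode" in
        exec)  exec ssh -o BatchMode=yes "$target" "$SSH_ORIGINAL_COMMAND" ;;
        login) exec ssh -o BatchMode=yes -t -t "$target" ;;
    esac
}

# When installed as the forced command, $1 is the target given in authorized_keys.
if [ "$#" -gt 0 ]; then
    gateway_hop "$1"
fi
```

The forced command still runs only as the gateway user, so each guest keeps its own gateway account and key exactly as in the answer.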
Yes, it is possible, but I know of no SSH server or proxy that supports it. You can't use the syntax you suggest though. You'd have to encode the desired host in the user name. For example ssh -u jsmith@foo foo.example.com. The foo.example.com just gives the IP address. The master SSH server running on port 22 would have to 'route' based on what comes after the @ in the user name.
As a solution you can use a Bonjour, UPnP, or DNS SRV based SSH client/wrapper and advertise the services via those protocols. See: http://eric.windisch.us/software/zerossh/