Username based SSH proxy
I'm trying to mux between two ssh servers based on incoming username, i.e. ssh user1@testserver will go to one sshd instance and user2@testserver goes to another.
Can this be done?
Solution 1:
I think you can do this with ForceCommand, like:
ForceCommand proxyscript
in /etc/sshd/sshd_config. Here proxyscript would be a custom script that would ssh to whatever the next server should be, depending on which user is running it. The script would have enough information to do that because, according to the man page for sshd_config, it will run under the user's login shell, so for example $USER will be available.
If you only have a small, fixed set of users who you want to do this for, then you can configure it all in sshd_config with for example
Match User user1
ForceCommand ssh user1@host1
Match User user2
ForceCommand ssh user2@host2
But I don't know if this would correctly hook up the standard out/in of the incoming connection to standard in/out of the new ssh command.
Solution 2:
This is quite nontrivial to do transparently (maybe tweak an SSH honeypot program to auto-login and then use ForceCommand to handle the proxy? sounds messy), but you could set up a proxy and instruct your users on how to use it easily enough.
This concept is called an SSH bastion host. No special software is needed on the proxy (the bastion). The only software the end users need access to is netcat (nc), so you could create a rather bare-bones jail for them if you wanted.
Each OS X / Linux / BSD / UNIX user would have an entry in their ~/.ssh/config file (on their local clients, not the bastion) that looks like this:
Host MYSERVER
ProxyCommand ssh BASTION nc -w 600 USER1_SERVER 22
Each user's config would only differ in the target server (e.g. USER1_SERVER), which is connected to on the local network by the bastion. (If user names differ, consider ProxyCommand ssh BASTION_USERNAME@BASTION nc -w 600 USER1_SERVER 22 together with User USER1_SERVER_USERNAME in the same Host block, since nc only takes a host and port.)
That's actually all there is to it. Now USER1 can run ssh MYSERVER. If not using SSH keys, USER1 will be prompted for a password to BASTION, then a password to the internal system USER1_SERVER. If using SSH keys, and USER1's public key is installed in both BASTION and USER1_SERVER, login will be automatic.
Windows users can do this through PuTTY by using plink (a part of PuTTY). Here is a guide.
If you want to tightly restrict the user on the bastion, you can do this:
Match User user1
ForceCommand nc -w 600 USER1_SERVER 22
... though this does prevent user1 from managing their authorized_keys file on the bastion.
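The two answers can be combined into one ForceCommand dispatcher on the bastion: sshd runs it as the authenticated user, it maps $USER to a backend (Solution 1's per-user idea) and relays the session's stdin/stdout to that backend's sshd with nc (Solution 2's restricted ForceCommand), refusing users with no mapping. This is an added example, not code from either answer; the install path /usr/local/sbin/ssh-mux and the backend names host1.internal and host2.internal are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers): a ForceCommand dispatcher
# for the bastion. sshd runs it as the authenticated user, so $USER tells us
# which backend to relay to. Unknown users are refused rather than forwarded.
#
# Assumed sshd_config line (hypothetical): ForceCommand /usr/local/sbin/ssh-mux
# Assumed backend names (constructed): host1.internal, host2.internal

# Map an SSH login name to its backend host. Prints the host and returns 0,
# or prints nothing and returns 1 when the user has no backend.
backend_for_user() {
    case "$1" in
        user1) echo "host1.internal" ;;
        user2) echo "host2.internal" ;;
        *)     return 1 ;;
    esac
}

# Relay only plain sessions: a client-supplied command ("ssh bastion cmd")
# would otherwise be silently dropped, and refusing it keeps every relay
# looking the same in the logs.
relay_allowed() {
    [ -z "${SSH_ORIGINAL_COMMAND:-}" ]
}

main() {
    user="${USER:-$(id -un)}"
    client="${SSH_CONNECTION:-unknown}"
    client="${client%% *}"   # first field of SSH_CONNECTION is the client IP
    if ! relay_allowed; then
        echo "relay only: no commands accepted on the bastion" >&2
        exit 1
    fi
    if ! backend=$(backend_for_user "$user"); then
        logger -t ssh-mux "refused relay for unknown user ${user} from ${client}"
        echo "no backend configured for ${user}" >&2
        exit 1
    fi
    logger -t ssh-mux "relaying ${user} from ${client} to ${backend}:22"
    # Bridge this session's stdin/stdout to the backend's sshd; the client
    # uses ProxyCommand (as in Solution 2) so the real login happens end to end.
    exec nc -w 600 "$backend" 22
}

# Dispatch only when run under the installed name, so the functions above
# can also be sourced for testing without opening a connection.
case "${0##*/}" in
    ssh-mux) main ;;
esac
```

Pair it on the client with `ProxyCommand ssh user1@BASTION` in the Host block (no nc needed there, since the bastion supplies the relay), and keep the backend's sshd listening only on the internal network.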