Make SSH server forward connections per user

Is there any way to force OpenSSH (or create a proxy of some kind) to forward one user to one machine and another user to another machine just by the username that he (or she) provided?

I've got the following problem: I'm going to run GitLab in a Docker container and simultaneously an SSH server on the host machine. GitLab listens for SSH connections, but it's interested only in the "git" user, distinguishing clients by SSH keys. So the setup that I'd like to create is either of the following:

  1. A proxy on port 22 on the host machine that forwards the whole session to the Docker GitLab when the provided user is "git", or to the host SSH (which might listen on another port; what's important is that the client isn't aware of this) when the username is different.
  2. Host SSH handling every user except "git" internally and forwarding the session to the Docker container when the username is "git".

Just to be clear: the Docker container runs a bridge and is reachable from the host by a unique IP address different from the host IP.

There was a similar question asked on Stack Overflow (https://stackoverflow.com/questions/8505445/setup-ssh-server-to-forward-connections), but there was no answer that solves that problem; the most helpful one suggested a custom shell, but I found no way to create something like that.
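Option 2 above, as an added example that is not part of the question or of any answer: the host sshd keeps handling every other user, and for logins as "git" a `ForceCommand` wrapper validates the requested git operation and relays it to the GitLab container over a second SSH connection. The container address (`172.17.0.2`), port, relay key path, the wrapper's install name `gitlab-relay` and the `sshd_config` snippet in the comments are all assumptions. It also assumes the host's `git` user carries the same public keys as the container's and owns a key pair the container accepts.

```shell
#!/bin/sh
# Added example (not from the question or the answers): ForceCommand wrapper
# run by the host sshd for every login as "git". It relays only the three git
# pack services, with a sanitised repository path, to the GitLab container.
#
# Assumed host sshd_config snippet:
#   Match User git
#       ForceCommand /usr/local/bin/gitlab-relay
#       AllowTcpForwarding no
#       PermitTTY no
#       X11Forwarding no

GITLAB_HOST="${GITLAB_HOST:-172.17.0.2}"   # assumed bridge IP of the container
GITLAB_PORT="${GITLAB_PORT:-22}"
RELAY_KEY="${RELAY_KEY:-/home/git/.ssh/relay_ed25519}"   # assumed relay key

# allowed_repo_path PATH: 0 if PATH looks like "group/repo.git" (relative,
# no "..", only [A-Za-z0-9._/-]), 1 otherwise.
allowed_repo_path() {
  case "$1" in
    ''|/*|*..*|*[!A-Za-z0-9._/-]*) return 1 ;;
  esac
  return 0
}

# git_service CMD: if CMD is "<service> '<path>'" with a permitted service and
# path, print "<service> <path>" and return 0; otherwise return 1.
git_service() {
  svc=${1%% *}                 # word before the first space
  arg=${1#* }                  # everything after it
  case "$svc" in
    git-upload-pack|git-receive-pack|git-upload-archive) ;;
    *) return 1 ;;
  esac
  # git clients send the path as a single single-quoted argument
  case "$arg" in
    "'"*"'") ;;
    *) return 1 ;;
  esac
  path=${arg#\'}
  path=${path%\'}
  case "$path" in *\'*) return 1 ;; esac   # embedded quote: reject
  allowed_repo_path "$path" || return 1
  printf '%s %s\n' "$svc" "$path"
}

# relay: validate $SSH_ORIGINAL_COMMAND and execute it on the container
# as the container's git user. Interactive logins and anything that is not
# a git pack service are refused.
relay() {
  cmd=${SSH_ORIGINAL_COMMAND:-}
  parsed=$(git_service "$cmd") || {
    echo "Only git operations are allowed." >&2
    return 1
  }
  svc=${parsed%% *}
  path=${parsed#* }
  exec ssh -p "$GITLAB_PORT" -i "$RELAY_KEY" \
      -o BatchMode=yes -o StrictHostKeyChecking=yes \
      "git@$GITLAB_HOST" "$svc '$path'"
}

# Only act as the relay when installed under the assumed name; sourcing the
# file (e.g. for testing the validators) does nothing.
case "${0##*/}" in
  gitlab-relay) relay ;;
esac
```

The validator rebuilds the remote command from the parsed service and path instead of passing `$SSH_ORIGINAL_COMMAND` through verbatim, so shell metacharacters or extra arguments never reach the container. One caveat: the container then sees every client arrive with the single relay key, so GitLab's per-key client identity has to be re-established on the container side; that part is not covered here.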


Solution 1:

The SSH TCP port tunneling is configured by the ssh client. On the server, you can only limit the tunneling configuration using permitopen=host:port in authorized_keys.

Another way to redirect the traffic would be to use Netfilter/iptables with -m owner --uid-owner $UID and DNAT target.