Redirect SSH Users for Docker: Gitlab and Docker: Bitbucket
Solution 1:
I don't think you really need to "redirect the ssh key used", you can create a key/cert per user who has her key as authorized_keys, and then you can use ssh -i $key $final_destination
via ForceCommand.
If you would use AuthorizedKeysCommand
you can query a central repository of public keys, this could return 2 lines - one for real users public ssh key and the second for an "internal public ssh key", you can distinguish those two lines with a comment and query this repository for a key based on info from which host you do the query. Eg. on jump host you could filter the public key which has for example this comment 'foouser@', on final destination you could on the contrary query foouser's public key with comment '@internal'. With recent OpenSSH, you could on jump host use ExposeAuthInfo
sshd option to know which public ssh key was used to login into jump host, then you could re-query central repository for the keys and grep one which matches one in $SSH_USER_AUTH. This way would would know based on returned line with public ssh key and comment which private key to use to do ssh to final destination.
The user does not really care how she logged into final host, especially if it is not an interactive shell.
AuthorizedKeysCommand on jumphost and final destination:
#!/bin/sh
user=$1 # git !
filter=$2 # @$
cat /home/git/.ssh/authorized_keys 2>/dev/null | grep "${filter:-@$}"
exit 0
sshd_config on jump host:
ExposeAuthInfo yes
Match User git
AuthorizedKeysCommand /path/to/authorizedkeyscommand git # @$ as default
ForceCommand /path/to/forcecommand git
AuthorizedKeysCommand can return:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILleQxrxxxxxxxxxxxxxxxxxxx foouser@
ForceCommand on jump host:
#!/bin/ksh
set -x
user=$1 # git
if [[ -r ${SSH_USER_AUTH} ]]; then
pubkey="$(cat ${SSH_USER_AUTH} | cut -d' ' -f2-)"
realuser=$(/path/to/authorizedkeyscommand git | grep "${pubkey}" | sed 's/^.* \([^@]*\)@$/\1/' )
[[ -n ${realuser} ]] && exec ssh -i $HOME/${realuser}_key <final_destination> "${SSH_ORIGINAL_COMMAND:-}"
else
exit 1
fi
Something like this...