Redirect SSH Users for Docker: Gitlab and Docker: Bitbucket

Solution 1:

I don't think you really need to "redirect the ssh key used": you can create a key/cert per user who has her key in authorized_keys, and then you can use ssh -i $key $final_destination via ForceCommand.

If you would use AuthorizedKeysCommand you can query a central repository of public keys. This could return 2 lines: one for the real user's public ssh key and a second for an "internal public ssh key". You can distinguish those two lines with a comment and query this repository for a key based on info about which host you do the query from. E.g. on the jump host you could filter the public key which has, for example, the comment 'foouser@'; on the final destination you could, on the contrary, query foouser's public key with the comment '@internal'. With recent OpenSSH, you could use the ExposeAuthInfo sshd option on the jump host to know which public ssh key was used to log in to the jump host, then re-query the central repository for the keys and grep the one which matches the one in $SSH_USER_AUTH. This way you would know, based on the returned line with the public ssh key and comment, which private key to use to ssh to the final destination.

The user does not really care how she logged into final host, especially if it is not an interactive shell.

AuthorizedKeysCommand on jumphost and final destination:

#!/bin/sh
# AuthorizedKeysCommand: sshd calls it with the login user name and an
# optional grep filter. With no filter it returns the lines whose comment
# ends in '@' (the users' own keys, as needed on the jump host); the final
# destination would pass '@internal$' instead.
user=$1      # git
filter=$2    # @$ (default)

grep -- "${filter:-@$}" "/home/${user}/.ssh/authorized_keys" 2>/dev/null
exit 0       # exit 0 even when nothing matches, so sshd does not log an error

sshd_config on jump host:

# ExposeAuthInfo (OpenSSH 7.6 and later) makes sshd write the credentials
# used for the login to a file whose path is exported as SSH_USER_AUTH
ExposeAuthInfo yes
Match User git
    # sshd refuses to run AuthorizedKeysCommand unless the user it runs as is set
    AuthorizedKeysCommandUser git
    # no second argument, so the script falls back to its '@$' filter
    AuthorizedKeysCommand /path/to/authorizedkeyscommand git
    ForceCommand /path/to/forcecommand git

AuthorizedKeysCommand can return:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILleQxrxxxxxxxxxxxxxxxxxxx foouser@

ForceCommand on jump host:

#!/bin/ksh
# ForceCommand on the jump host: read which public key logged in (the file
# sshd exposes via SSH_USER_AUTH), map it back to the real user through the
# AuthorizedKeysCommand output, and hop to the final destination with that
# user's dedicated private key.
set -x    # trace to stderr while testing; drop it in production

user=$1   # git

if [[ -r ${SSH_USER_AUTH} ]]; then
    # each line in the file looks like: publickey ssh-ed25519 AAAA...
    pubkey="$(cut -d' ' -f2- "${SSH_USER_AUTH}")"
    # -F matches the key as a fixed string ('+' and '/' in base64 would
    # otherwise be regex characters); the comment before '@' is the real user
    realuser=$(/path/to/authorizedkeyscommand "${user}" | grep -F -- "${pubkey}" | sed 's/^.* \([^@]*\)@$/\1/')
    # <final_destination> is the real target host
    [[ -n ${realuser} ]] && exec ssh -i "$HOME/${realuser}_key" <final_destination> "${SSH_ORIGINAL_COMMAND:-}"
    exit 1    # key not found in the repository
else
    exit 1    # ExposeAuthInfo not enabled or the file is unreadable
fi

Something like this...
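Added example, not code from the answer above: the two-role lookup the answer describes (jump host keeps comments ending in '@', final destination keeps '@internal'), plus the SSH_USER_AUTH-to-real-user resolution, as POSIX sh functions over a constructed key repository and a constructed SSH_USER_AUTH file content, so the logic can be checked offline. It goes one step beyond the answer by matching the key as whole fields instead of a regex and by validating the extracted user name before it is used to build a private-key path. KEY_REPO, USER_AUTH, keys_for_role and real_user_from_auth are assumed names.

```shell
#!/bin/sh
# Constructed sample of the central key repository from the answer: per user,
# one line with comment "<user>@" (the user's own key, accepted on the jump
# host) and one with "<user>@internal" (the key the jump host presents to the
# final destination). Key blobs are made up.
KEY_REPO='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoo0000000000000000000000000000000000000000 foouser@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBar1111111111111111111111111111111111111111 foouser@internal
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaz2222222222222222222222222222222222222222 baruser@'

# Constructed content of the file sshd names in SSH_USER_AUTH when
# ExposeAuthInfo is on: one "<method> <key-type> <base64>" line per method.
USER_AUTH='publickey ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFoo0000000000000000000000000000000000000000'

# keys_for_role REPO ROLE -> the repository lines a host of that role hands to sshd
keys_for_role() {
    case "$2" in
        jump)     printf '%s\n' "$1" | grep -- '@$' ;;
        internal) printf '%s\n' "$1" | grep -- '@internal$' ;;
        *)        return 1 ;;
    esac
}

# real_user_from_auth AUTHINFO REPO -> name of the user whose jump-host key
# was used to log in; fails (no output, status 1) when the key is unknown,
# was an '@internal' key, or the comment is not a plain user name.
real_user_from_auth() {
    # only "publickey" lines count; take key type and blob of the first one
    pub=$(printf '%s\n' "$1" | awk '$1 == "publickey" { print $2, $3; exit }')
    [ -n "$pub" ] || return 1
    # compare type and blob as whole fields, not as a regex or substring
    name=$(keys_for_role "$2" jump |
        awk -v p="$pub" '($1 " " $2) == p { sub(/@$/, "", $3); print $3; exit }')
    # the name becomes part of a file path ($HOME/<name>_key): allow only
    # a conservative character set
    case "$name" in
        "" | *[!a-zA-Z0-9_.-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

real_user_from_auth "$USER_AUTH" "$KEY_REPO"    # prints: foouser
```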