SSH gateway with all config on the gateway?

Solution 1:

That article makes use of a relatively underused feature of the openssh and the ~/.ssh/authorized_keys file format - namely: the ability to configure options/restrictions that will be set when a particular keypair is used to log in.
One of those options is the command="/path/to/command [-o options]" that will ensure that instead of a normal interactive login shell a different, custom command will be executed.

By setting that custom command to command="ssh user@container" what will effectively happen is that when a session ssh login@host succeeds with a specific keypair, an ssh session will started that presents the password prompt (and access) to the user account on a specific container.

The easiest is that you set up a single account on your host for that.
You would request that every customer provides you with their public key.
When customers have multiple containers they will need one keypair per container.

You instruct all your customers to use their keypair to authenticate an log in to 1 account, for instance [email protected]

In the home directory /home/access/.ssh/authorized_keys there will be one line for each customer/public_key

command="ssh user1@container1" ssh-rsa AAAAB5..base64_encoded_key_customer1... COMMENT
command="ssh user2@container2" ssh-rsa AAAAB5..base64_encoded_key_customer2... OTHER-COMMENT