3

I have a ubuntu server running some LXD containers - none of these have public IP's, but are exposed to the web by a reverse proxy for HTTP.

These containers belong to different individuals and I would like to be able to allow them to login to the container via SSH. I don't want to allow users to be able to try passwords on containers other than their own one, And I don't want users to have to configure the SSH tunnel / gateway themselves.

So I'm wonderig if there's a way that I can set up an SSH gateway such that, based on the users key or username, the proxying is automated for them through the gateway.

This old article - http://quark.humbug.org.au/publications/ssh/ssh-tricks.html - seems to imply that something like this is possible: "The SSH gateway works by forcing a ssh to another host as a particular username, based on the ssh key."

However I can't find any other reading about it ... Is this something that can be done?

Sam
  • 133
  • Personally I think you will have an easier time setting up port forwarding for each container from an unused port on the host to the ssh port on the container. That will allow container owners to create extra accounts in their container and the only adjustment they will have to do for their SSH, SFTP and SCP is choosing the non-standard port you assign them instead of the default port 22. Otherwise you will have to set up something for each new user they create as well,increasing your administrative load considerably. – HBruijn Feb 07 '19 at 20:27

1 Answers1

5

That article makes use of a relatively underused feature of the openssh and the ~/.ssh/authorized_keys file format - namely: the ability to configure options/restrictions that will be set when a particular keypair is used to log in.
One of those options is the command="/path/to/command [-o options]" that will ensure that instead of a normal interactive login shell a different, custom command will be executed.

By setting that custom command to command="ssh user@container" what will effectively happen is that when a session ssh login@host succeeds with a specific keypair, an ssh session will started that presents the password prompt (and access) to the user account on a specific container.

The easiest is that you set up a single account on your host for that.
You would request that every customer provides you with their public key.
When customers have multiple containers they will need one keypair per container.

You instruct all your customers to use their keypair to authenticate an log in to 1 account, for instance access@yourhost.example.com

In the home directory /home/access/.ssh/authorized_keys there will be one line for each customer/public_key 

command="ssh user1@container1" ssh-rsa AAAAB5..base64_encoded_key_customer1... COMMENT
command="ssh user2@container2" ssh-rsa AAAAB5..base64_encoded_key_customer2... OTHER-COMMENT
HBruijn
  • 80,330
  • 24
  • 138
  • 209