HOWTO (advanced) ssh transparent proxy jump
Maât
maat-ml at mageia.biz
Sun Oct 20 03:57:38 AEDT 2024
Hello OpenSSH team,
(New subscriber and very first message... by the way thanks for bringing
ssh to the world).
I have a question, maybe not so simple.
The question in short :
Context :
In a jump configuration HostA -> (HostB) -> HostC
The classical way to connect is :
usera@hosta $ ssh -J userb@hostb userc@hostc
And to make it "locally transparent" I can use ProxyJump in
.ssh/config :
Host hostc
    ProxyJump hostb
(I can even use ProxyCommand if I want to make things more
complicated or if ssh version does not allow ProxyJump)
Then I can just connect to hostC with :
ssh userc@hostc
The question :
Is there a way to achieve the same "simplification" but with a setting
on hostb instead of hosta ?
(The goal is to avoid asking users to make such local configuration)
I'd imagine something like a command in .ssh/authorized_keys of userb :
command="/usr/bin/ssh --magic --proxyjumpto userc@hostc" ssh-ed25519 AAAAblahblahblahblahthekeyofusera
(And ideally I'd forward blindly without checking the key as hostc will
do the real check)
====
Long version and real case :
I'm willing to replace an old git infrastructure (local gitolite) with a
brand new gitlab... in a container.
hosta would be the computer of a contributor, hostb would be the machine
hosting the container, hostc would be the gitlab container itself.
The ports I have open currently for the host machine are 80, 443 and
22... perfect for gitlab and standard and everything... but if both
gitlab in the docker and sshd on the host need port 22 I have a problem...
If I map port 22:22 for the gitlab container that would need me to
change the port for sshd to something higher (and I'd rather avoid
it)... if I map the gitlab port like 22:2022 it would require
contributors to use an exotic port which might annoy them or even be
blocked for some of them.
Both options are annoying.
So I'm searching for a tricky way to keep port 22 for both and forward
transparently ssh to git@thegitlabcontainer only for users connecting to
the host (with git user) git@mynewgit.mycommunity.org
====
I checked the documentation, made tries with -W... without success
I asked Linux gurus around me without success... they've never seen
this case. So as a last resort I escalate to higher level : the source of
openssh project = you guys :)
With high hopes,
Maât
(PS : sorry list owners for polluting your mail box, I did send it to
-owner at list address first... and with html, shame on me)