Redirect ssh traffic for one user through another port


Is it possible to have a configuration like this:

  • A server which listens for ssh connections on port 22 as usual

  • For one user (let's say git), redirect all the traffic through another port (2222 for instance)

As a result, the command ssh git@host will produce the same result as ssh -p 2222 git@host.

Basically I'm trying to have a sort of reverse proxy on ssh, but as far as I know we can't use subdomains to distinguish incoming ssh connections, so I was wondering if we can accomplish this kind of thing with a user approach.

Edit:

The reason is that I have set up a gitolite server in a Docker container, so in the end I have an ssh daemon which listens on port 2222 for git purposes.
Additionally I have a "regular" ssh daemon which listens on port 22 (and I want to keep it).

Of course I can access the git server through port 2222 (if I open it from the outside), but I was wondering if I can use the "regular" ssh server from remote and then locally redirect it to the "git" ssh for the user git.

So the traffic will be something like this for the user git:

    client <==> 22:server:2222:git_container







ssh port port-forwarding






asked Sep 8 '14 at 15:18 by FabiF
edited Sep 8 '14 at 22:52 by FabiF












  • What are you trying to accomplish?
    – Michael Hampton
    Sep 8 '14 at 15:29

  • 1
    Could you rephrase and add more info about the "reverse proxy" thing you want? You can force a local user to always connect using a default SSH port instead of regular 22 (local user, not remote user), and set up a server to listen on several ports, but as per sshd_config you cannot have a match for a user with a specific port related directly.
    – NuTTyX
    Sep 8 '14 at 17:27

  • I added some details, I hope it's more understandable. I think what I want is not possible but it's the best place to get fixed.
    – FabiF
    Sep 8 '14 at 22:56

  • 1
    I'm dealing with similar requirements and it looks like sshpiper is what we need: github.com/tg123/sshpiper
    – dumolibr
    May 6 '15 at 15:34

  • @dumolibr Thanks a lot, it's exactly what I was looking for.
    – FabiF
    May 7 '15 at 8:36

















2 Answers
A simple TCP port-forwarding can't do it: the username is only mentioned further into the SSH protocol, so if you insist on starting off with ssh git@host, then there have to be two full SSH authentication handshakes. I am not aware of a generic SSH proxy that could do that transparently. You could automate the second hop server-side, e.g. by making a shell script ssh -p 2222 localhost the user's shell on the outer host. But that would not be compatible with lots of SSH's nice perks, like port-forwarding, sftp, scp, ...

A better way would be to customize the client side. E.g. in ~/.ssh/config

    # Alias that connects straight to the git daemon on port 2222 as user git
    Host git_host
        Hostname host
        Port 2222
        User git

and then ssh git_host (instead of ssh git@host).

If you have to walk through the outer host first (e.g. because you have no direct visibility to port 2222), then you could use these tricks here, e.g.

    # First hop to the outer host, then nc relays the session to local port 2222
    Host git_host
        Hostname host
        User git
        ProxyCommand ssh -q git@host nc -q0 localhost 2222

(might not be 100% correct, play with the options)







answered Sep 9 '14 at 9:40 by Nils Toedtmann
edited Sep 9 '14 at 10:00

  • I'm trying to avoid client-side customization (sadly a minor ssh configuration can be too much for some users...). But it sounds like I have no user-transparent solution, I'm not so surprised. Thanks for your time.
    – FabiF
    Sep 9 '14 at 10:09

  • 1
    Maybe you can have a 2nd IP address on the host and portforward its port 22?
    – Nils Toedtmann
    Sep 9 '14 at 10:36
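
The answer's point that the username only appears further into the SSH protocol, as an added example that is not part of the original answer or comments: it builds a constructed client byte stream using the RFC 4253 / RFC 4252 message layouts and reports what a TCP-level forwarder can read before encryption begins. The sample stream, the stand-in cipher and all function names are assumptions made for illustration.

```python
import hashlib
import struct

# Message numbers from RFC 4253 (transport) and RFC 4252 (user authentication).
MSG_KEXINIT, MSG_KEXDH_INIT, MSG_NEWKEYS, MSG_USERAUTH_REQUEST = 20, 30, 21, 50


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' type: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def packet(payload: bytes, block: int = 8) -> bytes:
    """Unencrypted binary packet: length, padding length, payload, padding."""
    pad = block - (5 + len(payload)) % block
    if pad < 4:                      # RFC 4253 requires at least 4 padding bytes
        pad += block
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def userauth_request(user: str, method: str) -> bytes:
    """Payload of SSH_MSG_USERAUTH_REQUEST; the user name is its first field."""
    return (bytes([MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(b"ssh-connection") + ssh_string(method.encode()))


def parse_userauth_request(payload: bytes):
    """Return (user, service, method) from an already decrypted payload."""
    if payload[0] != MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    fields, pos = [], 1
    for _ in range(3):
        (n,) = struct.unpack_from(">I", payload, pos)
        fields.append(payload[pos + 4:pos + 4 + n].decode())
        pos += 4 + n
    return tuple(fields)


def stand_in_encrypt(data: bytes) -> bytes:
    """Constructed stand-in for the negotiated cipher, NOT a real SSH cipher."""
    ks = hashlib.sha512(b"constructed session key").digest()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))


def constructed_client_stream(user: str = "git") -> bytes:
    """Constructed sample of the bytes an SSH client sends, in protocol order."""
    name_lists = [b"diffie-hellman-group14-sha1", b"ssh-rsa",
                  b"aes128-ctr", b"aes128-ctr", b"hmac-sha2-256", b"hmac-sha2-256",
                  b"none", b"none", b"", b""]
    kexinit = (bytes([MSG_KEXINIT]) + bytes(16)            # 16-byte cookie
               + b"".join(ssh_string(n) for n in name_lists)
               + b"\x00" + bytes(4))                       # no guess, reserved
    kexdh_init = bytes([MSG_KEXDH_INIT]) + ssh_string(bytes(range(1, 33)))
    clear = (b"SSH-2.0-OpenSSH_6.6\r\n" + packet(kexinit)
             + packet(kexdh_init) + packet(bytes([MSG_NEWKEYS])))
    # Authentication starts only after NEWKEYS, so this packet is encrypted.
    return clear + stand_in_encrypt(packet(userauth_request(user, "publickey")))


def cleartext_view(stream: bytes):
    """What a TCP-level forwarder can read: banner and packets up to NEWKEYS."""
    end = stream.index(b"\r\n")
    banner, pos, seen = stream[:end].decode(), end + 2, []
    while pos + 5 <= len(stream):
        length, pad = struct.unpack_from(">IB", stream, pos)
        payload = stream[pos + 5:pos + 4 + length - pad]
        seen.append(payload[0])
        pos += 4 + length
        if payload[0] == MSG_NEWKEYS:
            break                    # everything the client sends next is encrypted
    return banner, seen, stream[:pos]


if __name__ == "__main__":
    banner, seen, clear = cleartext_view(constructed_client_stream("git"))
    print("banner:", banner)
    print("cleartext message numbers:", seen)
    print("user name readable by a port forwarder:", b"git" in clear)
    print("user name after decryption:",
          parse_userauth_request(userauth_request("git", "publickey"))[0])
```

A forwarder that wanted to route on the username would therefore have to terminate the SSH session itself, which is the "two full SSH authentication handshakes" the answer refers to.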


















Configure your regular SSH server to listen on a non-standard port. Then you can configure gitolite to use the now free port 22.

This makes it easy for your users, and you seem capable enough to use ssh on a different port.







answered Jun 2 at 6:57 by Gerald Schneider


























