Thursday, September 14, 2017

Proxy SSH to hide endpoints

Has anyone done SSH proxying that is transparent to the user, but the end host they are routed to is determined by any of the following: username, identity key, DNS hostname. I guess DNS hostname isn't possible with the protocol, but it could use the identity key.

For example, I want users to be able to all SSH to the same machine, but they end up on different VPS nodes: ssh -i identity_rsa user@example.com.

There are a few very nice features of doing this:

  1. The RSA host key is the same no matter what VPS you SSH into.

  2. The hostname could be the same, or (dubious) it could route on subdomain names. I'm not sure if this is in the protocol or it only uses the IP address to connect to a TCP socket.

  3. Zero configuration on the client side (no proxy commands, multiple ssh tunnels, etc.)

  4. All traffic is funneled through a gateway.

I'm worried this requires a custom (legitimate) MitM SSH server, because I want a normal end-to-end SSH connection that can do SCP and agent-forwarding.

Can agent forwarding work with forced commands? Could I create forced commands based on the public key that call ssh -A to the inside host?
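As an added example (not from the post), here is what the forced-command approach asked about above looks like when written out: a gateway-side routing script that each public key in the gateway's authorized_keys is pinned to, with the backend hostnames, the install path and the allow-list being assumptions.

```shell
#!/bin/sh
# Added example (not from the post). Installed on the gateway as the forced
# command for each key; hostnames and the install path are assumptions.
#
# ~/.ssh/authorized_keys on the gateway pins every key to one backend:
#   restrict,agent-forwarding,command="/usr/local/bin/ssh-route vps1.internal" ssh-ed25519 AAAA... alice
#   restrict,agent-forwarding,command="/usr/local/bin/ssh-route vps2.internal" ssh-ed25519 AAAA... bob
# "restrict" removes port/X11 forwarding and the gateway shell; "agent-forwarding"
# re-enables only the agent so the inner hop can authenticate to the backend.

# Backends this gateway may route to; anything else is refused even if an
# authorized_keys line names it.
ALLOWED_BACKENDS="vps1.internal vps2.internal"

# allowed_backend HOST -> 0 if HOST is on the allow-list, 1 otherwise
allowed_backend() {
    for h in $ALLOWED_BACKENDS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# session_kind ORIGINAL_COMMAND -> "interactive" (empty command: the user wants
# a shell on the backend) or "command" (scp/sftp/remote command to pass through).
session_kind() {
    [ -z "$1" ] && echo interactive || echo command
}

main() {
    backend="$1"
    if ! allowed_backend "$backend"; then
        echo "ssh-route: refusing unknown backend '$backend'" >&2
        exit 1
    fi
    # Audit trail on the gateway: who (gateway login) went where, and what they ran.
    logger -t ssh-route "user=$USER backend=$backend cmd='${SSH_ORIGINAL_COMMAND:-<interactive>}'"
    # Inner hop: -A forwards the agent through the gateway (the gateway sshd must
    # have AllowAgentForwarding yes); the backend's host key lives in the gateway's
    # known_hosts, so the user only ever sees the gateway's host key.
    if [ "$(session_kind "$SSH_ORIGINAL_COMMAND")" = interactive ]; then
        exec ssh -A -t -o StrictHostKeyChecking=yes "$backend"
    fi
    # Passing SSH_ORIGINAL_COMMAND through unchanged is what keeps scp/sftp working.
    exec ssh -A -o StrictHostKeyChecking=yes "$backend" "$SSH_ORIGINAL_COMMAND"
}

# Run only when invoked as the installed forced command.
case "$0" in *ssh-route) main "$@" ;; esac
```

Note that with this layout the gateway process holds the forwarded agent socket for the session, so the gateway must be trusted as much as the backends it fronts.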
