Friday, June 21, 2019

linux - SSH traffic redirect for LXC containers




I use LXC containers for ssh hosting and I would like to redirect SSH/SFTP traffic (using port 22) to the container's private IP address but on a user/IP basis. That is - one source port, many destinations.

  1. ssh ahes@server.com
  2. we have user 'ahes', the private IP for this user's container is 10.10.66.66
  3. redirect traffic to 10.10.66.66:22

It is not possible for me to assign a public IP address to each container.




Possible solutions I figured out:

  1. Easy one - forget about the global port 22 and use a port matching the particular user. For example ahes would have port 6666. Then redirect traffic with a simple iptables rule: server.com:6666 => 10.10.66.66:22. The disadvantage is that in some places ports other than 22/80/443 are blocked.

  2. use the ForceCommand directive in sshd on the parent server:

Match Group users
ForceCommand /usr/local/bin/ssh.sh

ssh.sh script:

#!/bin/bash
# ...some logic here to find user IP address (sets IP for the authenticated $USER)
# run ssh to the user's container; quote the target, and pass the original
# command through only when the client actually sent one
exec ssh "$USER@$IP" ${SSH_ORIGINAL_COMMAND:+"$SSH_ORIGINAL_COMMAND"}

This solution is almost good but I didn't find a way to make sftp work with this configuration.



The other consideration is that I cannot dig into the protocol because encryption is done before any data identifying the user is sent. Furthermore I don't really have the skills to hack the sshd source code, and keeping the parent server on original packages is very desirable for security reasons.



I also found the libpam-nufw package used for authentication at the connection level (iptables) but I think it is for other purposes.



I would appreciate any clues. Thank you.
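A fuller version of the ForceCommand wrapper sketched in solution 2, added here as an example and not part of the original question. It assumes a root-owned map file of "user ip" lines (the sample map below is constructed for the demo), that sshd has set USER and SSH_CONNECTION, and that, when a client requests the sftp subsystem, sshd puts the configured subsystem command (internal-sftp or the sftp-server path) into SSH_ORIGINAL_COMMAND, which is how the wrapper can relay sftp as well as shells. The validation of USER and the use of "--" keep a forced command from being steered by anything the client controls.

```shell
#!/bin/bash
# Added example: ForceCommand dispatcher that maps the authenticated user to a
# container IP and relays the session there (not code from the original post).
set -eu

# Map of "user ip" pairs. In production point DISPATCH_MAP at a root-owned
# file such as /etc/ssh/container-map; here a constructed sample is written
# to a temp file so the script runs stand-alone.
DISPATCH_MAP="${DISPATCH_MAP:-$(mktemp)}"
if [ ! -s "$DISPATCH_MAP" ]; then
    cat > "$DISPATCH_MAP" <<'EOF'
ahes 10.10.66.66
bob 10.10.66.67
EOF
fi

# Resolve a username to its container IP; fail closed on unknown or odd names.
lookup_ip() {
    user="$1"
    # Only plain account names are accepted, so USER can never inject awk
    # syntax or ssh options into the commands below.
    case "$user" in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    ip=$(awk -v u="$user" '$1 == u { print $2; exit }' "$DISPATCH_MAP")
    # The map must yield a dotted-quad address, nothing else.
    case "$ip" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$ip"
}

# Classify what the client asked for: an sftp subsystem request, an
# interactive shell (no original command), or a one-off command.
relay_mode() {
    case "${1:-}" in
        internal-sftp|*/sftp-server) echo sftp ;;
        '')                          echo shell ;;
        *)                           echo exec ;;
    esac
}

# Only relay when actually running inside an sshd session (SSH_CONNECTION is
# set by sshd); sourcing or testing the file does not start an ssh client.
if [ -n "${SSH_CONNECTION:-}" ]; then
    target_ip=$(lookup_ip "$USER") || {
        echo "no container mapped for user $USER" >&2
        exit 1
    }
    case "$(relay_mode "${SSH_ORIGINAL_COMMAND:-}")" in
        # Relay the sftp subsystem to the container's sshd over stdin/stdout.
        sftp)  exec ssh -s -- "$USER@$target_ip" sftp ;;
        # Interactive login: request a remote pty.
        shell) exec ssh -t -- "$USER@$target_ip" ;;
        # Pass the original command through unchanged, as a single argument.
        exec)  exec ssh -- "$USER@$target_ip" "$SSH_ORIGINAL_COMMAND" ;;
    esac
fi
```

The wrapper still terminates TLS-equivalent trust at the parent host: the gateway's sshd authenticates the user, then opens a second SSH session to the container, so the parent holds whatever key or agent forwarding that second hop needs and can see the plaintext. Host keys for 10.10.66.0/24 should be pinned in the parent's known_hosts (or via a CA) so the relay does not silently accept a new key.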


Answer



Set up an HTTP proxy listening on port 443 and enable forwarding connections to port 22 at the internal LXC IPs. Then, when using ssh/sftp clients, use the ProxyConnect option combined with netcat/socat/proxytunnel/whatever.




Another common solution is to set up an SSH gateway (for instance, a dedicated LXC on the same box). Users connect there first and then to their LXC instance.
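The client side of the two approaches in the answer, as an added ~/.ssh/config example that is not from the answer's author. The proxy host server.com, the gateway name gateway.server.com, the .lxc naming and the 10.10.66.x addresses are assumptions; the OpenSSH option that takes an external connector such as netcat is ProxyCommand, and ProxyJump (OpenSSH 7.3 and later) is the built-in way to hop through a gateway.

```sshconfig
# Approach 1: reach the container through an HTTP proxy on server.com:443
# that is permitted to CONNECT to port 22 on the LXC range. Needs OpenBSD
# netcat (Debian package netcat-openbsd); %h and %p are the target host and
# port. Usage: ssh ahes@10.10.66.66  or  sftp ahes@10.10.66.66
Host 10.10.66.*
    ProxyCommand nc -X connect -x server.com:443 %h %p

# Approach 2: a dedicated SSH gateway. ProxyJump opens a TCP forward through
# the gateway, so the client authenticates end-to-end with the container's
# own sshd and the gateway never sees the session plaintext. Works for ssh,
# sftp and scp alike. Usage: ssh ahes.lxc  or  sftp ahes.lxc
Host *.lxc
    ProxyJump gateway.server.com

# Per-user alias resolved on the client (constructed example).
Host ahes.lxc
    HostName 10.10.66.66
    User ahes
```

Both approaches leave the user's key on the client and do not require the parent host to hold credentials for the containers, which is the main operational difference from a ForceCommand relay on the parent.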

