Thursday, December 12, 2019

linux - "Virtual hosts" for SSH

We have a remote Xen server running a lot of guest machines (on Linux), with only a couple of IPs available.

Each guest machine should be directly accessible via SSH from the outside world.

Right now we assign a separate domain name to each guest machine, pointing to one of the few available IPs. We also assign a port number to that guest machine.

So, to access the machine named foo, one should do as follows:

$ ssh foo.example.com -p 12345

...And to access the machine named bar:

$ ssh bar.example.com -p 12346

Both foo.example.com and bar.example.com point to the same IP.

Is it possible to somehow get rid of custom ports in this configuration and configure the SSH server listening at that IP (or a firewall or whatever on the server side) so that it routes the incoming connection to the correct guest machine based on the domain address, so that the following works as intended?

$ ssh foo.example.com hostname # prints foo
$ ssh bar.example.com hostname # prints bar

Note that I do know about .ssh/config and related client-side configuration solutions; we're using that now. This question is specifically about a zero-client-configuration solution.


Answer

                 foo
               /
Client ----- Xen server
               \
                 bar

It sounds like SSH Gateway is what you're looking for.

Firstly, create 2 new users foo, bar on the Xen server:

Xen # useradd foo
Xen # useradd bar

Generate key pairs and copy the public key to the foo-server and bar-server:

Xen # su - foo
Xen $ ssh-keygen
Xen $ ssh-copy-id -i ~/.ssh/id_rsa.pub foo-user@foo-server

(Do the same for the bar user)

Now, from the Xen server (SSH Gateway) you can log in to the foo-server and bar-server without a password prompt.

The next step is to let the Client authenticate to the Xen server with a public key:

Client $ ssh-keygen
Client $ ssh-copy-id -i ~/.ssh/id_rsa.pub foo@Xen

and the final step is to make the Xen server open a second connection to the corresponding internal server. Log in to Xen, switch to foo, open the ~/.ssh/authorized_keys file and change:

ssh-rsa AAAAB3N...== user@clienthost

to:

command="ssh -t -t foo-user@foo-server" ssh-rsa AAAAB3N...== user@clienthost

The sample result:

$ ssh foo-user@Xen
Last login: Thu Nov 10 13:02:25 2011 from Client
$ id
uid=500(foo-user) gid=500(foo-user) groups=500(foo-user) context=user_u:system_r:unconfined_t
$ exit
logout

Connection to foo-server closed.
Connection to Xen closed.

$ ssh bar-user@Xen
Last login: Thu Nov 10 11:28:52 2011 from Client
$ id
uid=500(bar-user) gid=500(bar-user) groups=500(bar-user) context=user_u:system_r:unconfined_t
$ exit
logout

Connection to bar-server closed.
Connection to Xen closed.
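
An added example, not part of the original answer: a POSIX shell helper that generates the authorized_keys line for one gateway user, adding the forwarding restrictions that a bare command="..." line leaves open and relaying $SSH_ORIGINAL_COMMAND so the non-interactive form from the question (ssh foo.example.com hostname) reaches the guest instead of being dropped. It assumes OpenSSH 7.2 or newer on the gateway (for the restrict option); the guest user/host names and the sample key below are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original answer): emit one hardened
# authorized_keys line for a gateway user such as "foo" on the Xen host.

# Only allow names that are safe to embed in the forced command string
# (a quote or ';' in a name would break out of command="...").
is_safe_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: gateway_key_entry <guest-user> <guest-host> "<type> <base64> [comment]"
gateway_key_entry() {
    user=$1
    host=$2
    pubkey=$3
    if ! is_safe_name "$user" || ! is_safe_name "$host"; then
        echo "gateway_key_entry: unsafe user or host name" >&2
        return 1
    fi
    # Require a plain OpenSSH public key line before prepending options.
    case "$pubkey" in
        "ssh-ed25519 "[A-Za-z0-9+/]*|"ssh-rsa "[A-Za-z0-9+/]*|"ecdsa-sha2-nistp256 "[A-Za-z0-9+/]*) ;;
        *) echo "gateway_key_entry: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    # restrict : no port/agent/X11 forwarding, no pty, no user rc (OpenSSH >= 7.2)
    # pty      : re-allow a terminal, which the interactive login needs
    # command  : run on the gateway instead of whatever the client asked for;
    #            $SSH_ORIGINAL_COMMAND is expanded at login time, so
    #            "ssh foo.example.com hostname" is relayed to the guest
    #            (an empty command still gives an interactive shell).
    printf 'restrict,pty,command="exec ssh -t -t %s@%s -- \\"$SSH_ORIGINAL_COMMAND\\"" %s\n' \
        "$user" "$host" "$pubkey"
}

# Constructed sample input (not a real key): the client's public key line.
sample_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey0000000000000 user@clienthost'
gateway_key_entry foo-user foo-server "$sample_key"
```

Append the printed line to ~foo/.ssh/authorized_keys on the gateway in place of the unrestricted entry; a client connecting with that key can then only reach foo-server, with no tunnels or agent forwarding through the gateway.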
