We have a remote Xen server running a lot of guest machines (on Linux), with only a couple of IPs available.
Each guest machine should be directly accessible by the SSH from the outer world.
Right now we assign a separate domain name to each guest machine, pointing to one of the few available IPs. We also assign a port number to that guest machine.
So, to access machine named foo
, one should do as follows:
$ ssh foo.example.com -p 12345
...And to access machine named bar
:
$ ssh bar.example.com -p 12346
Both foo.example.com
and bar.example.com
point to the same IP.
Is it possible to somehow get rid of custom ports in this configuration and configure SSH server, listening at that IP (or firewall or whatever on server side), so it would route the incoming connection to the correct guest machine, based on the domain address, so that following works as intended?
$ ssh foo.example.com hostname # prints foo
$ ssh bar.example.com hostname # prints bar
Note that I do know about .ssh/config
and related client-side configuration solutions, we're using that now. This question is specifically about a zero client configuration solution.
Answer
foo
/
Client ----- Xen server
\
bar
It sounds like SSH Gateway is what you're looking for.
Firstly, create 2 new users foo
, bar
on the Xen server:
Xen # useradd foo
Xen # useradd bar
Generate key pairs and copy public key to the foo-server
and bar-server
:
Xen # su - foo
Xen $ ssh-keygen
Xen $ ssh-copy-id -i ~/.ssh/id_rsa.pub foo-user@foo-server
(Do the same for bar
user)
Now, from the Xen server (SSH Gateway) you can login to the foo-server
and bar-server
without password prompt.
The next step is to let the Client
authenticate to the Xen server
with public key:
Client $ ssh-keygen
Client $ ssh-copy-id -i ~/.ssh/id_rsa.pub foo@Xen
and the final step is make Xen server
open a second connection to the corresponding internal server. Access to Xen, switch to foo
, open the ~/.ssh/authorized_keys
file and change:
ssh-rsa AAAAB3N...== user@clienthost
to:
command="ssh -t -t foo-user@foo-server" ssh-rsa AAAAB3N...== user@clienthost
The sample result:
$ ssh foo-user@Xen
Last login: Thu Nov 10 13:02:25 2011 from Client
$ id
uid=500(foo-user) gid=500(foo-user) groups=500(foo-user) context=user_u:system_r:unconfined_t
$ exit
logout
Connection to foo-server closed.
Connection to Xen closed.
$ ssh bar-user@Xen
Last login: Thu Nov 10 11:28:52 2011 from Client
$ id
uid=500(bar-user) gid=500(bar-user) groups=500(bar-user) context=user_u:system_r:unconfined_t
$ exit
logout
Connection to bar-server closed.
Connection to Xen closed.
No comments:
Post a Comment