Route ssh git user to a specific container
Maybe you have a server which hosts a git service, and you want to keep using port 22 to reach the server's own ssh while also being able to push to git over ssh with your keys (and without any further client-side configuration). Let's see how we can do this.
Configuring the host ssh in a different port
sshpiper will take the connection on port 22, so let's move the server's openssh service to another port.
In /etc/ssh/sshd_config, look for a line like
    Port 22
(or create it) and change it to
    Port 1022
then check the configuration with sshd -t and run
    systemctl reload sshd
Your current session stays open after the reload, but from here on, and until sshpiper is configured, you'll have to connect to the server on that port:
    ssh -p 1022 user@server
Do this from a second terminal while the first one is still connected, so a mistake in sshd_config doesn't lock you out.
Installing and configuring sshpiper
First things first: you'll be letting a program handle the authentication of one (or several) of your servers, so you really should take a look at how sshpiper works to at least have a general understanding. There's no hurry, I'll be here when you finish.
Install golang; on Debian-derived distros:
    sudo apt install golang
(and configure your GOPATH). Then download and install tg123's sshpiper:
    go get github.com/tg123/sshpiper/sshpiperd
    go install github.com/tg123/sshpiper/sshpiperd
(This is the GOPATH-style workflow of the Go version used in this post; on Go 1.18 and later go get no longer installs binaries, and go install <module>@<version> is the way to build a tool.)
We'll create a working directory in which we'll define the following rules:

| Incoming | Outgoing user@server:port |
|----------|---------------------------|
| root     | root@localhost:1022       |
| gitea    | email@example.com:22      |
For this, create a directory piper-workdir (it can be any name) and create a directory inside it for each accepted user:
    $ tree piper-workdir/
    piper-workdir/
    ├── gitea
    └── root

    2 directories, 0 files
Ok, now we'll have to fill these directories with some files. To understand why these files are needed we have to keep in mind how sshpiper works. After this is set up, the connections will flow like this:
    Client                  SSH piper                                    Final server
    1. -->-------->-| Receives connection, decodes it (needed to know the user)
                    | And reencodes it, sending it again
    2.              |--------->---------->-------->--------->
Keep in mind that in this schema the sshpiper server can read everything that goes through it! (And can record it if launched with
Also note that the final server only ever sees the piper's key, so the piper's own authorized_keys is what really decides who gets in.
So, having the previous in mind (and with the goal of public-key based authentication), each user directory in the workdir needs 4 files:
sshpiper_upstream: Information about where to make the connection to.
authorized_keys: To allow authentication as that user based on an SSH public key.
id_rsa and id_rsa.pub: An SSH private/public key pair for the second leg of the communication (piper to final server).
sshpiper_upstream
This file only requires a single non-empty line with the syntax user@server:port, pointing to the server where the connection will be forwarded. The user defaults to the one that made the original connection, and the port defaults to 22 (the default SSH one). Comment lines can be added starting them with #.
For example, the sshpiper_upstream file for root might be
    # Pipe the root user to the local server (now on port 1022)
    root@localhost:1022
authorized_keys
A list of the public keys that are allowed to log in as that user, in the same format as a regular ~/.ssh/authorized_keys. You can obtain the one for the key on your local machine by running
(If that command fails, run
New keys can be appended at the end of the file, one key per line.
id_rsa and id_rsa.pub
A private/public SSH key pair for the second leg of the connection (piper to final server). It can be generated like this:
    ssh-keygen -f piper-workdir/USER/id_rsa
Leave the passphrase empty: sshpiperd has to read this private key unattended, so protect it with file permissions (chmod 600) instead. Keep in mind that the id_rsa.pub generated here will have to be added to ~/.ssh/authorized_keys on the target machine, unless it has another way to add keys, like the web interfaces of git services (GitHub, GitLab, Gitea, ...).
The final result should be something like this:
    $ tree piper-workdir/
    piper-workdir/
    ├── gitea
    │   ├── authorized_keys
    │   ├── id_rsa
    │   ├── id_rsa.pub
    │   └── sshpiper_upstream
    └── root
        ├── authorized_keys
        ├── id_rsa
        ├── id_rsa.pub
        └── sshpiper_upstream

    2 directories, 8 files
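Putting the per-user files together, here is a small POSIX shell helper, added as an example (it is not code from the original post or from the sshpiper project). It creates a user directory with the four files, checks an existing working directory for the things that commonly go wrong (a missing file, a private key readable by others, an upstream line that doesn't parse) and resolves a sshpiper_upstream line with the defaults described above. The function names, the workdir path and the sample public key are assumptions; generating the key pair needs ssh-keygen on the machine.

```shell
#!/bin/sh
# Added example, not code from the original post or from sshpiper.
# Builds one per-user directory in the working dir with the four files
# described above, checks a working dir, and resolves a sshpiper_upstream
# line the way the text describes (user defaults to the incoming user,
# port defaults to 22). Function names and paths are assumptions.
set -eu

# resolve_upstream INCOMING_USER FILE
# Prints user@host:port for the first non-comment, non-empty line of FILE,
# filling in the defaults for a missing user or port.
resolve_upstream() {
    incoming=$1
    file=$2
    line=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' | head -n 1)
    if [ -z "$line" ]; then
        echo "no upstream line in $file" >&2
        return 1
    fi
    case $line in
        *@*) user=${line%%@*}; rest=${line#*@} ;;
        *)   user=$incoming;   rest=$line ;;
    esac
    case $rest in
        *:*) host=${rest%%:*}; port=${rest##*:} ;;
        *)   host=$rest;       port=22 ;;
    esac
    echo "$user@$host:$port"
}

# make_piper_user WORKDIR USER UPSTREAM PUBKEY
# Creates WORKDIR/USER with sshpiper_upstream, authorized_keys and the
# id_rsa/id_rsa.pub pair the piper uses for the second leg of the connection.
make_piper_user() {
    workdir=$1
    user=$2
    upstream=$3
    pubkey=$4
    dir="$workdir/$user"
    mkdir -p "$dir"
    printf '# %s -> %s\n%s\n' "$user" "$upstream" "$upstream" > "$dir/sshpiper_upstream"
    # One key per line; append so keys added earlier are kept
    printf '%s\n' "$pubkey" >> "$dir/authorized_keys"
    # sshpiperd reads the private key unattended, so it has no passphrase
    # and is protected by file permissions instead
    if [ ! -f "$dir/id_rsa" ]; then
        if command -v ssh-keygen >/dev/null 2>&1; then
            ssh-keygen -q -t rsa -b 3072 -N '' -C "sshpiper-$user" -f "$dir/id_rsa"
        else
            echo "ssh-keygen not found; generate $dir/id_rsa by hand" >&2
        fi
    fi
    chmod 700 "$dir"
    chmod 600 "$dir/sshpiper_upstream" "$dir/authorized_keys"
    if [ -f "$dir/id_rsa" ]; then
        chmod 600 "$dir/id_rsa"
    fi
}

# check_workdir WORKDIR
# Confirms each user directory has the four files, that the private key is
# not readable by others and that the upstream line parses. Returns 1 on
# any problem, after reporting all of them on stderr.
check_workdir() {
    workdir=$1
    status=0
    for dir in "$workdir"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        for f in sshpiper_upstream authorized_keys id_rsa id_rsa.pub; do
            if [ ! -f "$dir$f" ]; then
                echo "missing: $dir$f" >&2
                status=1
            fi
        done
        if [ -f "${dir}id_rsa" ]; then
            # GNU stat first, BSD stat as fallback
            perms=$(stat -c '%a' "${dir}id_rsa" 2>/dev/null || stat -f '%Lp' "${dir}id_rsa")
            case $perms in
                *00) ;;
                *) echo "private key too open: ${dir}id_rsa ($perms)" >&2; status=1 ;;
            esac
        fi
        if [ -f "${dir}sshpiper_upstream" ]; then
            resolve_upstream "$name" "${dir}sshpiper_upstream" >/dev/null || status=1
        fi
    done
    return $status
}
```

Usage would be make_piper_user piper-workdir gitea email@example.com:22 "$(cat ~/.ssh/id_ed25519.pub)" followed by check_workdir piper-workdir before starting the piper; the check is worth re-running whenever a key or upstream is edited by hand.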
Running the piper
After this step is completed, all that remains is to launch sshpiper, which can be done like this:
    $GOPATH/bin/sshpiperd -p 22 -w piper-workdir/
    SSHPiper ver: DEV by Boshi Lian<firstname.lastname@example.org>
    https://github.com/tg123/sshpiper

    go runtime : go1.7.4
    git hash : 0000000000

    Listening : 0.0.0.0:22
    Server Key File : /etc/ssh/ssh_host_rsa_key
    Working Dir : piper-workdir/
    Additional Challenger :
    Logging file : stdout

    2018/02/07 00:50:49 SSHPiperd started ...
Binding port 22 and reading /etc/ssh/ssh_host_rsa_key both need root. Since the piper presents the host's own key, clients that already know the server won't get a host key warning. You can now check both routes from your client: ssh root@server should land on the host's sshd (now on port 1022), and ssh gitea@server on the git service.
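To keep the piper running after you log out and across reboots, here is a systemd unit for it, added as an example (it is not part of the original post or of the sshpiper project). It assumes the binary was copied to /usr/local/bin/sshpiperd and the working directory to /etc/sshpiper; the -p and -w flags are the ones used above.

```ini
# /etc/systemd/system/sshpiperd.service (example unit; paths are assumptions)
[Unit]
Description=sshpiper - route incoming ssh users to upstream servers
After=network.target

[Service]
# Runs as root: it binds port 22 and reads /etc/ssh/ssh_host_rsa_key
ExecStart=/usr/local/bin/sshpiperd -p 22 -w /etc/sshpiper
Restart=on-failure
# Keep the process from regaining privileges or touching more than it needs
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target
```

Enable it with systemctl daemon-reload and systemctl enable --now sshpiperd, and follow its output with journalctl -u sshpiperd -f, since the piper logs to stdout. Start it only after the host sshd has actually moved off port 22, or the bind will fail.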