Table of contents

Route ssh git user to a specific container

%3 cluster_aa01390b_bd42_4b9f_bc8b_66130c769fa6 Route ssh git user to a specific container cluster_a03ac451_b99f_4a85_93a5_77f95ff5c28a Installing and configuring sshpiper cluster_0824ae91_c37e_4e3c_9aa2_a3ef938b62b2 Workdir files _e12da987_18c6_473c_a353_e239d90dda6c Software used _a5aef7b1_80de_4d92_a68f_f207a706f8c2 Running the piper _fbabfe28_28fc_44fe_8054_eb141a97bcf5 Final result _809b95c2_078d_45d0_a73b_8e39eb97e0a1 Authorized keys _34738988_db1c_4ae1_8ba5_66b31dd9b558 id_rsa _97442a41_0b7a_4d18_91c7_baa80960bf7a sshpiper_upstream _123f3921_366e_4df0_a930_2565ccd7370a Installation _3fbf12bd_c40e_41b0_963a_63cc9b5b4c5e Base configuration _c2680402_2f06_417d_b601_aa6ab43ba85d Configuring the host ssh in a different port _5a895a21_132a_44e3_8105_1f6f0c094bc2 Systems Administration __0:cluster_aa01390b_bd42_4b9f_bc8b_66130c769fa6->_5a895a21_132a_44e3_8105_1f6f0c094bc2

Maybe you have a server which is hosting a git service, and you want to be able to use port 22 for accessing the server ssh while also being able to use ssh keys to push to git (without further configuration). Let's see how can we do this.

Configuring the host ssh in a different port

sshpiper will take the connection on port 22, so let's move the server's openssh service to another port.

Edit /etc/ssh/sshd_config, look for a like line Port 22 (or create it) and chage it to Port 1022, then run systemctl reload sshd.

Even after this operation the connection should still be open, but from here on, and until the sshpiper is configured we'll have to connect to our server pointing to that port, with ssh -p 1022 user@server.

Installing and configuring sshpiper

First things first, you'll make a program handle the authentication of one (or several) of your servers, right? So you really should take a look at how sshpiper works to at least have a general understanding. There's no hurry, I'll be here when you finish.

Installation

Install golang, on debian-derived distros: sudo apt install golang(and configure golang)

Download and install tg123's sshpiper

go get github.com/tg123/sshpiper/sshpiperd
  go install github.com/tg123/sshpiper/sshpiperd

Base configuration

We'll create a workdir directory, in there we'll define the following rules:

Incoming Outgoing user@server:port
root root@localhost:1022
gitea gitea@git.server:22

For this, create a directory piper-workdir (can be any name) and create a directory inside for each accepted user:

  $ tree piper-workdir/
  piper-workdir/
  ├── gitea
  └── root

  2 directories, 0 files

Ok, now we'll have to fill this directories with some files, to understand why this files are needed we have to keep in mind howsshpiper works. After this is setup, the connections will flow like this

  Client       SSH piper
     1.
  -->-------->-| Receives connection, decodes it (needed to know the user)
               | And reencodes it, sending it again
               |       2.
               |--------->---------->-------->---------> Final server

Keep in mind that in this schema, the sshpiper server can read when goes through it! (And can record it if launched with--record_typescript).

Workdir files

So, having the previous in mind (and with the goal of a public-key based authentication), each user directory on the workdir needs 4 files:

  • sshpiper_upstream: Information about where to make the connection to.

  • authorized_keys: To allow authentication with that user based on a SSH public key.

  • id_rsa & id_rsa.pub: A SSH public/private key pair for the second part of the communication.

sshpiper_upstream

This file only requires a single non-empty line with the following syntax, pointing to the server where the communication will be forwarded:

  [user@]upstream-server[:22]

The default user will be the one that made the original connection, and the default port 22 (the default SSH one).

Comment lines can be added starting them with #.

For example, the sshpiper_upstream file for root might be

# Pipe the root user to the local server (now on port 1022)
  root@localhost:1022

Authorized keys

A list of the public keys that are allowed to use that user, you can obtain one for the key in your local machine doing

cat ~/.ssh/id_rsa.pub

(If that command fails, run ssh-keygen before).

New keys can be appended at the end of the file, just adding a line jump between different keys.

id_rsa

A public/private SSH key pair, can be generated like this

  ssh-keygen -f workdir/USER/id_rsa

Keep in mind that the id_rsa.pub on will have to be added to the~/.ssh/authorized_keys of the target machine. This is unless it has another way to add the keys, like git web interfaces (github, gitlab, gitea, ...)

Final result

The final result should be something like this

  $ tree piper-workdir/
  piper-workdir/
  ├── gitea
  │   ├── authorized_keys
  │   ├── id_rsa
  │   ├── id_rsa.pub
  │   └── sshpiper_upstream
  └── root
      ├── authorized_keys
      ├── id_rsa
      ├── id_rsa.pub
      └── sshpiper_upstream

  2 directories, 8 files

Running the piper

After this step is completed, only remains to launch sshpiper, this can be done like

$GOPATH/bin/sshpiperd -p 22 -w piper-workdir/
  SSHPiper ver: DEV by Boshi Lian<farmer1992@gmail.com>
  https://github.com/tg123/sshpiper

  go runtime  : go1.7.4
  git hash    : 0000000000

  Listening             : 0.0.0.0:22
  Server Key File       : /etc/ssh/ssh_host_rsa_key
  Working Dir           : piper-workdir/
  Additional Challenger :
  Logging file          : stdout

  2018/02/07 00:50:49 SSHPiperd started
  ...