Create a SSH gateway for Git SSH backends

This post shows how to connect to a Gitlab (or any Git SSH server) private server via SSH through a front-end public server you own.

[CLIENT] --> [FRONT-END SSH-SERVER] --> [BACK-END GIT SSH-SERVER]

On Git back-end server

Create the keys for your users as usual (in this example, we assume Gitlab, so the web interface is enough)

Go to the file /var/opt/gitlab/.ssh/authorized_keys and copy all entries. An example of the contents of this file with two users could be:

command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3Nz...rbR6L75887 user1@gmail.com
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1...hVE/141 user2@hotmail.com

On front-end (intermediate) server

Create the user git, and create and edit the .ssh/authorized_keys file.
sudo adduser git
su git
mkdir .ssh
touch ./ssh/authorized_keys && chmod 700 .ssh/authorized_keys

Paste the contents of the file, but by replacing the “command” in each entry with this content:

command="ssh git@backend-server $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3Nz...rbR6L75887 user1@gmail.com
command="ssh git@backend-server $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3NzaC1...hVE/141 user2@hotmail.com

On client machine

Create or edit your .ssh/config file by adding the following entry:
host frontend-server-name.com
hostname frontend-server-name.com
user git
identityfile /home/user1/.ssh/id_rsa
ForwardAgent yes

The important element here is ForwardAgent which allows the intermediate server to use our key when login via ssh to the backend server. You may need to add the key explicity to the SSH agent via:

ssh-add /home/user1/.ssh/id_rsa

Deja un comentario