[CLIENT] --> [FRONT-END SSH-SERVER] --> [BACK-END GIT SSH-SERVER]

On Git back-end server

Create the keys for your users as usual (in this example, we assume Gitlab, so the web interface is enough)

Go to the file /var/opt/gitlab/.ssh/authorized_keys and copy all entries. An example of the contents of this file with two users could be:

command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3Nz...rbR6L75887 user1@gmail.com
command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-2",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1...hVE/141 user2@hotmail.com


On front-end (intermediate) server

Create the user git, and create and edit the .ssh/authorized_keys file.
sudo adduser git
su git
mkdir .ssh
touch ./ssh/authorized_keys && chmod 700 .ssh/authorized_keys


Paste the contents of the file, but by replacing the “command” in each entry with this content:

command="ssh git@backend-server $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3Nz...rbR6L75887 user1@gmail.com
command="ssh git@backend-server $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3NzaC1...hVE/141 user2@hotmail.com


On client machine

Create or edit your .ssh/config file by adding the following entry:
host frontend-server-name.com
hostname frontend-server-name.com
user git
identityfile /home/user1/.ssh/id_rsa
ForwardAgent yes

The important element here is ForwardAgent which allows the intermediate server to use our key when login via ssh to the backend server. You may need to add the key explicity to the SSH agent via:

ssh-add /home/user1/.ssh/id_rsa