Have sshd forward logins of git user to a (GitLab) Docker container
To give some context, I have GitLab running in a Docker container and I dislike opening another port on the host machine for the SSH GitLab communication but instead have sshd on the host machine redirect user and key directly to the port the GitLab exposes on the local machine.
My idea is to do something like this:
Match User git ForceCommand ssh -p <GitLab port> <some arguments that forward to> git@localhost ...
Help is greatly appreciated!
3 Solutions collect form web for “Have sshd forward logins of git user to a (GitLab) Docker container”
I found a simple workaround to this. Just create a Git user on the host machine and provide a proxy script that executes the given Git commands in the GitLab container using the host’s SSH daemon and the
.ssh/authorized_keys from the container volume.
On the host machine, add the user
gitusing the same UID & GID as in the GitLab docker container (998) and set your GitLab
datadirectory as the user’s home:
useradd -u 998 -s /bin/bash -d /your/gitlab/path/data git
gituser to the docker group
usermod -G docker git
Add a proxy script
/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shellon the host machine with the following contents:
#!/bin/bash docker exec -i -u git <your_gitlab_container_id> sh -c "SSH_CONNECTION='$SSH_CONNECTION' SSH_ORIGINAL_COMMAND='$SSH_ORIGINAL_COMMAND' $0 $1"
What you are proposing would make the users required to authenticate twice. Once with your server and for the second time to your gitlab in docker, which is basically something you don’t want.
When you mention public key authentication, it would require to share the authorized keys file or command from your gitlab with your host machine somehow.
I believe it is possible, but much easier is to open that port.
From the client side, you can do the same with
ProxyCommand like this:
Hostname your-gitlab ProxyCommand ssh -W localhost:<GitLab port> git@your-git-host
Another (untested) possibility could be that you forward the connection from the host into the container by adding it to the authorized_keys file of the git user as such:
command="nc -q0 gitlab 22" ssh-rsa AAAAB....[REST OF YOUR PUBKEY]
The git user should be created on the host machine. now when you connect with “ssh git@host”, this connection should be forwarded with “nc” to the gitlab container.
Obviously that also requires to have all the gitlab ssh keys copied with the command prefix to the host machine
However this works only if the gitlab container is not in an isolated network and the host container has actually the possibility to connect to the gitlab port 22.
In my setup, this did not work since gitlab is in an isolated network, so I ended up running gitlab ssh on another port:
- Start the container with
gitlab_rails['gitlab_shell_ssh_port'] = 20022to your gitlab.rb config