Have sshd forward logins of git user to a (GitLab) Docker container

I would like to configure sshd on my host machine to forward public key logins of a certain user to a Docker container that runs its own sshd service.

To give some context, I have GitLab running in a Docker container and I dislike opening another port on the host machine for the SSH GitLab communication but instead have sshd on the host machine redirect user and key directly to the port the GitLab exposes on the local machine.

My idea is to do something like this:

    Match User git
      ForceCommand ssh -p <GitLab port> <some arguments that forward to> git@localhost
      ...

Help is greatly appreciated!

3 Solutions collected from the web for “Have sshd forward logins of git user to a (GitLab) Docker container”

I found a simple workaround to this. Just create a Git user on the host machine and provide a proxy script that executes the given Git commands in the GitLab container using the host’s SSH daemon and the .ssh/authorized_keys from the container volume.

1. On the host machine, add the user git using the same UID & GID as in the GitLab docker container (998) and set your GitLab data directory as the user’s home:

       useradd -u 998 -s /bin/bash -d /your/gitlab/path/data git

2. Add the git user to the docker group:

       usermod -aG docker git

3. Add a proxy script /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell on the host machine with the following contents:

       #!/bin/bash
       # sshd invokes this as "<script path> key-<id>" (the forced command GitLab
       # writes into authorized_keys). Run the real gitlab-shell at the same path
       # inside the container. The SSH variables are passed as separate argv
       # entries to env(1), so their contents are never re-parsed by a shell.
       exec docker exec -i -u git <your_gitlab_container_id> \
         env SSH_CONNECTION="$SSH_CONNECTION" \
             SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" \
             "$0" "$@"

What you are proposing would require the users to authenticate twice: once with your server and a second time with your gitlab in docker, which is basically something you don’t want.

When you mention public key authentication, it would require sharing the authorized keys file or command from your gitlab with your host machine somehow.

I believe it is possible, but much easier is to open that port.

From the client side, you can do the same with ProxyCommand like this:

    Host your-gitlab
      ProxyCommand ssh -W localhost:<GitLab port> git@your-git-host

Another (untested) possibility could be that you forward the connection from the host into the container by adding it to the authorized_keys file of the git user as such:

    command="nc -q0 gitlab 22" ssh-rsa AAAAB....[REST OF YOUR PUBKEY]

The git user should be created on the host machine. Now when you connect with “ssh git@host”, this connection should be forwarded with “nc” to the gitlab container.

Obviously that also requires having all the gitlab ssh keys copied, with the command prefix, to the host machine.

However, this works only if the gitlab container is not in an isolated network and the host actually has the possibility to connect to the gitlab port 22.

In my setup, this did not work since gitlab is in an isolated network, so I ended up running gitlab ssh on another port:

• Start the container with -p 20022:22
• add gitlab_rails['gitlab_shell_ssh_port'] = 20022 to your gitlab.rb config
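The step above, copying every GitLab key to the host with the forwarding command prefix, can be scripted. The following is an added example, not code from any of the answers: it rewrites a GitLab container's authorized_keys into host-side lines for the git user, replacing GitLab's own forced command with the `nc` forward and keeping the restrictive options so the host key can do nothing but forward. The container name `gitlab` and port 22 are assumptions (override with `forward_keys "<host> <port>"`), the sample keys are constructed, and it also accepts ecdsa and sk- key types beyond the ssh-rsa case shown above.

```shell
#!/bin/sh
# Constructed sample of a GitLab container's authorized_keys (key material is fake).
SAMPLE_KEYS='command="/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell key-1",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3FAKEKEYONE== user1@example
# comment lines and blank lines are skipped

ssh-ed25519 AAAAC3FAKEKEYTWO user2@example'

# Rewrite authorized_keys lines (stdin) into host-side lines (stdout) whose only
# permitted action is forwarding the session into the container sshd.
# $1 is "<host> <port>" of the container as seen from the host (assumed default: gitlab 22).
forward_keys() {
  awk -v cmd="nc -q0 ${1:-gitlab 22}" '
    NF == 0 || /^[[:space:]]*#/ { next }
    {
      # Locate the key type field; everything before it is the container side
      # option string (GitLab forced command), which is replaced wholesale.
      # The trailing comment is dropped so no GitLab-internal data leaks to the host.
      for (i = 1; i < NF; i++) {
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com)$/) {
          printf "command=\"%s\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s\n", cmd, $i, $(i + 1)
          break
        }
      }
    }'
}

# Stand-alone usage on the host (path assumed):
#   printf '%s\n' "$SAMPLE_KEYS" | forward_keys > /home/git/.ssh/authorized_keys
```

Re-run it whenever GitLab's key file changes, since keys added in the container are not visible to the host sshd until they are rewritten here.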