Have sshd forward logins of git user to a (GitLab) Docker container

I would like to configure sshd on my host machine to forward public key logins of a certain user to a Docker container that runs its own sshd service.

To give some context, I have GitLab running in a Docker container and I dislike opening another port on the host machine for the SSH GitLab communication but instead have sshd on the host machine redirect user and key directly to the port the GitLab exposes on the local machine.

  • Multiple storage drivers panic in private registry
  • Ansible docker_container 'no Host in request URL', docker pull works correctly
  • Error while Creating Docker Container in Azure with ASP.NET Core
  • Docker cloning - permission denied
  • How to setup xdebug and PhpStorm with docker for Windows (beta)
  • Permissions issue with Docker and Mac OSX
  • My idea is to do something like this:

    Match User git
      ForceCommand ssh -p <GitLab port> <some arguments that forward to> git@localhost

    Help is greatly appreciated!

  • Artifactory Professional License - NFS
  • Get Docker Container Names
  • Kubernetes : hostname regex failed
  • Docker container doesn't expose ports when --net=host is mentioned in the docker run command
  • Exposing a port on a live Docker container
  • Rails app in docker container doesn't reload in development
  • 3 Solutions collect form web for “Have sshd forward logins of git user to a (GitLab) Docker container”

    I found a simple workaround to this. Just create a Git user on the host machine and provide a proxy script that executes the given Git commands in the GitLab container using the host’s SSH daemon and the .ssh/authorized_keys from the container volume.

    1. On the host machine, add the user git using the same UID & GID as in the GitLab docker container (998) and set your GitLab data directory as the user’s home:

      useradd -u 998 -s /bin/bash -d /your/gitlab/path/data git
    2. Add the git user to the docker group

      usermod -G docker git
    3. Add a proxy script /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell on the host machine with the following contents:

      docker exec -i -u git <your_gitlab_container_id> sh -c "SSH_CONNECTION='$SSH_CONNECTION' SSH_ORIGINAL_COMMAND='$SSH_ORIGINAL_COMMAND' $0 $1"

    What you are proposing would make the users required to authenticate twice. Once with your server and for the second time to your gitlab in docker, which is basically something you don’t want.

    When you mention public key authentication, it would require to share the authorized keys file or command from your gitlab with your host machine somehow.

    I believe it is possible, but much easier is to open that port.

    From the client side, you can do the same with ProxyCommand like this:

    Hostname your-gitlab
      ProxyCommand ssh -W localhost:<GitLab port> git@your-git-host

    Another (untested) possibility could be that you forward the connection from the host into the container by adding it to the authorized_keys file of the git user as such:

    command="nc -q0 gitlab 22" ssh-rsa AAAAB....[REST OF YOUR PUBKEY]

    The git user should be created on the host machine. now when you connect with “ssh git@host”, this connection should be forwarded with “nc” to the gitlab container.

    Obviously that also requires to have all the gitlab ssh keys copied with the command prefix to the host machine

    However this works only if the gitlab container is not in an isolated network and the host container has actually the possibility to connect to the gitlab port 22.

    In my setup, this did not work since gitlab is in an isolated network, so I ended up running gitlab ssh on another port:

    • Start the container with -p 20022:22
    • add gitlab_rails['gitlab_shell_ssh_port'] = 20022 to your gitlab.rb config
    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.