Have sshd forward logins of git user to a (GitLab) Docker container

Question

I would like to configure sshd on my host machine to forward public key logins of a certain user to a Docker container that runs its own sshd service.

To give some conte

Answer 1

I found a simple workaround to this. Just create a Git user on the host machine and provide a proxy script that executes the given Git commands in the GitLab container using the host's SSH daemon and the .ssh/authorized_keys from the container volume.

1. On the host machine, add the user git using the same UID & GID as in the GitLab docker container (998) and set your GitLab data directory as the user's home:

   useradd -u 998 -s /bin/bash -d /your/gitlab/path/data git
   

2. Add the git user to the docker group

   usermod -G docker git
   

3. Add a proxy script /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell on the host machine with the following contents:

   #!/bin/bash
   docker exec -i -u git <your_gitlab_container_id> sh -c "SSH_CONNECTION='$SSH_CONNECTION' SSH_ORIGINAL_COMMAND='$SSH_ORIGINAL_COMMAND' $0 $1"
   

Answer 2

Another (untested) possibility could be that you forward the connection from the host into the container by adding it to the authorized_keys file of the git user as such:

command="nc -q0 gitlab 22" ssh-rsa AAAAB....[REST OF YOUR PUBKEY]

The git user should be created on the host machine. now when you connect with "ssh git@host", this connection should be forwarded with "nc" to the gitlab container.

Obviously that also requires to have all the gitlab ssh keys copied with the command prefix to the host machine

However this works only if the gitlab container is not in an isolated network and the host container has actually the possibility to connect to the gitlab port 22.

In my setup, this did not work since gitlab is in an isolated network, so I ended up running gitlab ssh on another port:

• Start the container with -p 20022:22
• add gitlab_rails['gitlab_shell_ssh_port'] = 20022 to your gitlab.rb config

Answer 3

I'm trying to push my git repos through my host into a docker machine. I played a little with the ForceCommand option. This works for me ;)

Match User git
  ForceCommand ssh git@localhost -p 9022 $SSH_ORIGINAL_COMMAND

Answer 4

What you are proposing would make the users required to authenticate twice. Once with your server and for the second time to your gitlab in docker, which is basically something you don't want.

When you mention public key authentication, it would require to share the authorized keys file or command from your gitlab with your host machine somehow.

I believe it is possible, but much easier is to open that port.

From the client side, you can do the same with ProxyCommand like this:

Hostname your-gitlab
  ProxyCommand ssh -W localhost:<GitLab port> git@your-git-host