Home / server / Questions / 329529
Accepted
Alexander Gladysh
Asked: 2011-11-10 15:10:31 +0800 CST

"Virtual hosts" for SSH [duplicate]

  • 772

We have a remote Xen server running a lot of guest machines (on Linux), with only a couple of IPs available.

Each guest machine should be directly accessible by the SSH from the outer world.

Right now we assign a separate domain name to each guest machine, pointing to one of the few available IPs. We also assign a port number to that guest machine.

So, to access machine named foo, one should do as follows:

$ ssh foo.example.com -p 12345

...And to access machine named bar:

$ ssh bar.example.com -p 12346

Both foo.example.com and bar.example.com point to the same IP.

Is it possible to somehow get rid of custom ports in this configuration and configure SSH server, listening at that IP (or firewall or whatever on server side), so it would route the incoming connection to the correct guest machine, based on the domain address, so that following works as intended?

$ ssh foo.example.com hostname # prints foo
$ ssh bar.example.com hostname # prints bar

Note that I do know about .ssh/config and related client-side configuration solutions, we're using that now. This question is specifically about a zero client configuration solution.

linux ssh

4 Answers

  1. Best Answer
                             foo  
                        /
Client ----- Xen server
                        \
                         bar

    It sounds like SSH Gateway is what you're looking for.

    Firstly, create 2 new users foo, bar on the Xen server:

    Xen # useradd foo
Xen # useradd bar

    Generate key pairs and copy public key to the foo-server and bar-server:

    Xen # su - foo
Xen $ ssh-keygen
Xen $ ssh-copy-id -i ~/.ssh/id_rsa.pub foo-user@foo-server

    (Do the same for bar user)

    Now, from the Xen server (SSH Gateway) you can login to the foo-server and bar-server without password prompt.

    The next step is to let the Client authenticate to the Xen server with public key:

    Client $ ssh-keygen
Client $ ssh-copy-id -i ~/.ssh/id_rsa.pub foo@Xen

    and the final step is make Xen server open a second connection to the corresponding internal server. Access to Xen, switch to foo, open the ~/.ssh/authorized_keys file and change:

    ssh-rsa AAAAB3N...== user@clienthost

    to:

    command="ssh -t -t foo-user@foo-server" ssh-rsa AAAAB3N...== user@clienthost

    The sample result:

    $ ssh foo-user@Xen
Last login: Thu Nov 10 13:02:25 2011 from Client
$ id
uid=500(foo-user) gid=500(foo-user) groups=500(foo-user) context=user_u:system_r:unconfined_t
$ exit
logout

Connection to foo-server closed.
Connection to Xen closed.

    $ ssh bar-user@Xen
Last login: Thu Nov 10 11:28:52 2011 from Client
$ id
uid=500(bar-user) gid=500(bar-user) groups=500(bar-user) context=user_u:system_r:unconfined_t
$ exit
logout

Connection to bar-server closed.
Connection to Xen closed.
    • 12

  2. Yes, it is possible, but I know of no SSH server or proxy that supports it. You can't use the syntax you suggest though. You'd have to encode the desired host in the user name. For example ssh -u jsmith@foo foo.example.com. The foo.example.com just gives the IP address. The master SSH server running on port 22 would have to 'route' based on what comes after the @ in the user name.

    • 2

  3. As a solution you can use a bonjour, uPNP, DNS/srv based ssh client/wrapper and advertise the services via those protocols. See: http://eric.windisch.us/software/zerossh/

    • 1

  4. This crossed my mind a couple years ago, but it seemed like the answer was no.

    • 0