Have sshd for git user login for Docker container (GitLab)

I would like to configure sshd on my host machine to forward the public-key logins of a specific user to a Docker container that runs its own sshd service.

To give some context: I have GitLab running in a Docker container, and I don't like opening another port on the host machine for GitLab's SSH traffic. Instead, sshd on the host machine should redirect the user and key directly to the port that GitLab exposes on the local machine.

My idea is to do something like this:

 Match User git
     ForceCommand ssh -p <GitLab port> <some arguments that forward to> git@localhost ...

Help is greatly appreciated!

+7
git gitlab docker ssh sshd
4 answers

I found a simple workaround. Just create a git user on the host machine and provide a proxy script that executes the given git commands in the GitLab container via the host's SSH daemon, using .ssh/authorized_keys from the container volume.

  • On the host machine, add the git user with the same UID and GID as in the GitLab Docker container (998), and set your GitLab data directory as the user's home:

     useradd -u 998 -s /bin/bash -d /your/gitlab/path/data git
  • Add the git user to the git group:

     usermod -aG docker git
  • Add the proxy script /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell on the host machine with the following contents:

     #!/bin/bash
     # $0 is this path (the same inside the container), $1 the key id passed by authorized_keys.
     # The variables go in with -e so the container never re-parses them as shell text.
     docker exec -i -u git \
         -e SSH_CONNECTION="$SSH_CONNECTION" -e SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" \
         <your_gitlab_container_id> "$0" "$1"
+6
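The proxy script hands SSH_ORIGINAL_COMMAND to the container, and that value comes straight from the client: a git client sends it as `git-upload-pack 'group/repo.git'`, single quotes included, and anyone whose key is in authorized_keys can send whatever they like. If the value is spliced into a string that `sh -c` re-parses, the quotes silently disappear, and a crafted value runs shell commands inside the container as the git user. The script below is an added example, not code from the answer above or from GitLab; it replaces `docker exec` with plain `sh -c` and `env` so it runs offline, and feeds two constructed command strings through both patterns so the difference is visible.

```shell
#!/bin/sh
# Added example, not code from the answer above. Stand-ins for the two ways the
# proxy script can hand SSH_ORIGINAL_COMMAND into the container: spliced into a
# string that "sh -c" re-parses, or passed via the environment (docker exec -e).

# Constructed inputs. The first is what a normal git client sends (note the
# single quotes); the second is what a hostile but authenticated key holder could send.
GIT_CMD="git-upload-pack 'group/repo.git'"
EVIL_CMD="git-upload-pack x'; echo INJECTED; : '"

# Pattern of the original script: sh -c "SSH_ORIGINAL_COMMAND='$1' <gitlab-shell>".
# Any single quote in the value ends the quoted section early, so the rest of
# the value is parsed as shell syntax. printenv stands in for gitlab-shell.
interpolated() {
    sh -c "SSH_ORIGINAL_COMMAND='$1' printenv SSH_ORIGINAL_COMMAND" 2>/dev/null || :
}

# Hardened pattern: the value travels as an environment variable and is never
# re-parsed by a shell, which is what "docker exec -e SSH_ORIGINAL_COMMAND=..." does.
env_passed() {
    env SSH_ORIGINAL_COMMAND="$1" printenv SSH_ORIGINAL_COMMAND
}

echo "interpolated, normal client:  $(interpolated "$GIT_CMD")"   # quotes silently dropped
echo "env, normal client:           $(env_passed "$GIT_CMD")"     # value intact
echo "interpolated, hostile client: $(interpolated "$EVIL_CMD")"  # the injected echo ran
echo "env, hostile client:          $(env_passed "$EVIL_CMD")"    # just data
```

Passing the variables with `-e` also keeps the key id in `$1` and the original command intact on the way to gitlab-shell, so GitLab still attributes the push to the key that actually connected. A host-side ForceCommand that re-runs `ssh git@localhost -p <port>` authenticates that inner hop with the host git user's own key, so GitLab would see every pusher as that one key's owner; the client-side `ProxyCommand ssh -W` variant avoids this because the client's own key still authenticates to GitLab's sshd end to end.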

What you propose will force users to authenticate twice: once with your server and a second time with your GitLab in Docker, which is basically what you don't want.

Since you mention public-key authentication, this would require sharing the authorized keys file (or AuthorizedKeysCommand) from your GitLab with your main machine.

I think this is possible, but it is much easier to open the port.

On the client side, you can do the same with ProxyCommand as follows:

 Host your-gitlab
     ProxyCommand ssh -W localhost:<GitLab port> git@your-git-host
+1

Another (untested) possibility may be to forward the connection from the host to the container by adding an entry like this to the git user's authorized_keys file:

 command="nc -q0 gitlab 22" ssh-rsa AAAAB....[REST OF YOUR PUBKEY] 

The git user must be created on the host machine. Now when you connect with "ssh git@host", the connection should be redirected using "nc" to the GitLab container.

Obviously, all GitLab SSH keys must also be copied to the host machine with the command prefix.

However, this only works if the GitLab container is not on an isolated network and the host is able to connect to GitLab's port 22.

In my setup this did not work, since GitLab is on an isolated network, so I ended up exposing GitLab SSH on a different port:

  • Run the container with -p 20022:22
  • Add gitlab_rails['gitlab_shell_ssh_port'] = 20022 to the gitlab.rb configuration
0

I am trying to push my git repositories through my host into a Docker machine. I played a little with the ForceCommand option. This works for me ;)

 Match User git
     ForceCommand ssh git@localhost -p 9022 $SSH_ORIGINAL_COMMAND
0
