
Have sshd forward logins of git user to a (GitLab) Docker container

I would like to configure sshd on my host machine to forward public key logins of a certain user to a Docker container that runs its own sshd service.

To give some context, I have GitLab running in a Docker container, and I dislike opening another port on the host machine for the GitLab SSH communication. Instead, I would like to have sshd on the host machine redirect user and key directly to the port that GitLab exposes on the local machine.

My idea is to do something like this:

    Match User git
      ForceCommand ssh -p <GitLab port> <some arguments that forward to> git@localhost
      ...

Help is greatly appreciated!

kwizzn asked Oct 09 '15 16:10


1 Answer

I found a simple workaround to this. Just create a Git user on the host machine and provide a proxy script that executes the given Git commands in the GitLab container using the host's SSH daemon and the .ssh/authorized_keys from the container volume.

  1. On the host machine, add the user git using the same UID & GID as in the GitLab docker container (998) and set your GitLab data directory as the user's home:

    useradd -u 998 -s /bin/bash -d /your/gitlab/path/data git
    
  2. Add the git user to the docker group

    usermod -aG docker git
    
  3. Add a proxy script /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell on the host machine with the following contents:

    #!/bin/bash
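    # Pass the SSH variables with -e rather than splicing them into an "sh -c" string, so quotes in the client's command cannot break out of it.
    docker exec -i -u git -e "SSH_CONNECTION=$SSH_CONNECTION" -e "SSH_ORIGINAL_COMMAND=$SSH_ORIGINAL_COMMAND" <your_gitlab_container_id> "$0" "$@"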
    
kwizzn answered Oct 05 '22 03:10
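
An added example, not part of the original answer: a variant of the host proxy script that checks `SSH_ORIGINAL_COMMAND` against an allowlist before forwarding it into the container. The container name `gitlab` and the three-command allowlist are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not the answer's script: same proxy, plus an allowlist check.
GITLAB_CONTAINER="${GITLAB_CONTAINER:-gitlab}"   # hypothetical container name

# Succeeds for an empty command (plain "ssh git@host") or for one Git transport
# command followed by exactly one repository path; fails for anything else.
is_allowed_git_command() {
    cmd=$1
    [ -n "$cmd" ] || return 0
    verb=${cmd%% *}
    case "$verb" in
        git-upload-pack|git-receive-pack|git-upload-archive) ;;
        *) return 1 ;;
    esac
    [ "$verb" != "$cmd" ] || return 1      # repository argument is mandatory
    repo=${cmd#* }
    repo=${repo#\'}; repo=${repo%\'}       # git clients single-quote the path
    case "$repo" in
        ''|*[!A-Za-z0-9/._-]*|*..*) return 1 ;;   # shell metacharacters, spaces, ".."
    esac
    return 0
}

proxy_main() {
    if ! is_allowed_git_command "${SSH_ORIGINAL_COMMAND:-}"; then
        echo "gitlab proxy: command not allowed" >&2
        return 1
    fi
    # Values travel as environment entries and argv, never through "sh -c".
    exec docker exec -i -u git \
        -e "SSH_CONNECTION=${SSH_CONNECTION:-}" \
        -e "SSH_ORIGINAL_COMMAND=${SSH_ORIGINAL_COMMAND:-}" \
        "$GITLAB_CONTAINER" "$0" "$@"
}

# sshd calls the script with the argument from authorized_keys; with no
# argument the file only defines the functions above.
[ "$#" -eq 0 ] || proxy_main "$@"
```

Membership in the docker group lets the git account start arbitrary containers on the host, so the host-side check narrows what a forwarded session can reach but does not replace restricting that account.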