
Introduction

Redirection (rewrite) server for ssh connections.

When a request is received, the service path is checked against a set of rules defined in the configuration. A rule matches only when every match* option set for that rule matches; a new hostname value is then generated. Any named groups captured by the match* regular expressions can be used to generate the newhost value.

Configuration

Section      Option       Value   Description
rule.<name>  matchgroups  regexp  Regular expression to match groupname of connecting user.
             matchhosts   regexp  Regular expression to match hostname part of service path of [<user>@]<hostname>[:<port>].
             matchusers   regexp  Regular expression to match username of connecting user.
             newhost      string  String which can contain Python format settings for substitutions from values collected from match* regular expressions.

Usage

Service to redirect ssh based on hostname, username, group
membership.

/[<user>@]<hostname>[:<port>]/... <args>
    Connect to service ... at <user>@<host>:<port>.

Examples

Substitute Host

Create rule to match macha and return/substitute machb:

[rule.alias-macha-to-machb]
matchhosts=^macha$
newhost=machb

Test rule:

$ ruexec +/ssh/macha/+/exec/shell hostname
macha
$ ruexec +/rssh/macha/+/exec/shell hostname
machb

Create rule to force host machb for user in group abc:

[rule.route-for-group-abc]
matchgroups=abc
newhost=machb

Test rule (user in group xyz):

$ id -g
xyz
$ ruexec +/rssh/macha/+/exec/shell hostname

Test rule (user in group abc):

$ id -g
abc
$ ruexec +/rssh/macha/+/exec/shell hostname
machb
$ ruexec +/rssh/mynameisbill/+/exec/shell hostname
machb

Notes:

  • the hostname provided (e.g., macha, mynameisbill) is effectively ignored

Redirect to Host by Group

Create rule:

[rule.dept-cell-service]
matchgroups=(?P<dept>dfo|eccc|nrc)
matchhosts=(?P<host>gpsc-service|ppp-service)
newhost=%(dept)s-%(host)s

Test rule (assuming the gpsc-service exists):

$ ruexec +/rssh/macha/+/exec/shell hostname
macha
$ id -g
aafc
$ ruexec +/rssh/gpsc-service/+/exec/shell hostname
gpsc-service
$ id -g
dfo
$ ruexec +/rssh/gpsc-service/+/exec/shell hostname
dfo-gpsc-service
$ id -g
eccc
$ ruexec +/rssh/ppp-service/+/exec/shell hostname
eccc-ppp-service

Notes:

  • only hosts gpsc-service and ppp-service are handled
  • only groups dfo, eccc, and nrc are supported
  • assumes that dfo-gpsc-service, eccc-gpsc-service and nrc-gpsc-service exist
  • when there is no match, the original/provided hostname is used (e.g., macha, gpsc-service for group aafc)
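
The rule evaluation described on this page, as an added Python example (not the service's own code). Assumptions: patterns are applied with an unanchored re.search, rules are tried in file order with the first match winning, and the names load_rules, rewrite_host, PAGE_CONF and ANCHORED_CONF are hypothetical.

```python
import configparser
import re

# Constructed sample: the dept-cell-service rule from this page.
PAGE_CONF = """
[rule.dept-cell-service]
matchgroups=(?P<dept>dfo|eccc|nrc)
matchhosts=(?P<host>gpsc-service|ppp-service)
newhost=%(dept)s-%(host)s
"""
# Constructed variant of the same rule with anchored patterns, for comparison.
ANCHORED_CONF = """
[rule.dept-cell-service]
matchgroups=^(?P<dept>dfo|eccc|nrc)$
matchhosts=^(?P<host>gpsc-service|ppp-service)$
newhost=%(dept)s-%(host)s
"""
# match* option -> request field it is tested against
MATCH_OPTIONS = {"matchgroups": "group", "matchhosts": "host", "matchusers": "user"}

def load_rules(text):
    """Parse [rule.<name>] sections; interpolation is off so %(name)s stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [(s, dict(cp[s])) for s in cp.sections() if s.startswith("rule.")]

def rewrite_host(rules, host, user, group):
    """Return the host to connect to; the provided host when no rule applies."""
    request = {"host": host, "user": user, "group": group}
    for _name, opts in rules:
        captured = {}
        for opt, field in MATCH_OPTIONS.items():
            if opt not in opts:
                continue  # an unset match* option does not constrain the rule
            m = re.search(opts[opt], request[field])  # assumption: unanchored
            if m is None:
                break  # every match* option that is set must match
            captured.update(m.groupdict())
        else:
            try:
                return opts["newhost"] % captured
            except KeyError:
                continue  # newhost is missing or names a group nothing captured
    return host
```

Under the unanchored-search assumption, a constructed group name such as nrc-guests also satisfies the page's matchgroups pattern and is routed to nrc-ppp-service; the anchored variant leaves that request on its original host.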


