I'm trying to mux between two ssh servers based on incoming username i.e.

ssh user1@testserver will go to one sshd instance and user2@testserver goes to another.

Can this be done?

  • Just have everything go to one server, then setup a ForceCommand to connect to the other server? – Zoredache Jan 23 '14 at 06:15
  • ***WHY*** do you want to do this -- What actual, practical, real-world problem are you trying to solve? There is almost certainly a better solution than what you're suggesting. – voretaq7 Jan 24 '14 at 18:03
  • @voretaq7 - the question is old, but I've been looking for the same. Not all is a better solution. A user-based proxy is a good idea when you want to limit user access. Mostly, the configuration for limitations is hard to jail a user. – Adrian Preuss Aug 02 '17 at 04:51

3 Answers


I think you can do this with ForceCommand, like:

ForceCommand proxyscript

in /etc/sshd/sshd_config. Here proxyscript would be a custom script that would ssh to whatever the next server should be, depending on which user is running it. The script would have enough information to do that because according to the man page for sshd_config, it will run under the user's login shell, so for example $USER will be available.

If you only have a small, fixed set of users who you want to do this for, then you can configure it all in sshd_config with for example

Match User user1
ForceCommand ssh user1@host1

Match User user2
ForceCommand ssh user2@host2

But I don't know if this would correctly hook up the standard out/in of the incoming connection to standard in/out of the new ssh command.

Andrew Schulman
  • Try `ForceCommand ssh -t user@host` ... see also AskUbuntu's [How can I redirect SSH users to another SSH login?](https://askubuntu.com/questions/649729/how-can-i-redirect-ssh-users-to-another-ssh-login) question. – Adam Katz Jul 22 '15 at 23:16
  • Is it possible to use this technique to proxy a git connection? I'm trying, but I don't know what to do with the public key. – Fabio Montefuscolo Jun 15 '16 at 13:32
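One way to write the `proxyscript` this answer describes, as an added example that is not the answerer's code. It assumes the next-hop targets `user1@host1` and `user2@host2`, the install path `/usr/local/bin/proxyscript`, and a `run` argument on the ForceCommand line; all three are placeholders. It looks the login name up in a fixed table rather than interpolating it into a command, uses `-t` for interactive sessions (as the comment above suggests), and passes `SSH_ORIGINAL_COMMAND` through so non-interactive clients such as git or scp keep working through the hop.

```shell
#!/bin/sh
# Added example (not from the original answer): a ForceCommand "proxyscript"
# that picks the next-hop server from the login name and execs ssh to it.
# host1/host2 and the install path are placeholders. Install with
#   ForceCommand /usr/local/bin/proxyscript run
# in sshd_config; the "run" argument keeps the file side-effect free when it is
# sourced, so the user-to-host mapping can be checked without an ssh session.

# Map a login name to "user@host" for the next hop. A fixed case table means an
# unexpected login name can never become part of the ssh command line; names
# not in the table are rejected (return status 1).
target_for_user() {
    case "$1" in
        user1) echo "user1@host1" ;;
        user2) echo "user2@host2" ;;
        *)     return 1 ;;
    esac
}

# Run the hop. Interactive sessions get -t so the next server allocates a tty;
# a forwarded command (SSH_ORIGINAL_COMMAND, set by sshd for git, scp, etc.)
# is passed through instead, without a tty.
proxy_main() {
    login=$(id -un)   # the account sshd authenticated, asked from the system
    target=$(target_for_user "$login") || {
        echo "proxyscript: no next hop configured for '$login'" >&2
        exit 1
    }
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec ssh "$target" "$SSH_ORIGINAL_COMMAND"
    fi
    exec ssh -t "$target"
}

case "${1:-}" in
    run) proxy_main ;;
esac
```

Because `exec` replaces the script with the `ssh` client, the incoming session's stdin and stdout are the client's stdin and stdout, which answers the doubt at the end of the answer; the same holds for the `Match User` variant, since ForceCommand runs the command with the session's file descriptors attached.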

This is quite nontrivial to do transparently (maybe tweak an SSH honeypot program to auto-login and then use ForceCommand to handle the proxy? sounds messy), but you could set up a proxy and instruct your users on how to use it easily enough.

This concept is called an SSH bastion host. No special software is needed on the proxy (the bastion). The only software the end users need access to is netcat (nc), so you could create a rather bare-bones jail for them if you wanted.

Each OS X / Linux / BSD / UNIX user would have an entry in their ~/.ssh/config file (on their local clients, not the bastion) that looks like this:

  ProxyCommand ssh BASTION nc -w 600 USER1_SERVER 22

Each user's config would only differ in the target server (e.g. USER1_SERVER), which is connected to on the local network by the bastion. (If user names differ, consider ProxyCommand ssh BASTION_USERNAME@BASTION nc -w 600 USER1_SERVER_USERNAME@USER1_SERVER 22.)

That's actually all there is to it. Now USER1 can run ssh MYSERVER. If not using SSH keys, USER1 will be prompted for a password to BASTION, then a password to the internal system USER1_SERVER. If using SSH keys, and USER1's public key is installed in both BASTION and USER1_SERVER, login will be automatic.

Windows users can do this through PuTTY by using plink (a part of PuTTY). Here is a guide.

If you want to tightly restrict the user on the bastion, you can do this:

Match User user1
  ForceCommand nc -w 600 USER1_SERVER 22

... though this does prevent user1 from managing their authorized_keys file on the bastion.

Adam Katz
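The two halves of the bastion setup side by side, as an added example that is not the answerer's configuration. `BASTION`, `USER1_SERVER` and `MYSERVER` are the placeholders used in the answer; the client entry carries the internal user name in a `User` line, and the bastion-side `Match` block adds the restrictions the relay does not need, so the account on the bastion can do nothing but relay.

```text
# Added example (not from the original answer). BASTION, USER1_SERVER and
# MYSERVER are placeholders.

# --- on each user's client: ~/.ssh/config ---
Host MYSERVER
    HostName USER1_SERVER
    User user1
    # Hop through the bastion; nc relays the raw TCP stream to the internal
    # host, so the session stays encrypted end to end and the client verifies
    # USER1_SERVER's host key itself.
    ProxyCommand ssh user1@BASTION nc -w 600 USER1_SERVER 22

# --- on the bastion: /etc/ssh/sshd_config ---
Match User user1
    # Only the relay may run, whatever command the client asks for.
    ForceCommand nc -w 600 USER1_SERVER 22
    # The relay needs neither a tty nor any forwarding; closing them limits
    # this account to the single relay.
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Changes to `sshd_config` only take effect after `sshd` is reloaded; test a new `Match` block from a second session before closing the one you are editing from, and check the result with `ssh -G MYSERVER` on the client and `sshd -T -C user=user1` on the bastion, which print the effective settings for that host and user.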

No. Everything in an ssh session is encrypted. How do you propose the proxy would be able to snoop on the username?

  • I was hoping the sshd instance could serve as the proxy! – Amaterasu Jan 23 '14 at 04:16
  • The proxy would have to admit the user locally and then proxy the connection to the internal system. **This is quite feasible** (see the other answers)! Alternatively, port forwarding (assuming consistent IP ranges unique to each proxied user) can do it without local access. – Adam Katz Jul 22 '15 at 23:46