
I want to make available a pool of dev machines to a pool of developers, where each developer should only access their own dev machine. Dev machines are on a private network, behind a NAT, whereas developers are on the DMZ.

I'd want to implement a solution in which:

  • users connect via ssh (X forwarding included) to the NAT public interface, which in turn forwards the request to an Access Control machine (basically a proxy);
  • the AC machine forwards the connection to the right dev machine, depending on a configurable policy.

Clearly, users should neither know the target machine name or IP nor be able to guess the network structure. They should only initiate an SSH connection without any client-side special configuration (this prevents the use of ProxyCommand).

How can I implement such a solution?

Jules
  • Multi-hop SSH is one way to do this. For example: http://unix.stackexchange.com/questions/108085/run-x-clients-over-multi-hop-ssh-tunnel – Brian Oct 14 '14 at 17:42
  • I'm pretty sure it is impossible to satisfy all of your requests. But if you leave out some of the requirements, then there are some possibilities: http://serverfault.com/a/610971/214507 http://serverfault.com/a/608526/214507 – kasperd Oct 14 '14 at 18:34
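An added example, not from the question or from the linked answers, of how the Access Control machine could enforce the per-user policy: sshd on the AC host forces every developer login through a wrapper that looks the authenticated user up in a policy file and execs a second ssh, with -X, to that user's dev machine only, so the developer never learns or chooses the target. The sshd_config directives shown in the comments, the policy file format and all paths and hostnames are assumptions.

```shell
#!/bin/sh
# ssh-gateway: policy-driven forwarder run on the Access Control (AC) host.
# Assumed sshd_config on the AC host (hypothetical, not from the question):
#   Match Group devusers
#       ForceCommand /usr/local/bin/ssh-gateway
#       X11Forwarding yes
#       AllowTcpForwarding no
# Assumed policy file format (constructed): "<username> <devhost>" per line, '#' comments.

POLICY="${SSH_GATEWAY_POLICY:-/etc/ssh-gateway/policy}"

# Map an authenticated username to the single dev host it may reach.
# Prints the host; returns 1 and prints nothing if there is no entry (deny by default).
resolve_dev_host() {
    user="$1"
    policy="$2"
    # Only plain identifiers ever reach the inner ssh command line.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    host=$(awk -v u="$user" '$1 !~ /^#/ && $1 == u { print $2; exit }' "$policy")
    [ -n "$host" ] || return 1
    printf '%s\n' "$host"
}

# Writes a small constructed policy file and prints its path (used for testing).
write_sample_policy() {
    f=$(mktemp "${TMPDIR:-/tmp}/gw-policy.XXXXXX")
    printf '# user  devhost\nalice dev01.internal\nbob dev02.internal\n' >"$f"
    printf '%s\n' "$f"
}

# Entry point under ForceCommand: the developer sees only a shell on their dev machine.
gateway_main() {
    client="${SSH_CLIENT%% *}"
    if target=$(resolve_dev_host "$USER" "$POLICY"); then
        logger -t ssh-gateway "allow user=$USER target=$target from=$client"
        # -X relays the X11 display sshd created for this session; -tt keeps a terminal.
        exec ssh -X -tt "$USER@$target"
    fi
    logger -t ssh-gateway "deny user=$USER from=$client"
    echo "access denied" >&2
    exit 1
}

# Only act as the gateway inside a real sshd session; otherwise just define functions.
if [ -n "${SSH_CONNECTION:-}" ] && [ "$(basename "$0")" = "ssh-gateway" ]; then
    gateway_main
fi
```

The inner ssh authenticates the developer to the dev machine a second time (password prompt or a key held on the AC host), and the AC host's known_hosts must already contain the dev machines' host keys.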

1 Answer


I've answered this before. See here:

http://serverfault.com/questions/516799/proxy-ssh-to-hide-endpoints/516800
mc0e