
So when you're using a reverse SSH tunnel and you only have one client, it's simple enough to run ssh -R 1999:localhost:22 remote@server and then ssh -p 1999 localhost on the server. But what if you have multiple clients?

Is it possible to create a wildcard subdomain for SSH so that the clients can connect to a unified port, like ssh -R 1999:localhost:22 remote@user1.server and ssh -R 1999:localhost:22 remote@user2.server, and on the server we can access the different clients with ssh -p 1999 user1.server and ssh -p 1999 user2.server?

Andrew.Wolphoe
  • This much older question asks to solve almost the same underlying challenge, though by different means: https://serverfault.com/q/402852/250204 – anx Apr 19 '19 at 16:35

1 Answer


You cannot have multiple destinations proxied through a single IP+port connection, as SSH clients do not indicate which server they wish to speak to. What you suggest is certainly achievable (by assigning new addresses for each name), but with significant administrative overhead.

But it is probably not desirable. If everyone is supposed to connect to the forwarded machines through that server (called a bastion) anyway, you have more options than just plain ports.

E.g., you can place the connections to the forwarded machines in a folder on the server:

ssh -R /minion/user1.example:localhost:22 user1.example@bastion.example
ssh -R /minion/user2.example:localhost:22 user2.example@bastion.example
# or even
ssh -R /minion/$(hostname -f):localhost:22 $(hostname -f)@bastion.example

As every socket is named after the server it is connected to, one config works for all:

Host *.example
  ProxyCommand ssh bastion.example netcat -U /chroot/minion/%h

And the command to use it looks clean & simple:

ssh user@user1.example
ssh user@user2.example

See man 5 ssh_config for an explanation of %h and %n, one of which you likely want to use. Also mind the StreamLocalBindUnlink option, as you do not want the setup to fail if sockets already exist.

anx
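In the socket-per-client layout from the answer above, the socket name is chosen by the connecting client, so on the bastion each socket should be owned by the user it is named after; a socket owned by someone else, a planted symlink or a stale regular file would make netcat -U connect to the wrong thing. The audit below is an added example, not code from the answer or from OpenSSH; it assumes, as the answer's examples do, that every client logs in as a bastion user named like its socket and that the directory is /chroot/minion.

```shell
#!/bin/sh
# Bastion-side audit of the reverse-forward socket directory.
# Assumption (mine, not the answer's): client user1.example@bastion.example
# binds /minion/user1.example, so the socket file must be owned by the
# bastion user "user1.example". A socket owned by another user means a
# different client bound a name that is not theirs and would receive the
# ssh sessions meant for that host (known_hosts checking on the connecting
# side still catches the impersonation, but the admin wants to see it).

# check_socket_entry NAME OWNER KIND   (KIND is socket, symlink or other)
# Prints a finding and returns 1 when the entry is suspicious, 0 if fine.
check_socket_entry() {
    name=$1 owner=$2 kind=$3
    case $kind in
        socket) ;;
        *) printf 'FINDING %s: not a socket (%s)\n' "$name" "$kind"; return 1 ;;
    esac
    if [ "$owner" != "$name" ]; then
        printf 'FINDING %s: owned by %s, expected %s\n' "$name" "$owner" "$name"
        return 1
    fi
    return 0
}

# audit_minion_sockets DIR: run check_socket_entry over every entry in DIR,
# hidden entries included. Returns 1 if any entry produced a finding.
audit_minion_sockets() {
    dir=$1 bad=0
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # glob matched nothing
        name=${path##*/}
        owner=$(ls -ld "$path" | awk '{print $3}')    # portable owner lookup
        if [ -L "$path" ]; then kind=symlink
        elif [ -S "$path" ]; then kind=socket
        else kind=other
        fi
        check_socket_entry "$name" "$owner" "$kind" || bad=1
    done
    return $bad
}

# Usage on the bastion (directory taken from the answer's ProxyCommand):
# audit_minion_sockets /chroot/minion
```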