Good evening,
I'm currently trying to get my hands a bit deeper into Linux than I'm familiar with.
Let's get straight to my problem:
First, let's talk about my setup.
I have 3 servers, with each having a public IP.
Each server is part of a VLAN.
Server #1 (vlan 10.0.0.2) is not protected by a firewall.
Server #2 (vlan 10.0.0.3) and Server #3 (vlan 10.0.0.4) are completely blocked off from the internet and can only be accessed from the vlan.
Server #2 runs a KeyCloak container. However, this is irrelevant to the problem.
Server #3 should serve as my git server.
Normally I would just create a git user and link the authorized_keys file with the one of my GitLab container. Each public key would be prefixed with a command, which would then pass the connection to the SSH daemon inside the container.
But since Server #3 is not publicly accessible, I need to accept the incoming ssh connection on Server #1.
I created a git user and started to think about how I can overcome this problem.
I thought about two ways I could handle it.
- Allow the git user to be accessed without a password and open a connection to [email protected] (does this work? Does the client ssh-agent work in this case? Could an attacker get out of the internal SSH connection and do stuff on Server #1?)
- Server #3 connects regularly to Server #1 and updates the authorized_keys file (then I would have to write a second script at the command location, which would then open the connection to Server #3. This would be slower, because the user has to wait till Server #3 syncs with Server #1)