SSH/SFTP Connection Forwarding
    SSH/SFTP Connection Forwarding  
intercom5


02-20-05 11:20 PM

I was wondering if anyone knew how to set up sftp connection forwarding.
What I mean by this is that a user tries to connect via sftp to a
remote server, say login.domain.com.  I want this server (the login
server) to then redirect the client to another server based on which
client it is.

For example, user1's files are on server1.domain.com and user2's files
are on server2.domain.com.  But if either of them connects to
login.domain.com, they will be forwarded to their correct server
(server1 for user1 and server2 for user2).

I know something like this is possible, because my university did it -
I just have no idea where to start.

Any help would be greatly appreciated.
--Sachin









    Re: SSH/SFTP Connection Forwarding  
Andrew


02-22-05 10:53 PM

intercom5 wrote:
> I was wondering if anyone knew how to set up sftp connection forwarding.
> What I mean by this is that a user tries to connect via sftp to a
> remote server, say login.domain.com.  I want this server (the login
> server) to then redirect the client to another server based on which
> client it is.
>
> For example, user1's files are on server1.domain.com and user2's files
> are on server2.domain.com.  But if either of them connects to
> login.domain.com, they will be forwarded to their correct server
> (server1 for user1 and server2 for user2).

If user1 and user2 are connecting from known unique IP addresses, one
option would be to use address translation on an intermediate router or
firewall system. Destination traffic for port 22 could be translated
based on source address. This would certainly be possible using iptables
on Linux, or a Cisco router. Here's a drawing of what I'm talking about:

user 1                                       server 1
192.168.1.3 -------|                    |----192.168.2.98
                   |                    |
                   |----Cisco router----|
user 2             |        (NAT)       |    server 2
192.168.1.4 -------|                    |----192.168.2.99


The Cisco router (or Linux box) would sit between the clients and
servers, doing the address translation. Give login.domain.com an IP
address of, say, 192.168.2.97 (which is not associated with any
interface). The router has NAT rules which act as follows:

1. Packets from 192.168.1.3 to 192.168.2.97 port 22, translate
destination address to 192.168.2.98

2. Packets from 192.168.1.4 to 192.168.2.97 port 22, translate
destination address to 192.168.2.99

Obviously, this can be scaled up to a number of clients and servers as
required. Note, however, that if the IP addresses of user1 and user2 are
not known in advance, or are not static, it will be difficult to write
effective NAT rules.

andrew@lod.com
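The Linux variant of Andrew's NAT rules, written out as an added example (this is not code from Andrew's post; the addresses are his, the map file name and the rule generator are assumed). Each mapped client gets one PREROUTING DNAT rule for TCP/22 to the 192.168.2.97 virtual address; port-22 traffic that still carries the virtual address after NAT, i.e. from any client not in the map, is dropped in FORWARD rather than wandering off to an address nobody owns. Two things to keep in mind on the SSH side: the backends' replies have to come back through this box so conntrack can undo the translation (true in the drawing, since the router is the only path), and the client will see server1's host key while it believes it is talking to login.domain.com, so changing a user's mapping later produces a host-key-changed warning on that client.

```shell
#!/bin/sh
# Constructed example: source-based DNAT of SSH/SFTP on a Linux router standing in
# for the Cisco box in the drawing. Not Andrew's code; the addresses are from his post.
set -eu

VIP="192.168.2.97"   # login.domain.com: the router answers for it, no host owns it

# Constructed client -> backend map, one "client backend" pair per line.
# In practice keep this in a root-owned file (/etc/ssh-nat.map is an assumed name).
NAT_MAP="192.168.1.3 192.168.2.98
192.168.1.4 192.168.2.99"

# Rule for one client: TCP/22 from the client to the VIP is rewritten to the backend.
# conntrack un-translates the replies, so the backend must route back through this box.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -p tcp --dport 22 -j DNAT --to-destination %s\n' \
        "$1" "$VIP" "$2"
}

# Full rule set: enable forwarding, one DNAT per mapped client, then drop port-22
# traffic that still has the VIP as destination (only unmapped clients get that far).
generate_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf '%s\n' "$NAT_MAP" | while read -r src dst; do
        dnat_rule "$src" "$dst"
    done
    printf 'iptables -A FORWARD -d %s -p tcp --dport 22 -j DROP\n' "$VIP"
}

# Dry run by default; "--apply" executes the generated commands (root on the router).
case "${1:-}" in
    --apply) generate_rules | sh -e ;;
    *)       generate_rules ;;
esac
```

Run it without arguments to review the rules, with `--apply` to load them. The drop rule is what turns "not in the map" into a refused connection instead of an undefined one, which is the behaviour you want to see in the router's logs when somebody probes login.domain.com from an address that was never registered.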








    Re: SSH/SFTP Connection Forwarding  
Pat Welch


02-24-05 01:47 AM



intercom5 wrote:

> I was wondering if anyone knew how to set up sftp connection forwarding.
> What I mean by this is that a user tries to connect via sftp to a
> remote server, say login.domain.com.  I want this server (the login
> server) to then redirect the client to another server based on which
> client it is.
>
> For example, user1's files are on server1.domain.com and user2's files
> are on server2.domain.com.  But if either of them connects to
> login.domain.com, they will be forwarded to their correct server
> (server1 for user1 and server2 for user2).
>
> I know something like this is possible, because my university did it -
> I just have no idea where to start.
>
> Any help would be greatly appreciated.
> --Sachin
>

One way we deal with non-fixed incoming IP addresses is to set up a Linux
box as an, in effect, SSH redirector with the logins on this server
governing which server it ultimately goes to.

I.e. login name billx: in the .profile he would be passed on to serverx
and the intermediate system would just drop to the background and
passively move SSH packets back and forth.

You can add any additional options needed, like perhaps allowing him to
choose which server out of a specific list he can move on to, additional
security questions etc. etc.

Make the Linux box fast and with tons of memory and the end user
wouldn't even notice the additional overhead even with relatively high
user counts.

--
----------------------------------------------------
Pat Welch, UBB Computer Services, a WCS Affiliate
SCO Authorized Partner
Unix/Linux/Windows/Hardware Sales/Support
(209) 745-1401 Cell: (209) 251-9120
E-mail: patubb@inreach.com
----------------------------------------------------
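An added example of the per-login redirector Pat describes (not Pat's code; the script name, the map and the known_hosts path are assumed). It is done as an sshd ForceCommand rather than in .profile, because an sftp client sends a subsystem request and the resulting `sftp-server` process never reads .profile, so a .profile-based redirector only catches interactive ssh. With ForceCommand, sshd puts what the client originally asked for in SSH_ORIGINAL_COMMAND: empty for a shell, the configured sftp command (`/usr/lib/openssh/sftp-server` or `internal-sftp`) for an sftp session. The relay accepts exactly those two cases and refuses everything else, so the login box does not turn into a general command proxy for the backends. The relay account on the login box authenticates to the backend with its own key (BatchMode, so nothing ever prompts) and checks the backend's host key against a pre-populated file, which is the check that protects the relay from being pointed at an impostor server.

```shell
#!/bin/sh
# Constructed example of the redirector Pat describes, run as an sshd ForceCommand on
# the login box. Not Pat's code; script name, map and file paths are assumptions.
set -eu

# Constructed login -> backend map. The login names only need to exist on the login box.
backend_for() {
    case "$1" in
        user1) printf 'server1.domain.com\n' ;;
        user2) printf 'server2.domain.com\n' ;;
        billx) printf 'serverx.domain.com\n' ;;
        *)     return 1 ;;
    esac
}

# Build the ssh command that relays the session to the backend.
# $3 is SSH_ORIGINAL_COMMAND: empty for an interactive shell request, the configured
# sftp-server command for an sftp subsystem request. Anything else is refused.
relay_command() {
    user="$1"; backend="$2"; original="${3:-}"
    # BatchMode: key auth only, never a prompt. Strict host-key check against a file
    # the admin maintains, so the relay cannot be steered to an unknown backend.
    opts="-o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ssh/relay_known_hosts"
    case "$original" in
        "")     printf 'ssh %s %s@%s\n' "$opts" "$user" "$backend" ;;
        *sftp*) printf 'ssh %s -s %s@%s sftp\n' "$opts" "$user" "$backend" ;;
        *)      return 1 ;;
    esac
}

main() {
    user="$(id -un)"
    backend="$(backend_for "$user")" || { echo "no backend for $user" >&2; exit 1; }
    cmd="$(relay_command "$user" "$backend" "${SSH_ORIGINAL_COMMAND:-}")" \
        || { echo "refused: ${SSH_ORIGINAL_COMMAND:-}" >&2; exit 1; }
    # Every relayed session leaves a syslog line: who went where, shell or sftp.
    logger -t sftp-relay "$user -> $backend (${SSH_ORIGINAL_COMMAND:-shell})"
    # Word-splitting is intended: $cmd holds only words this script constructed.
    exec $cmd
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Wire it in on the login box with a `Match` block in sshd_config, for example `Match Group relayed` followed by `ForceCommand /usr/local/sbin/sftp-relay --run`, and put the relayed logins in that group. Because the forced command replaces whatever shell the user has, the login box itself exposes nothing to them beyond the relay; the per-user key in their home directory on the login box authenticates them only as themselves on their own backend.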




