# ssh by name through single public IP to jail



## idownes (May 17, 2011)

Hello all,

I'd like to have ssh access to a bunch of jails by using just a user name and going through a *single* public IP. This question has been raised before (see below) but there didn't seem to be any consensus on the best way to do it.

What is the best way to accomplish this?

My current thought is a single sshd running on the host and then using ForceCommand to jexec into the appropriate jail based on the name?

Or, something else? I don't want to use non-standard port numbers and I don't have separate, public IPs for each jail. I'm running 8.2 release.

Does anyone know how nearlyfreespeech.net does their ssh access to jails? e.g. user_name@phx.ssh.nearlyfreespeech.net goes into a jail, populated with your files.

http://forums.freebsd.org/showthread.php?t=14208


----------



## pbd (May 23, 2011)

idownes said:
			
		

> My current thought is a single sshd running on the host and then using ForceCommand to jexec into the appropriate jail based on the name?



I think that can work. Did you try it? Any problem?


----------



## idownes (May 24, 2011)

Yes, the basic idea works just fine. One approach is to match by a group, something like below in /etc/ssh/sshd_config:


```
Match Group jail_users
ForceCommand jailme $USER login -f $USER
```

However, I'm probably going to do it a slightly different way and use a command in the authorized_keys of a shared account. This is how others have approached it, e.g. see gitolite on github, in particular this page:
http://sitaramc.github.com/gitolite/doc/gitolite-and-ssh.html


----------

