Maybe my question is a bit silly, however here is my problem. I'm building an IoT network with different devices. Each device can be accessed through SSH. However, they are all behind my OpenWRT router.
Is there a way to SSH into the public IP, and when OpenWRT checks the request with a specific user, it redirects to the internal IP? In other words, is it possible to port forward 22 according to the user?
ssh john at openwrt_public_ip -> John at 192.168.1.100
ssh michael at openwrt_public_ip -> michael at 192.168.1.101
ssh jessy at openwrt_public_ip -> jessy at 192.168.1.102
My problem is that I have multiple users accessing their devices and I'm having a lot of trouble creating port variations for each device.
John at 192.168.1.100 -p 2221
michael at 192.168.1.101 -p 2222
jessy at 192.168.1.102 -p 2223
One challenge is that the user name is not revealed to intermediate hosts, only to the target host, so "strictly speaking", you can't switch at a router based on the user name.
You potentially could do something with OpenSSH (man ssh_config and look at host matching and things like ProxyJump) and/or binding commands instead of a shell (the user "logs in" to the OpenWrt ssh server, which then runs an ssh command, instead of a shell).
I have used ssh extensively to tunnel and proxy connections in the past; these days I'd just install a VPN server (strongswan, wireguard, openvpn) and use that instead.
Not too many closely related references (and none that I know of that address this directly), as it seems far too fragile and complex a solution to a use case that isn't clear to me.
The challenge is that user names are intended for authentication at the destination host, not for routing along the way. It seems a lot easier to tell john that he should use ssh -p 100 john@example.com to get to "his" device, than it would be to implement some seemingly crazy hack to create two SSH sessions automatically, just to extract a user name.
Putting each destination device on its own VLAN would be an approach (with appropriate firewalling). Even limiting ssh access from the outside doesn’t prevent Target 1 from being used as a jump point to Target 2 without something between the two that restricts access.
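The forced-command approach mentioned in the answer above, as an added example that is not code from the original thread: each user's authorized_keys entry on the router runs this relay script instead of a shell, and the script picks the internal device from the router-side login name (which the router does see, unlike the name meant for the final host). The script name ssh-relay.sh and its --relay flag are assumptions, as is that the router's SSH server honours command= restrictions in authorized_keys and exports SSH_ORIGINAL_COMMAND the way OpenSSH does.

```shell
#!/bin/sh
# ssh-relay.sh (hypothetical name, not part of OpenWrt): forced command for the
# router's SSH server. Each user's authorized_keys line on the router looks like:
#   command="/usr/bin/ssh-relay.sh --relay",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... john
# The user authenticates to the router, so the router knows the login name and
# can use it to choose the device; no shell ever runs on the router for them.
set -eu

# Map a router login name to "user@internal-ip" (addresses from the question).
# Unknown users get no target at all; this mapping is the only policy.
target_for_user() {
    case "$1" in
        john)    echo "john@192.168.1.100" ;;
        michael) echo "michael@192.168.1.101" ;;
        jessy)   echo "jessy@192.168.1.102" ;;
        *)       return 1 ;;
    esac
}

# The relay only opens an interactive session on the user's own device; any
# command the client tried to pass through (SSH_ORIGINAL_COMMAND) is refused.
check_original_command() {
    [ -z "${1:-}" ]
}

relay() {
    user=$(id -un)
    if ! target=$(target_for_user "$user"); then
        echo "no device mapped for user '$user'" >&2
        exit 1
    fi
    if ! check_original_command "${SSH_ORIGINAL_COMMAND:-}"; then
        echo "command execution through the relay is not allowed" >&2
        exit 1
    fi
    # -t keeps a terminal for the interactive session; exec replaces the relay
    # process so the login holds nothing on the router but this ssh client.
    exec ssh -t "$target"
}

# Only relay when invoked by the SSH server as the forced command.
if [ "${1:-}" = "--relay" ]; then
    relay
fi
```

The device-side accounts still authenticate the user normally, so the router only decides where a login is allowed to go, not whether it succeeds.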