Forwarding incoming ssh connections to virtual machine based on LDAP group

My Question is as follows:

How can I forward all incoming SSH (Port 22) traffic (except one account) to a VM which is running on this server?

The Server is based on Proxmox VE 3.1
The VM is Debian 7 with group-based LDAP-auth

Goal is, to forward members of the LDAP-group “login” to the VM, while special accounts (e.g. administrator) log in on the physical machine (so they don’t get forwarded). The User should ideally not “know” about the physical machine, that means without the use of special ports. The server should be able to decide if a user logs in on the physical or the VM.

Is that possible?

Best Regards 😉


To be more specific: The user should not have a /home/ dir on the host machine. A legitimate user should be redirected directly to the Login-VM, without logging in first on the VM-Host.

The proposed solution via ssh’s ForceCommand works, but (if don’t want to allow the connection everytime because of no known_hosts file) needs to have a home dir on the VM-Host. I hope that clears things up.


I think that setting ForceCommand in sshd_config, combined with either Match User or a proxy script to route connections, is what you want. See the answer at Username based SSH proxy.

Source : Link , Question Author : Mat Fluor , Answer Author : Community

Leave a Comment