I have a default lxd 5.0.0 setup with a separate zfs partition and Ubuntu 22.04 server and container, and I can ssh into the container.
Auth.log in the container contains messages like:
Aug 19 10:38:52 ub sshd[199]: Invalid user git from 10.16.234.131 port 47864
Aug 19 10:38:52 ub sshd[199]: Received disconnect from 10.16.234.131 port 47864:11: Bye Bye [preauth]
Aug 19 10:38:52 ub sshd[199]: Disconnected from invalid user git 10.16.234.131 port 47864 [preauth]
Aug 19 11:18:09 ub sshd[252]: Invalid user webmaster from 10.16.234.131 port 47874
Aug 19 11:18:10 ub sshd[252]: Received disconnect from 10.16.234.131 port 47874:11: Bye Bye [preauth]
Aug 19 11:18:10 ub sshd[252]: Disconnected from invalid user webmaster 10.16.234.131 port 47874 [preauth]
Aug 19 11:22:22 ub sshd[257]: Invalid user oracle from 10.16.234.131 port 47878
Aug 19 11:22:22 ub sshd[257]: Received disconnect from 10.16.234.131 port 47878:11: Bye Bye [preauth]
Aug 19 11:22:22 ub sshd[257]: Disconnected from invalid user oracle 10.16.234.131 port 47878
I don’t understand the IP in those messages: it is always 10.16.234.131, the IP of the container.
Same thing with pinky in the container:
root@ub ~ pinky
Login    Name    TTY     Idle   When              Where
root     root    *pts/1         2022-08-19 11:01  10.16.234.131
In both cases I expected the ip of the connecting user (like on the host), not the ip of the container.
Right, that makes sense then: you’re using a proxy device to proxy inbound SSH connections to your container.
A LXD proxy device (Instance configuration - LXD documentation) works by accepting the inbound connection, and then switching into the instance’s network namespace and opening a new connection to the connect address. Because it is a new connection originating from inside the instance, its source address is that of the instance itself.
If you can use static DHCP reservations for your instance using: lxc config device set <instance> eth0 ipv4.address=n.n.n.n, then you would be able to switch the proxy device into nat=true mode.
This would also require that you define the listen address explicitly, and cannot use 0.0.0.0.
But if those caveats are acceptable then using nat=true mode will retain the original client IP for the inbound connection.
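The steps in the reply above, written out as a script. This is an added example, not code from the thread or from LXD itself: it assumes the instance is named ub with its NIC device called eth0 (as in the post), a constructed host listen address 192.0.2.10 on a hypothetical port 2222, a hypothetical proxy device name ssh-proxy, and that setting LXC=echo prints the lxc commands instead of running them. The preflight check enforces the two caveats from the reply (explicit listen address, static instance IP); treating the IPv6 wildcard [::] the same way as 0.0.0.0 is my assumption. The awk helper at the end is a diagnostic for the symptom in the question: it counts sshd lines whose source address is the container's own IP, which is what a proxy device without nat=true produces. The sample log is constructed (three lines from the post plus one made-up line from a different source).

```shell
#!/bin/sh
# Added example: put a LXD proxy device into nat=true mode so the container's
# sshd logs the real client address. Not code from the thread or from LXD.
# Hypothetical names: instance "ub", NIC device "eth0", proxy device "ssh-proxy",
# host listen address 192.0.2.10 (TEST-NET-1, constructed), host port 2222.
LXC="${LXC:-lxc}"   # set LXC=echo for a dry run that only prints the commands

# Preflight for the two caveats in the reply: nat=true cannot listen on a
# wildcard address, and it needs a static ipv4.address on the instance NIC.
# (Treating the IPv6 wildcard [::] like 0.0.0.0 is an assumption.)
check_nat_proxy() {
    listen="$1"; static_ip="$2"
    case "$listen" in
        tcp:0.0.0.0:*|udp:0.0.0.0:*|tcp:\[::\]:*|udp:\[::\]:*)
            echo "nat=true needs an explicit listen address, got: $listen" >&2
            return 1 ;;
    esac
    if [ -z "$static_ip" ]; then
        echo "nat=true needs a static ipv4.address on the instance NIC" >&2
        return 1
    fi
    return 0
}

# Pin the instance's address, then (re)create the proxy device in NAT mode.
# $1 instance, $2 static instance IP, $3 listen spec, $4 port inside the instance.
setup_nat_proxy() {
    instance="$1"; static_ip="$2"; listen="$3"; port="$4"
    check_nat_proxy "$listen" "$static_ip" || return 1
    $LXC config device set "$instance" eth0 ipv4.address="$static_ip"
    # drop an existing (non-NAT) device of the same name; ignore "not found"
    $LXC config device remove "$instance" ssh-proxy 2>/dev/null || true
    $LXC config device add "$instance" ssh-proxy proxy \
        listen="$listen" connect="tcp:${static_ip}:${port}" nat=true
}

# Diagnostic: count sshd lines on stdin whose "from <addr> port" source is the
# instance's own address ($1). Every client showing up as the container itself
# is the signature of a proxy device running without nat=true.
count_self_sourced() {
    awk -v self="$1" '
        /sshd\[[0-9]+\]:/ && match($0, / from [0-9.]+ port /) {
            src = substr($0, RSTART + 6, RLENGTH - 12)   # strip " from " and " port "
            if (src == self) n++
        }
        END { print n + 0 }'
}

# Constructed sample: three lines from the post plus one from another source.
SAMPLE_LOG='Aug 19 10:38:52 ub sshd[199]: Invalid user git from 10.16.234.131 port 47864
Aug 19 10:38:52 ub sshd[199]: Received disconnect from 10.16.234.131 port 47864:11: Bye Bye [preauth]
Aug 19 10:38:52 ub sshd[199]: Disconnected from invalid user git 10.16.234.131 port 47864 [preauth]
Aug 19 11:30:00 ub sshd[301]: Invalid user admin from 192.0.2.55 port 50000'

# Stand-alone usage: report the symptom, then print the dry-run command plan.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    n=$(printf '%s\n' "$SAMPLE_LOG" | count_self_sourced 10.16.234.131)
    echo "sshd lines sourced from the container's own IP: $n"
    LXC=echo setup_nat_proxy ub 10.16.234.131 tcp:192.0.2.10:2222 22
fi
```

The diagnostic is worth running against the real /var/log/auth.log before changing anything: if every "from" address is the container's own IP, the proxy device is the cause and any per-source protection in the container (fail2ban, MaxStartups-style rate limiting) is currently blind to the actual client. One caveat that applies in a default setup: lxc config device set only edits a device that is local to the instance, so if eth0 comes from the default profile, lxc config device override ub eth0 ipv4.address=10.16.234.131 is the command that copies it into the instance first.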