Hi Oscar,

This is not ansible specific but I believe that you can achieve what you
want using SSH connection sharing and proxies.

I haven't tested this exact scenario but use something quite similar with
key authentication via a jump-server. In short:
1) in your inventory configure your destination host to be proxied via the
jump server.
2) in your ssh_config, configure connection sharing for the jump server so
it will re-use an existing connection
3) connect to the jump server using ssh, login with your password
4) run ansible, it will use the shared connection to the jump server

**1) in your inventory configure your destination host to be proxied via
the jump server.**

In your inventory for your destination host(s) (or group) set
ansible_ssh_common_args [1] to set ProxyCommand [2]. e.g.

ansible_ssh_common_args="-o ProxyCommand='ssh -W %h:%p jump-server'"

This means that when ansible makes an SSH connection to your destination
host it will add this into the SSH command line, instructing ssh to first
connect to your jump-server and send the traffic via the jump-server.

I believe you can also set the password for your destination server in the
inventory by setting ansible_ssh_pass e.g.

ansible_ssh_pass=myPassword

Note the warning from [1] that you really should use vaults for storing the
password.

**2) in your ssh_config, configure connection sharing for the jump server
so it will re-use an existing connection**

In your ~/.ssh/config file add the following host block for your
jump-server to enable connection reuse

Host jump-server
    ControlMaster auto
    ControlPath ~/.ssh/ssh_mux_%h_%p_%r

See [3] for more details on this, but basically it means that SSH will only
make one connection to the jump server and multiplex all your ssh
connections down this one physical connection without requiring
re-authentication.

**3) connect to the jump server using ssh, login with your password**

From a terminal, ssh directly to the jump server and login with your
username & password. Run a command like top just so the connection remains
active:

# -t allocates a terminal on the jump server, which top needs in order to run
ssh -t jump-server top

This is just to establish the shared connection so you can authenticate
interactively. Keeping this connection open means that ansible does not
have to authenticate when connecting via the jump server.

**4) run ansible, it will use the shared connection to the jump server**

Run ansible as normal, whenever it goes to connect to your destination
server, SSH will actually proxy via the jump-server using the shared
connection.


[1]: http://docs.ansible.com/ansible/latest/intro_inventory.html#list-of-behavioral-inventory-parameters
[2]: https://en.m.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Jump_Hosts_--_Passing_Through_a_Gateway_or_Two
[3]: https://en.m.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing

On Sat, 25 Nov 2017 at 7:03 AM, Oscar Segarra <oscar.sega...@gmail.com>
wrote:

> Hi,
>
> I have opened a topic in the ansible project group in order to see if it
> is possible to get my objective using ansible.
>
> The diagram is the following:
>
> MyComputer (executes ansible) --> SSH user1/password1 connection (not
> passwordless key) --> Jump Server --> SSH user2/password2 connection (not
> passwordless key) --> Destination host.
>
> For me it is mandatory that all connections be established with
> username/password because what I'm trying to do is automatize the ssh-key
> sharing between all hosts and to perform that, I need to send the keys
> (using the copy module).
>
> Is there any way/trick to execute ssh on a second machine after a jump
> server and copy/retrieve files from there?
>
> Is it a use case you have considered?
>
> Thanks a lot.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Development" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-devel+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
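
Steps 3 and 4 of the reply above, wrapped as shell functions; this is an added example, not part of the original message. It refuses to open the shared connection unless the directory holding the control socket is private, and closes the master when the run ends. The function names, `inventory` and `site.yml` are assumptions.

```sh
#!/bin/sh
# Added example, not from the original message. "jump-server" and the
# ControlPath under ~/.ssh come from the message; the function names,
# "inventory" and "site.yml" are assumptions.

# The control socket is an already-authenticated channel to the jump server:
# a local process that can open it gets sessions without a password prompt.
# So the directory holding it must be owned by us and closed to group/other.
private_dir() {
    [ -d "$1" ] || return 1
    ls -ldn "$1" | awk -v uid="$(id -u)" \
        '{ ok = (substr($1, 5, 6) == "------" && $3 == uid) } END { exit !ok }'
}

# Step 3: reuse a live master if one exists, otherwise open one in the
# background (-f) with no remote command (-N). ssh still prompts for the
# jump-server password on the terminal before it detaches.
mux_open() {
    private_dir "$HOME/.ssh" || {
        echo "refusing: $HOME/.ssh must be mode 700 and owned by you" >&2
        return 1
    }
    ssh -O check jump-server 2>/dev/null || ssh -fNM jump-server
}

# Close the master so no authenticated socket outlives the run.
mux_close() {
    ssh -O exit jump-server
}

# Step 4: run the play over the shared connection, then always tear it down.
run_play() {
    mux_open || return 1
    ansible-playbook -i inventory site.yml
    rc=$?
    mux_close
    return "$rc"
}

# Usage: source this file, then call run_play from an interactive terminal.
```
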
