Michael,

You are SO RIGHT!
Now the tunneling works after your clue!
I completely missed this "*remote*".

On Monday, April 9, 2018 at 1:48:50 PM UTC, Michael Spiegle wrote:
>
> I think this is because the SSH command always expects a hostname even if 
> there isn't a hostname to use.  In your ssh -vvv debug output, you can see 
> that every single option is inside of [optional] brackets EXCEPT for the 
> hostname.  SSH won't actually use this hostname for anything, it just wants 
> some dumb string in that field.  In my config, I use the string "remote" like
> the following.  Note that the host "remote" doesn't exist and you'd probably
> receive an error under normal circumstances:
>
> Host *.someserverbehindjumpbox.com
>  ControlMaster no
>  ProxyCommand ssh -S ~/.ssh/master-*@jumpboxserver:%p -W %h:%p remote
>
>
> On Mon, Apr 9, 2018 at 3:30 AM, Benny Kusman <benny....@gmail.com> wrote:
>
>> This is the -vvv output:
>>
>> [root@WW-GVXQLC2 ansible]# ssh -F ssh.config bkusman@serverbehindjumpbox 
>> -p 670 -vvv
>> OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
>> debug1: Reading configuration data ssh.config
>> debug1: ssh.config line 28: Applying options for *
>> debug1: Executing proxy command: exec ssh -S ~/.ssh/master-*@jumpboxserver:670 -W  serverbehindjumpbox:670
>> debug1: permanently_set_uid: 0/0
>> debug1: permanently_drop_suid: 0
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /root/.ssh/id_rsa type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /root/.ssh/id_rsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /root/.ssh/id_dsa type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /root/.ssh/id_dsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /root/.ssh/id_ecdsa type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /root/.ssh/id_ed25519 type -1
>> debug1: key_load_public: No such file or directory
>> debug1: identity file /root/.ssh/id_ed25519-cert type -1
>> debug1: Enabling compatibility mode for protocol 2.0
>> debug1: Local version string SSH-2.0-OpenSSH_7.4
>> usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
>>            [-D [bind_address:]port] [-E log_file] [-e escape_char]
>>            [-F configfile] [-I pkcs11] [-i identity_file]
>>            [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]
>>            [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
>>            [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
>>            [user@]hostname [command]
>> ssh_exchange_identification: Connection closed by remote host
>>
>>
>> On Monday, April 9, 2018 at 7:18:32 AM UTC, Benny Kusman wrote:
>>>
>>> Hi
>>>
>>> ssh -F ssh.config -fN user@some_jumpbox  --> I'm able to establish this
>>> and send it back to the background
>>> ssh -F ssh.config user@someserverbehindjumpbox --> does not work. The
>>> message is: ssh_exchange_identification: Connection closed by remote
>>> host
>>>
>>> The "hosts" I'm referring to are in the ssh.config. This is my ssh.config
>>>
>>> ==============================================
>>> #jumpboxes first (most specific hosts first)
>>> Host jumpboxserver
>>>  ControlMaster yes
>>>  ControlPath ~/.ssh/master-%r@jumpboxserver:%p
>>>  StrictHostkeyChecking no
>>>  ProxyCommand none
>>>  ControlPersist 10m
>>>
>>>
>>>
>>> # groups of machines that can be accessed by the above jumpboxes
>>>
>>>  
>>> Host *.someserverbehindjumpbox.com
>>>  ControlMaster no
>>>  ProxyCommand ssh -S ~/.ssh/master-*@jumpboxserver:%p -W  %h:%p
>>>
>>> # this makes ansible faster by reusing connections
>>> Host *
>>>  ControlMaster auto
>>>  ControlPersist 300s
>>>  ControlPath ~/.ssh/ansible-%r@%h:%p
>>> ==============================================
>>>
>>>
>>>
>>> On Thu, Apr 5, 2018 at 12:46 PM, Michael Spiegle <mspi...@nauticaltech.com> wrote:
>>>
>>>> By "hosts" file, do you mean /etc/hosts or the hosts in ssh.config?  
>>>> Also, if you just run SSH by hand to login to a remote host, what happens?
>>>>
>>>> Ex:
>>>> $ ssh -F ssh.config -fN user@some_jumpbox
>>>> $ ssh -F ssh.config user@some_server_behind_jumpbox
>>>>
>>>>
>>>> On Thursday, April 5, 2018 at 6:20:14 AM UTC-4, Benny Kusman wrote:
>>>>>
>>>>> This is a great step.
>>>>> I'm able to establish the tunneling with the jumphost.
>>>>> But I was wondering, what did you put in the hosts file?
>>>>> I'm still not able to reach the server.
>>>>>
>>>>> On Monday, February 16, 2015 at 12:11:58 AM UTC, Michael Spiegle wrote:
>>>>>>
>>>>>> As an additional datapoint, here's a brief summary of how I deal with
>>>>>> this.  To complicate matters, my machines are split across various labs
>>>>>> in different locations which each have their own bastion/jumpbox.  I use
>>>>>> ssh keys sometimes, and hard coded passwords for some other machines:
>>>>>>
>>>>>> ansible.cfg:
>>>>>> [defaults]
>>>>>> hostfile = hosts 
>>>>>> error_on_undefined_vars = True 
>>>>>> host_key_checking = False 
>>>>>> transport = ssh 
>>>>>> jinja2_extensions = jinja2.ext.do 
>>>>>>
>>>>>> [ssh_connection] 
>>>>>> ssh_args = -F ssh.config 
>>>>>> pipelining = True
>>>>>>
>>>>>>
>>>>>> ssh.config (referenced in ansible.cfg).  Note that if you have a new 
>>>>>> enough version of ssh, you can use the -W flag instead of nc:
>>>>>> #jumpboxes first (most specific hosts first)
>>>>>> Host jumpbox01 10.1.0.10
>>>>>>  ControlMaster yes
>>>>>>  ControlPath ~/.ssh/master-%r@jumpbox01:%p
>>>>>>  StrictHostkeyChecking no
>>>>>>  ProxyCommand none
>>>>>>
>>>>>> Host jumpbox02 10.2.0.10
>>>>>>  ControlMaster yes
>>>>>>  ControlPath ~/.ssh/master-%r@jumpbox02:%p
>>>>>>  StrictHostkeyChecking no
>>>>>>  ProxyCommand none
>>>>>>
>>>>>> Host jumpbox03 10.3.0.10
>>>>>>  ControlMaster yes
>>>>>>  ControlPath ~/.ssh/master-%r@jumpbox03:%p
>>>>>>  StrictHostkeyChecking no
>>>>>>  ProxyCommand none
>>>>>>
>>>>>> # groups of machines that can be accessed by the above jumpboxes
>>>>>> Host *.west.domain.com 10.1.0.*
>>>>>>  ControlMaster no
>>>>>>  ProxyCommand ssh -S ~/.ssh/master-*@jumpbox01:%p remote nc %h %p
>>>>>>
>>>>>> Host *.central.domain.com 10.2.0.*
>>>>>>  ControlMaster no
>>>>>>  ProxyCommand ssh -S ~/.ssh/master-*@jumpbox02:%p remote nc %h %p
>>>>>>
>>>>>> Host *.east.domain.com 10.3.0.*
>>>>>>  ControlMaster no
>>>>>>  ProxyCommand ssh -S ~/.ssh/master-*@jumpbox03:%p remote nc %h %p
>>>>>>
>>>>>> # this makes ansible faster by reusing connections
>>>>>> Host *
>>>>>>  ControlMaster auto
>>>>>>  ControlPersist 300s
>>>>>>  ControlPath ~/.ssh/ansible-%r@%h:%p
>>>>>>
>>>>>> Once I have those configs setup, I have to run the following to 
>>>>>> establish a tunnel to a jumpbox/bastion before I can run ansible:
>>>>>> $ ssh -F ssh.config -fN user@jumpbox01
>>>>>>
>>>>>>
>>>>>> When I run the above, it asks for the password (or uses my SSH key), 
>>>>>> then SSH goes into the background and then the tunnel is established.
>>>>>>
>>>>>> I do all of my deployments this way by creating a Jenkins job that 
>>>>>> establishes the tunnel, runs ansible, then tears down the tunnel using 
>>>>>> something like:
>>>>>>
>>>>>> ssh -O exit -TS ~/.ssh/path-to-socket
>>>>>>
>>>>>> Some of the jumpboxes use dumb passwords, some of them use keys, and
>>>>>> one of them requires an RSA token (2-factor auth).  For the RSA machine,
>>>>>> my Jenkins job presents the user with a form that has 2 fields: 2-Factor
>>>>>> Username, and 2-Factor Passcode.  The passcode is generated by an RSA
>>>>>> token keyfob (or smartphone app).  In order to make this work, I had to
>>>>>> write a custom expect script because the SSH prompt for the RSA token
>>>>>> reads "Enter PASSCODE" instead of "Password" which is what sshpass is
>>>>>> hardcoded to look for.  Here's my expect script to catch all the
>>>>>> variations:
>>>>>>
>>>>>> #!/usr/bin/env expect
>>>>>> # Usage: expect <this script> user@jumpbox
>>>>>> # The password or RSA passcode is read from the SSH_PASSWORD environment variable.
>>>>>> set timeout 30
>>>>>> set userhost [lindex $argv 0]
>>>>>> # -fN: authenticate, then go to the background with no remote command,
>>>>>> # leaving the ControlMaster socket from ssh.config up for ansible.
>>>>>> spawn ssh -fN -F ssh.config $userhost
>>>>>>
>>>>>> # Match whichever prompt the jumpbox shows; sshpass only knows "password".
>>>>>> expect {
>>>>>>   "Enter PASSCODE:" {
>>>>>>     send "$env(SSH_PASSWORD)\n"
>>>>>>     send "\n"
>>>>>>   }
>>>>>>
>>>>>>   "Password:" {
>>>>>>     send "$env(SSH_PASSWORD)\n"
>>>>>>     send "\n"
>>>>>>   }
>>>>>>
>>>>>>   "password:" {
>>>>>>     send "$env(SSH_PASSWORD)\n"
>>>>>>     send "\n"
>>>>>>   }
>>>>>> }
>>>>>>
>>>>>> # Give ssh time to create the control socket before expect exits.
>>>>>> sleep 5
>>>>>>
>>>>>>
>>>>>> I need the sleep 5 at the end of the script as a hack because the
>>>>>> jumpbox with the RSA token doesn't establish the control socket until a
>>>>>> few seconds after the login happens.  If my script exits too soon, then
>>>>>> the tunnel won't get established.  I'm not sure how to properly deal with
>>>>>> this.
>>>>>>
>>>>>> Like I said, some of the machines that I run ansible on have
>>>>>> hardcoded passwords and it works fine when ssh_user and ssh_pass are set
>>>>>> as facts for your host.
>>>>>>
>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/7ae2d391-a0ed-4bfa-8efb-d2d4ee239f9a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
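Added example, not code from the thread or from the Ansible project: a POSIX shell helper that renders the jumpbox ssh_config discussed above with the mandatory trailing destination argument ("remote") that the April 2018 reply points out, and that replaces the "sleep 5" hack from the February 2015 expect script with a poll on the control socket via `ssh -O check`. The hostnames jumpboxserver and *.someserverbehindjumpbox.com are the thread's placeholders; web01 and every function name below are mine. The ProxyJump alternative mentioned in a comment needs OpenSSH 7.3 or later.

```shell
#!/bin/sh
# Added example for the ansible-over-jumpbox thread; not the thread's own files.
# Hostnames are placeholders taken from the thread, function names are mine.

# Print an ssh_config for one jumpbox and the hosts reachable only through it.
# $1 = jumpbox host alias, $2 = Host pattern for the machines behind it.
render_ssh_config() {
    jumpbox=$1
    behind=$2
    cat <<EOF
# Jumpbox first: ssh applies the first matching value for each keyword.
Host $jumpbox
 ControlMaster yes
 ControlPath ~/.ssh/master-%r@$jumpbox:%p
 ControlPersist 10m
 ProxyCommand none
 # Keep host-key verification on and pre-seed known_hosts (ssh-keyscan or a
 # pinned key) instead of StrictHostKeyChecking no as in the thread's config.
 StrictHostKeyChecking yes

# Machines behind the jumpbox. The trailing "remote" is the destination
# argument ssh insists on even though the traffic goes through the existing
# control socket; without it ssh prints its usage text and exits.
Host $behind
 ControlMaster no
 ProxyCommand ssh -S ~/.ssh/master-*@$jumpbox:%p -W %h:%p remote
 # OpenSSH 7.3+ can replace the ProxyCommand line above with:
 # ProxyJump $jumpbox

# Everything else: reuse connections so ansible pays one handshake per host.
Host *
 ControlMaster auto
 ControlPersist 300s
 ControlPath ~/.ssh/ansible-%r@%h:%p
EOF
}

# Return 0 as soon as "ssh -O check" reports a live master, 1 after $3 seconds.
# Replaces a fixed "sleep 5": 2FA-backed jumpboxes create the socket late.
wait_for_master() {
    cfg=$1; target=$2; limit=$3; waited=0
    while [ "$waited" -lt "$limit" ]; do
        if ssh -F "$cfg" -O check "$target" 2>/dev/null; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "no control socket for $target after ${limit}s" >&2
    return 1
}

# Start the background master to the jumpbox, then wait for its socket.
# $1 = config file, $2 = [user@]jumpbox, $3 = seconds to wait (default 30)
tunnel_up() {
    cfg=$1; target=$2; limit=${3:-30}
    ssh -F "$cfg" -fN "$target" || return 1
    wait_for_master "$cfg" "$target" "$limit"
}

# Ask the master to exit; this also closes every multiplexed session on it.
tunnel_down() {
    ssh -F "$1" -O exit "$2" 2>/dev/null
}

# Bring the tunnel up, run a command (e.g. ansible-playbook), always tear down.
# $1 = config file, $2 = [user@]jumpbox, rest = command and its arguments
run_with_tunnel() {
    cfg=$1; target=$2; shift 2
    tunnel_up "$cfg" "$target" || return 1
    "$@"; status=$?
    tunnel_down "$cfg" "$target"
    return $status
}

# Usage:
#   render_ssh_config jumpboxserver '*.someserverbehindjumpbox.com' > ssh.config
#   run_with_tunnel ssh.config user@jumpboxserver ansible-playbook site.yml
```

`ssh -G -F ssh.config web01.someserverbehindjumpbox.com` dumps the effective configuration for a host behind the jumpbox without connecting, which is a quicker way to confirm the ProxyCommand line than reading -vvv output. Two design choices differ from the thread's configs: host-key checking stays enabled, because `StrictHostKeyChecking no` (and `host_key_checking = False` in ansible.cfg) removes the only check that the jumpbox answering is the one you meant to hop through; and the socket is polled rather than waited for with a fixed sleep, so a slow 2FA login neither races the script nor costs five seconds on every run.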
