Re: [ansible-project] Re: Steps for ssh forwarding?
Michael, you are SO RIGHT! now the tunneling works after your clue! completely missed out this "*remote*" On Monday, April 9, 2018 at 1:48:50 PM UTC, Michael Spiegle wrote: > > I think this is because the SSH command always expects a hostname even if > there isn't a hostname to use. In your ssh -vvv debug output, you can see > that every single option is inside of [optional] brackets EXCEPT for the > hostname. SSH won't actually use this hostname for anything, it just wants > some dumb string in that field. In my config, I use the string "remote" > like > the following. Note that the host "remote" doesn't exist and you'd > probably receive an error under normal circumstances: > > Host *.someserverbehindjumpbox.com > ControlMaster no > ProxyCommand ssh -S ~/.ssh/master-*@jumpboxserver:%p -W %h:%p > re > mote > > > > On Mon, Apr 9, 2018 at 3:30 AM, Benny Kusman> wrote: > >> This is the -vvv output: >> >> [root@WW-GVXQLC2 ansible]# ssh -F ssh.config bkusman@serverbehindjumpbox >> -p 670 -vvv >> OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 >> debug1: Reading configuration data ssh.config >> debug1: ssh.config line 28: Applying options for * >> debug1: Executing proxy command: exec ssh -S ~/.ssh/master-*@ >> jumpboxserver:670 -W serverbehindjumpbox:670 >> debug1: permanently_set_uid: 0/0 >> debug1: permanently_drop_suid: 0 >> debug1: key_load_public: No such file or directory >> debug1: identity file /root/.ssh/id_rsa type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /root/.ssh/id_rsa-cert type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /root/.ssh/id_dsa type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /root/.ssh/id_dsa-cert type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /root/.ssh/id_ecdsa type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /root/.ssh/id_ecdsa-cert type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /root/.ssh/id_ed25519 type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /root/.ssh/id_ed25519-cert type -1 >> debug1: Enabling compatibility mode for protocol 2.0 >> debug1: Local version string SSH-2.0-OpenSSH_7.4 >> usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] >>[-D [bind_address:]port] [-E log_file] [-e escape_char] >>[-F configfile] [-I pkcs11] [-i identity_file] >>[-J [user@]host[:port]] [-L address] [-l login_name] [-m >> mac_spec] >>[-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R >> address] >>[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] >>[user@]hostname [command] >> ssh_exchange_identification: Connection closed by remote host >> >> >> On Monday, April 9, 2018 at 7:18:32 AM UTC, Benny Kusman wrote: >>> >>> Hi >>> >>> ssh -F ssh.config -fN user@some_jumpbox --> im able to establish this >>> and send it back to the background >>> ssh -F ssh.config user@someserverbehindjumpbox --> does not work. the >>> message is: ssh_exchange_identification: Connection closed by remote >>> host >>> >>> the "hosts" im referring to is in the ssh.config. This is my ssh.config >>> >>> == >>> #jumpboxes first (most specific hosts first) >>> Host jumpboxserver >>> ControlMaster yes >>> ControlPath ~/.ssh/master-%r@ jumpboxserver :%p >>> StrictHostkeyChecking no >>> ProxyCommand none >>> ControlPersist 10m >>> >>> >>> >>> # groups of machines that can be accessed by the above jumpboxes >>> >>> >>> Host *.someserverbehindjumpbox.com >>> ControlMaster no >>> ProxyCommand ssh -S ~/.ssh/master-*@jumpboxserver:%p -W %h:%p >>> >>> # this makes ansible faster by reusing connections >>> Host * >>> ControlMaster auto >>> ControlPersist 300s >>> ControlPath ~/.ssh/ansible-%r@%h:%p >>> == >>> >>> >>> >>> On Thu, Apr 5, 2018 at 12:46 PM, Michael Spiegle < >>> mspi...@nauticaltech.com > wrote: >>> By "hosts" file, do you mean /etc/hosts or the hosts in ssh.config? Also, if you just run SSH by hand to login to a remote host, what happens? Ex: $ ssh -F ssh.config -fN user@some_jumpbox $ ssh -F ssh.config user@some_server_behind_jumpbox On Thursday, April 5, 2018 at 6:20:14 AM UTC-4, Benny Kusman wrote: > > this is a great step. > im able to establish the tunneling with the jumphost. > but i was wondering, what did you put in the hosts filfe ? > im still not able to reach the server > > On Monday, February 16, 2015 at 12:11:58 AM UTC, Michael Spiegle wrote: >> >> As an additional datapoint, here's a brief summary of how I deal with >> this. To complicate matters, my machines are split across various labs
Re: [ansible-project] Re: Steps for ssh forwarding?
I think this is because the SSH command always expects a hostname even if there isn't a hostname to use. In your ssh -vvv debug output, you can see that every single option is inside of [optional] brackets EXCEPT for the hostname. SSH won't actually use this hostname for anything, it just wants some dumb string in that field. In my config, I use the string "remote" like the following. Note that the host "remote" doesn't exist and you'd probably receive an error under normal circumstances: Host *.someserverbehindjumpbox.com ControlMaster no ProxyCommand ssh -S ~/.ssh/master-*@jumpboxserver:%p -W %h:%p re mote On Mon, Apr 9, 2018 at 3:30 AM, Benny Kusmanwrote: > This is the -vvv output: > > [root@WW-GVXQLC2 ansible]# ssh -F ssh.config bkusman@serverbehindjumpbox > -p 670 -vvv > OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 > debug1: Reading configuration data ssh.config > debug1: ssh.config line 28: Applying options for * > debug1: Executing proxy command: exec ssh -S ~/.ssh/master-*@jumpboxserver > :670 -W serverbehindjumpbox:670 > debug1: permanently_set_uid: 0/0 > debug1: permanently_drop_suid: 0 > debug1: key_load_public: No such file or directory > debug1: identity file /root/.ssh/id_rsa type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /root/.ssh/id_rsa-cert type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /root/.ssh/id_dsa type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /root/.ssh/id_dsa-cert type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /root/.ssh/id_ecdsa type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /root/.ssh/id_ecdsa-cert type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /root/.ssh/id_ed25519 type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /root/.ssh/id_ed25519-cert type -1 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_7.4 > usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] >[-D [bind_address:]port] [-E log_file] [-e escape_char] >[-F configfile] [-I pkcs11] [-i identity_file] >[-J [user@]host[:port]] [-L address] [-l login_name] [-m > mac_spec] >[-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R > address] >[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] >[user@]hostname [command] > ssh_exchange_identification: Connection closed by remote host > > > On Monday, April 9, 2018 at 7:18:32 AM UTC, Benny Kusman wrote: >> >> Hi >> >> ssh -F ssh.config -fN user@some_jumpbox --> im able to establish this >> and send it back to the background >> ssh -F ssh.config user@someserverbehindjumpbox --> does not work. the >> message is: ssh_exchange_identification: Connection closed by remote host >> >> the "hosts" im referring to is in the ssh.config. This is my ssh.config >> >> == >> #jumpboxes first (most specific hosts first) >> Host jumpboxserver >> ControlMaster yes >> ControlPath ~/.ssh/master-%r@ jumpboxserver :%p >> StrictHostkeyChecking no >> ProxyCommand none >> ControlPersist 10m >> >> >> >> # groups of machines that can be accessed by the above jumpboxes >> >> >> Host *.someserverbehindjumpbox.com >> ControlMaster no >> ProxyCommand ssh -S ~/.ssh/master-*@jumpboxserver:%p -W %h:%p >> >> # this makes ansible faster by reusing connections >> Host * >> ControlMaster auto >> ControlPersist 300s >> ControlPath ~/.ssh/ansible-%r@%h:%p >> == >> >> >> >> On Thu, Apr 5, 2018 at 12:46 PM, Michael Spiegle < >> mspie...@nauticaltech.com> wrote: >> >>> By "hosts" file, do you mean /etc/hosts or the hosts in ssh.config? >>> Also, if you just run SSH by hand to login to a remote host, what happens? >>> >>> Ex: >>> $ ssh -F ssh.config -fN user@some_jumpbox >>> $ ssh -F ssh.config user@some_server_behind_jumpbox >>> >>> >>> On Thursday, April 5, 2018 at 6:20:14 AM UTC-4, Benny Kusman wrote: this is a great step. im able to establish the tunneling with the jumphost. but i was wondering, what did you put in the hosts filfe ? im still not able to reach the server On Monday, February 16, 2015 at 12:11:58 AM UTC, Michael Spiegle wrote: > > As an additional datapoint, here's a brief summary of how I deal with > this. To complicate matters, my machines are split across various labs in > different locations which each have their own bastion/jumpbox. I use ssh > keys sometimes, and hard coded passwords for some other machines: > > ansible.cfg: > [defaults] > hostfile = hosts > error_on_undefined_vars = True > host_key_checking = False > transport = ssh > jinja2_extensions =
Re: [ansible-project] Re: Steps for ssh forwarding?
This is the -vvv output: [root@WW-GVXQLC2 ansible]# ssh -F ssh.config bkusman@serverbehindjumpbox -p 670 -vvv OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 debug1: Reading configuration data ssh.config debug1: ssh.config line 28: Applying options for * debug1: Executing proxy command: exec ssh -S ~/.ssh/master-*@jumpboxserver:670 -W serverbehindjumpbox:670 debug1: permanently_set_uid: 0/0 debug1: permanently_drop_suid: 0 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_rsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /root/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.4 usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] [user@]hostname [command] ssh_exchange_identification: Connection closed by remote host On Monday, April 9, 2018 at 7:18:32 AM UTC, Benny Kusman wrote: > > Hi > > ssh -F ssh.config -fN user@some_jumpbox --> im able to establish this > and send it back to the background > ssh -F ssh.config user@someserverbehindjumpbox --> does not work. the > message is: ssh_exchange_identification: Connection closed by remote host > > the "hosts" im referring to is in the ssh.config. This is my ssh.config > > == > #jumpboxes first (most specific hosts first) > Host jumpboxserver > ControlMaster yes > ControlPath ~/.ssh/master-%r@ jumpboxserver :%p > StrictHostkeyChecking no > ProxyCommand none > ControlPersist 10m > > > > # groups of machines that can be accessed by the above jumpboxes > > > Host *.someserverbehindjumpbox.com > ControlMaster no > ProxyCommand ssh -S ~/.ssh/master-*@jumpboxserver:%p -W %h:%p > > # this makes ansible faster by reusing connections > Host * > ControlMaster auto > ControlPersist 300s > ControlPath ~/.ssh/ansible-%r@%h:%p > == > > > > On Thu, Apr 5, 2018 at 12:46 PM, Michael Spiegle < > mspie...@nauticaltech.com> wrote: > >> By "hosts" file, do you mean /etc/hosts or the hosts in ssh.config? >> Also, if you just run SSH by hand to login to a remote host, what happens? >> >> Ex: >> $ ssh -F ssh.config -fN user@some_jumpbox >> $ ssh -F ssh.config user@some_server_behind_jumpbox >> >> >> On Thursday, April 5, 2018 at 6:20:14 AM UTC-4, Benny Kusman wrote: >>> >>> this is a great step. >>> im able to establish the tunneling with the jumphost. >>> but i was wondering, what did you put in the hosts filfe ? >>> im still not able to reach the server >>> >>> On Monday, February 16, 2015 at 12:11:58 AM UTC, Michael Spiegle wrote: As an additional datapoint, here's a brief summary of how I deal with this. To complicate matters, my machines are split across various labs in different locations which each have their own bastion/jumpbox. I use ssh keys sometimes, and hard coded passwords for some other machines: ansible.cfg: [defaults] hostfile = hosts error_on_undefined_vars = True host_key_checking = False transport = ssh jinja2_extensions = jinja2.ext.do [ssh_connection] ssh_args = -F ssh.config pipelining = True ssh.config (referenced in ansible.cfg). Note that if you have a new enough version of ssh, you can use the -W flag instead of nc: #jumpboxes first (most specific hosts first) Host jumpbox01 10.1.0.10 ControlMaster yes ControlPath ~/.ssh/master-%r@jumpbox01:%p StrictHostkeyChecking no ProxyCommand none Host jumpbox02 10.2.0.10 ControlMaster yes ControlPath ~/.ssh/master-%r@jumpbox02:%p StrictHostkeyChecking no ProxyCommand none Host jumpbox03 10.3.0.10 ControlMaster yes ControlPath ~/.ssh/master-%r@jumpbox03:%p StrictHostkeyChecking no ProxyCommand none # groups of machines that can be accessed by the above
Re: [ansible-project] Re: Steps for ssh forwarding?
Hi ssh -F ssh.config -fN user@some_jumpbox --> im able to establish this and send it back to the background ssh -F ssh.config user@someserverbehindjumpbox --> does not work. the message is: ssh_exchange_identification: Connection closed by remote host the "hosts" im referring to is in the ssh.config. This is my ssh.config == #jumpboxes first (most specific hosts first) Host jumpboxserver ControlMaster yes ControlPath ~/.ssh/master-%r@ jumpboxserver :%p StrictHostkeyChecking no ProxyCommand none ControlPersist 10m # groups of machines that can be accessed by the above jumpboxes Host *.someserverbehindjumpbox.com ControlMaster no ProxyCommand ssh -S ~/.ssh/master-*@jumpboxserver:%p -W %h:%p # this makes ansible faster by reusing connections Host * ControlMaster auto ControlPersist 300s ControlPath ~/.ssh/ansible-%r@%h:%p == On Thu, Apr 5, 2018 at 12:46 PM, Michael Spieglewrote: > By "hosts" file, do you mean /etc/hosts or the hosts in ssh.config? Also, > if you just run SSH by hand to login to a remote host, what happens? > > Ex: > $ ssh -F ssh.config -fN user@some_jumpbox > $ ssh -F ssh.config user@some_server_behind_jumpbox > > > On Thursday, April 5, 2018 at 6:20:14 AM UTC-4, Benny Kusman wrote: >> >> this is a great step. >> im able to establish the tunneling with the jumphost. >> but i was wondering, what did you put in the hosts filfe ? >> im still not able to reach the server >> >> On Monday, February 16, 2015 at 12:11:58 AM UTC, Michael Spiegle wrote: >>> >>> As an additional datapoint, here's a brief summary of how I deal with >>> this. To complicate matters, my machines are split across various labs in >>> different locations which each have their own bastion/jumpbox. I use ssh >>> keys sometimes, and hard coded passwords for some other machines: >>> >>> ansible.cfg: >>> [defaults] >>> hostfile = hosts >>> error_on_undefined_vars = True >>> host_key_checking = False >>> transport = ssh >>> jinja2_extensions = jinja2.ext.do >>> >>> [ssh_connection] >>> ssh_args = -F ssh.config >>> pipelining = True >>> >>> >>> ssh.config (referenced in ansible.cfg). Note that if you have a new >>> enough version of ssh, you can use the -W flag instead of nc: >>> #jumpboxes first (most specific hosts first) >>> Host jumpbox01 10.1.0.10 >>> ControlMaster yes >>> ControlPath ~/.ssh/master-%r@jumpbox01:%p >>> StrictHostkeyChecking no >>> ProxyCommand none >>> >>> Host jumpbox02 10.2.0.10 >>> ControlMaster yes >>> ControlPath ~/.ssh/master-%r@jumpbox02:%p >>> StrictHostkeyChecking no >>> ProxyCommand none >>> >>> Host jumpbox03 10.3.0.10 >>> ControlMaster yes >>> ControlPath ~/.ssh/master-%r@jumpbox03:%p >>> StrictHostkeyChecking no >>> ProxyCommand none >>> >>> # groups of machines that can be accessed by the above jumpboxes >>> Host *.west.domain.com 10.1.0.* >>> ControlMaster no >>> ProxyCommand ssh -S ~/.ssh/master-*@jumpbox01:%p remote nc %h %p >>> >>> Host *.central.domain.com 10.2.0.* >>> ControlMaster no >>> ProxyCommand ssh -S ~/.ssh/master-*@jumpbox02:%p remote nc %h %p >>> >>> Host *.east.domain.com 10.3.0.* >>> ControlMaster no >>> ProxyCommand ssh -S ~/.ssh/master-*@jumpbox03:%p remote nc %h %p >>> >>> # this makes ansible faster by reusing connections >>> Host * >>> >>> ControlMaster auto >>> ControlPersist 300s >>> ControlPath ~/.ssh/ansible-%r@%h:%p >>> >>> Once I have those configs setup, I have to run the following to >>> establish a tunnel to a jumpbox/bastion before I can run ansible: >>> $ ssh -F ssh.config -fN user@jumpbox01 >>> >>> >>> When I run the above, it asks for the password (or uses my SSH key), >>> then SSH goes into the background and then the tunnel is established. >>> >>> I do all of my deployments this way by creating a Jenkins job that >>> establishes the tunnel, runs ansible, then tears down the tunnel using >>> something like: >>> >>> ssh -O exit -TS ~/.ssh/path-to-socket >>> >>> Some of the jumpboxes use dumb passwords, some of them use keys, and one >>> of them requires an RSA token (2-factor auth). For the RSA machine, my >>> Jenkins job presents the user with a form that has 2 fields: 2-Factor >>> Username, and 2-Factor Passcode. The passcode is generated by an RSA token >>> keyfob (or smartphone app). In order to make this work, I had to write a >>> custom expect script because the SSH prompt for the RSA token reads "Enter >>> PASSCODE" instead of "Password" which is what sshpass is hardcoded to look >>> for. Here's my expect script to catch all the variations: >>> >>> #!/usr/bin/env expect >>> set timeout 30 >>> set userhost [lindex $argv 0] >>> spawn ssh -fN -F ssh.config $userhost >>> >>> expect { >>> "Enter PASSCODE:" { >>> send "$env(SSH_PASSWORD)\n" >>> send "\n" >>> } >>> >>> "Password:" { >>> send "$env(SSH_PASSWORD)\n" >>> send "\n" >>> } >>> >>> "password:" { >>> send
Re: [ansible-project] Re: Steps for ssh forwarding?
By "hosts" file, do you mean /etc/hosts or the hosts in ssh.config? Also, if you just run SSH by hand to login to a remote host, what happens? Ex: $ ssh -F ssh.config -fN user@some_jumpbox $ ssh -F ssh.config user@some_server_behind_jumpbox On Thursday, April 5, 2018 at 6:20:14 AM UTC-4, Benny Kusman wrote: > > this is a great step. > im able to establish the tunneling with the jumphost. > but i was wondering, what did you put in the hosts filfe ? > im still not able to reach the server > > On Monday, February 16, 2015 at 12:11:58 AM UTC, Michael Spiegle wrote: >> >> As an additional datapoint, here's a brief summary of how I deal with >> this. To complicate matters, my machines are split across various labs in >> different locations which each have their own bastion/jumpbox. I use ssh >> keys sometimes, and hard coded passwords for some other machines: >> >> ansible.cfg: >> [defaults] >> hostfile = hosts >> error_on_undefined_vars = True >> host_key_checking = False >> transport = ssh >> jinja2_extensions = jinja2.ext.do >> >> [ssh_connection] >> ssh_args = -F ssh.config >> pipelining = True >> >> >> ssh.config (referenced in ansible.cfg). Note that if you have a new >> enough version of ssh, you can use the -W flag instead of nc: >> #jumpboxes first (most specific hosts first) >> Host jumpbox01 10.1.0.10 >> ControlMaster yes >> ControlPath ~/.ssh/master-%r@jumpbox01:%p >> StrictHostkeyChecking no >> ProxyCommand none >> >> Host jumpbox02 10.2.0.10 >> ControlMaster yes >> ControlPath ~/.ssh/master-%r@jumpbox02:%p >> StrictHostkeyChecking no >> ProxyCommand none >> >> Host jumpbox03 10.3.0.10 >> ControlMaster yes >> ControlPath ~/.ssh/master-%r@jumpbox03:%p >> StrictHostkeyChecking no >> ProxyCommand none >> >> # groups of machines that can be accessed by the above jumpboxes >> Host *.west.domain.com 10.1.0.* >> ControlMaster no >> ProxyCommand ssh -S ~/.ssh/master-*@jumpbox01:%p remote nc %h %p >> >> Host *.central.domain.com 10.2.0.* >> ControlMaster no >> ProxyCommand ssh -S ~/.ssh/master-*@jumpbox02:%p remote nc %h %p >> >> Host *.east.domain.com 10.3.0.* >> ControlMaster no >> ProxyCommand ssh -S ~/.ssh/master-*@jumpbox03:%p remote nc %h %p >> >> # this makes ansible faster by reusing connections >> Host * >> >> ControlMaster auto >> ControlPersist 300s >> ControlPath ~/.ssh/ansible-%r@%h:%p >> >> Once I have those configs setup, I have to run the following to establish >> a tunnel to a jumpbox/bastion before I can run ansible: >> $ ssh -F ssh.config -fN user@jumpbox01 >> >> >> When I run the above, it asks for the password (or uses my SSH key), then >> SSH goes into the background and then the tunnel is established. >> >> I do all of my deployments this way by creating a Jenkins job that >> establishes the tunnel, runs ansible, then tears down the tunnel using >> something like: >> >> ssh -O exit -TS ~/.ssh/path-to-socket >> >> Some of the jumpboxes use dumb passwords, some of them use keys, and one >> of them requires an RSA token (2-factor auth). For the RSA machine, my >> Jenkins job presents the user with a form that has 2 fields: 2-Factor >> Username, and 2-Factor Passcode. The passcode is generated by an RSA token >> keyfob (or smartphone app). In order to make this work, I had to write a >> custom expect script because the SSH prompt for the RSA token reads "Enter >> PASSCODE" instead of "Password" which is what sshpass is hardcoded to look >> for. Here's my expect script to catch all the variations: >> >> #!/usr/bin/env expect >> set timeout 30 >> set userhost [lindex $argv 0] >> spawn ssh -fN -F ssh.config $userhost >> >> expect { >> "Enter PASSCODE:" { >> send "$env(SSH_PASSWORD)\n" >> send "\n" >> } >> >> "Password:" { >> send "$env(SSH_PASSWORD)\n" >> send "\n" >> } >> >> "password:" { >> send "$env(SSH_PASSWORD)\n" >> send "\n" >> } >> } >> >> sleep 5 >> >> >> I need the sleep 5 at the end of the script as a hack because the jumpbox >> with RSA token don't establish the control socket until a few seconds after >> the login happens. If my script exits too soon, then the tunnel won't get >> established. I'm not sure how to properly deal with this. >> >> Like I said, some of the machines that I run ansible on have hardcoded >> passwords and it works fine when ssh_user and ssh_pass is set as facts for >> your host. >> > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/53c9364c-3062-4f8c-8f14-be041690e8fa%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Re: Steps for ssh forwarding?
this is a great step. im able to establish the tunneling with the jumphost. but i was wondering, what did you put in the hosts filfe ? im still not able to reach the server On Monday, February 16, 2015 at 12:11:58 AM UTC, Michael Spiegle wrote: > > As an additional datapoint, here's a brief summary of how I deal with > this. To complicate matters, my machines are split across various labs in > different locations which each have their own bastion/jumpbox. I use ssh > keys sometimes, and hard coded passwords for some other machines: > > ansible.cfg: > [defaults] > hostfile = hosts > error_on_undefined_vars = True > host_key_checking = False > transport = ssh > jinja2_extensions = jinja2.ext.do > > [ssh_connection] > ssh_args = -F ssh.config > pipelining = True > > > ssh.config (referenced in ansible.cfg). Note that if you have a new > enough version of ssh, you can use the -W flag instead of nc: > #jumpboxes first (most specific hosts first) > Host jumpbox01 10.1.0.10 > ControlMaster yes > ControlPath ~/.ssh/master-%r@jumpbox01:%p > StrictHostkeyChecking no > ProxyCommand none > > Host jumpbox02 10.2.0.10 > ControlMaster yes > ControlPath ~/.ssh/master-%r@jumpbox02:%p > StrictHostkeyChecking no > ProxyCommand none > > Host jumpbox03 10.3.0.10 > ControlMaster yes > ControlPath ~/.ssh/master-%r@jumpbox03:%p > StrictHostkeyChecking no > ProxyCommand none > > # groups of machines that can be accessed by the above jumpboxes > Host *.west.domain.com 10.1.0.* > ControlMaster no > ProxyCommand ssh -S ~/.ssh/master-*@jumpbox01:%p remote nc %h %p > > Host *.central.domain.com 10.2.0.* > ControlMaster no > ProxyCommand ssh -S ~/.ssh/master-*@jumpbox02:%p remote nc %h %p > > Host *.east.domain.com 10.3.0.* > ControlMaster no > ProxyCommand ssh -S ~/.ssh/master-*@jumpbox03:%p remote nc %h %p > > # this makes ansible faster by reusing connections > Host * > > ControlMaster auto > ControlPersist 300s > ControlPath ~/.ssh/ansible-%r@%h:%p > > Once I have those configs setup, I have to run the following to establish > a tunnel to a jumpbox/bastion before I can run ansible: > $ ssh -F ssh.config -fN user@jumpbox01 > > > When I run the above, it asks for the password (or uses my SSH key), then > SSH goes into the background and then the tunnel is established. > > I do all of my deployments this way by creating a Jenkins job that > establishes the tunnel, runs ansible, then tears down the tunnel using > something like: > > ssh -O exit -TS ~/.ssh/path-to-socket > > Some of the jumpboxes use dumb passwords, some of them use keys, and one > of them requires an RSA token (2-factor auth). For the RSA machine, my > Jenkins job presents the user with a form that has 2 fields: 2-Factor > Username, and 2-Factor Passcode. The passcode is generated by an RSA token > keyfob (or smartphone app). In order to make this work, I had to write a > custom expect script because the SSH prompt for the RSA token reads "Enter > PASSCODE" instead of "Password" which is what sshpass is hardcoded to look > for. Here's my expect script to catch all the variations: > > #!/usr/bin/env expect > set timeout 30 > set userhost [lindex $argv 0] > spawn ssh -fN -F ssh.config $userhost > > expect { > "Enter PASSCODE:" { > send "$env(SSH_PASSWORD)\n" > send "\n" > } > > "Password:" { > send "$env(SSH_PASSWORD)\n" > send "\n" > } > > "password:" { > send "$env(SSH_PASSWORD)\n" > send "\n" > } > } > > sleep 5 > > > I need the sleep 5 at the end of the script as a hack because the jumpbox > with RSA token don't establish the control socket until a few seconds after > the login happens. If my script exits too soon, then the tunnel won't get > established. I'm not sure how to properly deal with this. > > Like I said, some of the machines that I run ansible on have hardcoded > passwords and it works fine when ssh_user and ssh_pass is set as facts for > your host. > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/73540da5-dec2-4b29-a6c1-430efcd83755%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Re: Steps for ssh forwarding?
Many thanks Michael for the detailed writeup! I'm going to experiment with my setup (quite similar to your's - multiple jumpboxes in multiple locations, some AWS usage as well) to see how much of your approach I can adapt to mine. On Sunday, February 15, 2015 at 6:14:54 PM UTC-6, Michael Spiegle wrote: About half of my machines are in Amazon/EC2. In order to solve the chicken/egg problem, I write out a user_data script which installs some SSH keys for me to the root user of the VM upon first boot. This allows me to run my initial bootstrap and get the machine joined to the domain, then I can optionally remove the root keys. This is all done with Ansible. On Saturday, February 14, 2015 at 11:10:11 AM UTC-5, Ananda Debnath wrote: Thanks for looking. There are too many current processes dependent on passwords that I'm migrating to Ansible - while converting to keys is partly underway, it won't be complete for a while. There's also a second bootstrapping problem. I'm using Ansible to run baremetal bringup scripts on xen hosts (doing double duty as the jumpbox/bastion host above) which in turn creates the VM's from an image. I cannot bake keys into the image and need to get them on there after they boot up. Hence - a chicken and egg problem. How would I get the keys onto the VMs? Xen hosts have numerous problems running Ansible scripts directly because they run an old version of Python - so I don't think I can call the authorized_key module on the host and have it inject them into the VMs. The action would need to be triggered outside in a machine/vm that supports Ansible - which in turn would need to tunnel into the VMs to do just this - hence chicken and egg. Ultimately, the key pairs would be created and injected into the images instead of the passwords we do today - but as I mention above, this won't be for a while. -- You received this message because you are subscribed to the Google Groups Ansible Project group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d390e45b-9aba-4d99-8990-a08baec06766%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Re: Steps for ssh forwarding?
As an additional datapoint, here's a brief summary of how I deal with this. To complicate matters, my machines are split across various labs in different locations which each have their own bastion/jumpbox. I use ssh keys sometimes, and hard coded passwords for some other machines: ansible.cfg: [defaults] hostfile = hosts error_on_undefined_vars = True host_key_checking = False transport = ssh jinja2_extensions = jinja2.ext.do [ssh_connection] ssh_args = -F ssh.config pipelining = True ssh.config (referenced in ansible.cfg). Note that if you have a new enough version of ssh, you can use the -W flag instead of nc: #jumpboxes first (most specific hosts first) Host jumpbox01 10.1.0.10 ControlMaster yes ControlPath ~/.ssh/master-%r@jumpbox01:%p StrictHostkeyChecking no ProxyCommand none Host jumpbox02 10.2.0.10 ControlMaster yes ControlPath ~/.ssh/master-%r@jumpbox02:%p StrictHostkeyChecking no ProxyCommand none Host jumpbox03 10.3.0.10 ControlMaster yes ControlPath ~/.ssh/master-%r@jumpbox03:%p StrictHostkeyChecking no ProxyCommand none # groups of machines that can be accessed by the above jumpboxes Host *.west.domain.com 10.1.0.* ControlMaster no ProxyCommand ssh -S ~/.ssh/master-*@jumpbox01:%p remote nc %h %p Host *.central.domain.com 10.2.0.* ControlMaster no ProxyCommand ssh -S ~/.ssh/master-*@jumpbox02:%p remote nc %h %p Host *.east.domain.com 10.3.0.* ControlMaster no ProxyCommand ssh -S ~/.ssh/master-*@jumpbox03:%p remote nc %h %p # this makes ansible faster by reusing connections Host * ControlMaster auto ControlPersist 300s ControlPath ~/.ssh/ansible-%r@%h:%p Once I have those configs setup, I have to run the following to establish a tunnel to a jumpbox/bastion before I can run ansible: $ ssh -F ssh.config -fN user@jumpbox01 When I run the above, it asks for the password (or uses my SSH key), then SSH goes into the background and then the tunnel is established. I do all of my deployments this way by creating a Jenkins job that establishes the tunnel, runs ansible, then tears down the tunnel using something like: ssh -O exit -TS ~/.ssh/path-to-socket Some of the jumpboxes use dumb passwords, some of them use keys, and one of them requires an RSA token (2-factor auth). For the RSA machine, my Jenkins job presents the user with a form that has 2 fields: 2-Factor Username, and 2-Factor Passcode. The passcode is generated by an RSA token keyfob (or smartphone app). In order to make this work, I had to write a custom expect script because the SSH prompt for the RSA token reads Enter PASSCODE instead of Password which is what sshpass is hardcoded to look for. Here's my expect script to catch all the variations: #!/usr/bin/env expect set timeout 30 set userhost [lindex $argv 0] spawn ssh -fN -F ssh.config $userhost expect { Enter PASSCODE: { send $env(SSH_PASSWORD)\n send \n } Password: { send $env(SSH_PASSWORD)\n send \n } password: { send $env(SSH_PASSWORD)\n send \n } } sleep 5 I need the sleep 5 at the end of the script as a hack because the jumpbox with RSA token don't establish the control socket until a few seconds after the login happens. If my script exits too soon, then the tunnel won't get established. I'm not sure how to properly deal with this. Like I said, some of the machines that I run ansible on have hardcoded passwords and it works fine when ssh_user and ssh_pass is set as facts for your host. -- You received this message because you are subscribed to the Google Groups Ansible Project group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/efa85586-f1de-43f6-827e-8a9a3fdbf13e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Re: Steps for ssh forwarding?
About half of my machines are in Amazon/EC2. In order to solve the chicken/egg problem, I write out a user_data script which installs some SSH keys for me to the root user of the VM upon first boot. This allows me to run my initial bootstrap and get the machine joined to the domain, then I can optionally remove the root keys. This is all done with Ansible. On Saturday, February 14, 2015 at 11:10:11 AM UTC-5, Ananda Debnath wrote: Thanks for looking. There are too many current processes dependent on passwords that I'm migrating to Ansible - while converting to keys is partly underway, it won't be complete for a while. There's also a second bootstrapping problem. I'm using Ansible to run baremetal bringup scripts on xen hosts (doing double duty as the jumpbox/bastion host above) which in turn creates the VM's from an image. I cannot bake keys into the image and need to get them on there after they boot up. Hence - a chicken and egg problem. How would I get the keys onto the VMs? Xen hosts have numerous problems running Ansible scripts directly because they run an old version of Python - so I don't think I can call the authorized_key module on the host and have it inject them into the VMs. The action would need to be triggered outside in a machine/vm that supports Ansible - which in turn would need to tunnel into the VMs to do just this - hence chicken and egg. Ultimately, the key pairs would be created and injected into the images instead of the passwords we do today - but as I mention above, this won't be for a while. -- You received this message because you are subscribed to the Google Groups Ansible Project group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c580d759-2c50-48d9-8684-68f0a3743243%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Re: Steps for ssh forwarding?
I did manage to get it to work - but it's really ugly :/ I had to change the ProxyCommand directive in the ssh config for the wildcard section to: ProxyCommand sshpass -p 'reallybadpassword' ssh -A root@56.66.3.10 'nc -w 14400 %h %p' I guess Ansible has no way of overriding the ProxyCommand specified in the ssh_config file in order to use sshpass with the password specified in the inventory file? On Saturday, February 14, 2015 at 10:10:11 AM UTC-6, Ananda Debnath wrote: Thanks for looking. There are too many current processes dependent on passwords that I'm migrating to Ansible - while converting to keys is partly underway, it won't be complete for a while. There's also a second bootstrapping problem. I'm using Ansible to run baremetal bringup scripts on xen hosts (doing double duty as the jumpbox/bastion host above) which in turn creates the VM's from an image. I cannot bake keys into the image and need to get them on there after they boot up. Hence - a chicken and egg problem. How would I get the keys onto the VMs? Xen hosts have numerous problems running Ansible scripts directly because they run an old version of Python - so I don't think I can call the authorized_key module on the host and have it inject them into the VMs. The action would need to be triggered outside in a machine/vm that supports Ansible - which in turn would need to tunnel into the VMs to do just this - hence chicken and egg. Ultimately, the key pairs would be created and injected into the images instead of the passwords we do today - but as I mention above, this won't be for a while. On Friday, February 13, 2015 at 5:05:38 PM UTC-6, Michael Peters wrote: Not the answer you're looking for, but why don't you just use ssh keys? It's some minor work upfront with huge security and automation benefits easier. On Fri, Feb 13, 2015 at 3:51 PM, Ananda Debnath ananda@gmail.com wrote: Does anyone know of an example to do this using password authentication? My inventory file has ansible_ssh_user and ansible_ssh_pass values set and my ssh config file has password authentication set to yes. my.ssh.config Host 56.66.3.10 User king HostName 56.66.3.10 ProxyCommand none BatchMode yes PasswordAuthentication yes # Also tried ssh -aY ki...@56.66.3.10 'nc -w 14400 %h %p' Host * ServerAliveInterval60 TCPKeepAlive yes ProxyCommand ssh -AY ki...@56.66.3.10 'nc -w 14400 %h %p' ControlMaster auto ControlPath~/.ssh/mux-%r@%h:%p ControlPersist 15s PasswordAuthentication yes But this isn't helping. I have a test role that applies to 56.66.3.10 first and then other roles to the ones behind the bastion - redis-vm, etc. Neither the bastion nor the vms behind it will let me through with passwords. The ansible.cfg file looks like: [defaults] host_key_checking = False # Tried both with and without this transport=ssh [ssh_connection] ssh_args = -F my.ssh.config scp_if_ssh = True control_path = ~/.ssh/mux-%%r@%%h:%%p The tail of the bastion login failure reads: debug2: key: /home/adebnath/.ssh/id_rsa ((nil)), debug2: key: /home/adebnath/.ssh/id_dsa ((nil)), debug2: key: /home/adebnath/.ssh/id_ecdsa ((nil)), debug2: key: /home/adebnath/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred debug1: No more authentication methods to try. Permission denied (publickey,password). -- You received this message because you are subscribed to the Google Groups Ansible Project group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com. To post to this group, send email to ansible...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c776ec2d-c640-4e2e-bb50-ecbd24548673%40googlegroups.com. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Ansible Project group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/ab427b16-ae81-4ea7-8153-bc2ba6c67c64%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Re: Steps for ssh forwarding?
Thanks for looking. There are too many current processes dependent on passwords that I'm migrating to Ansible - while converting to keys is partly underway, it won't be complete for a while. There's also a second bootstrapping problem. I'm using Ansible to run baremetal bringup scripts on xen hosts (doing double duty as the jumpbox/bastion host above) which in turn creates the VM's from an image. I cannot bake keys into the image and need to get them on there after they boot up. Hence - a chicken and egg problem. How would I get the keys onto the VMs? Xen hosts have numerous problems running Ansible scripts directly because they run an old version of Python - so I don't think I can call the authorized_key module on the host and have it inject them into the VMs. The action would need to be triggered outside in a machine/vm that supports Ansible - which in turn would need to tunnel into the VMs to do just this - hence chicken and egg. Ultimately, the key pairs would be created and injected into the images instead of the passwords we do today - but as I mention above, this won't be for a while. On Friday, February 13, 2015 at 5:05:38 PM UTC-6, Michael Peters wrote: Not the answer you're looking for, but why don't you just use ssh keys? It's some minor work upfront with huge security and automation benefits easier. On Fri, Feb 13, 2015 at 3:51 PM, Ananda Debnath ananda@gmail.com javascript: wrote: Does anyone know of an example to do this using password authentication? My inventory file has ansible_ssh_user and ansible_ssh_pass values set and my ssh config file has password authentication set to yes. my.ssh.config Host 56.66.3.10 User king HostName 56.66.3.10 ProxyCommand none BatchMode yes PasswordAuthentication yes # Also tried ssh -aY ki...@56.66.3.10 javascript: 'nc -w 14400 %h %p' Host * ServerAliveInterval60 TCPKeepAlive yes ProxyCommand ssh -AY ki...@56.66.3.10 javascript: 'nc -w 14400 %h %p' ControlMaster auto ControlPath~/.ssh/mux-%r@%h:%p ControlPersist 15s PasswordAuthentication yes But this isn't helping. I have a test role that applies to 56.66.3.10 first and then other roles to the ones behind the bastion - redis-vm, etc. Neither the bastion nor the vms behind it will let me through with passwords. The ansible.cfg file looks like: [defaults] host_key_checking = False # Tried both with and without this transport=ssh [ssh_connection] ssh_args = -F my.ssh.config scp_if_ssh = True control_path = ~/.ssh/mux-%%r@%%h:%%p The tail of the bastion login failure reads: debug2: key: /home/adebnath/.ssh/id_rsa ((nil)), debug2: key: /home/adebnath/.ssh/id_dsa ((nil)), debug2: key: /home/adebnath/.ssh/id_ecdsa ((nil)), debug2: key: /home/adebnath/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred debug1: No more authentication methods to try. Permission denied (publickey,password). -- You received this message because you are subscribed to the Google Groups Ansible Project group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com javascript:. To post to this group, send email to ansible...@googlegroups.com javascript:. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c776ec2d-c640-4e2e-bb50-ecbd24548673%40googlegroups.com. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Ansible Project group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/9356797d-107c-4190-97f6-b61a1fb07f51%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [ansible-project] Re: Steps for ssh forwarding?
Not the answer you're looking for, but why don't you just use ssh keys? It's some minor work upfront with huge security and automation benefits easier. On Fri, Feb 13, 2015 at 3:51 PM, Ananda Debnath ananda.debn...@gmail.com wrote: Does anyone know of an example to do this using password authentication? My inventory file has ansible_ssh_user and ansible_ssh_pass values set and my ssh config file has password authentication set to yes. my.ssh.config Host 56.66.3.10 User king HostName 56.66.3.10 ProxyCommand none BatchMode yes PasswordAuthentication yes # Also tried ssh -aY king@56.66.3.10 'nc -w 14400 %h %p' Host * ServerAliveInterval60 TCPKeepAlive yes ProxyCommand ssh -AY king@56.66.3.10 'nc -w 14400 %h %p' ControlMaster auto ControlPath~/.ssh/mux-%r@%h:%p ControlPersist 15s PasswordAuthentication yes But this isn't helping. I have a test role that applies to 56.66.3.10 first and then other roles to the ones behind the bastion - redis-vm, etc. Neither the bastion nor the vms behind it will let me through with passwords. The ansible.cfg file looks like: [defaults] host_key_checking = False # Tried both with and without this transport=ssh [ssh_connection] ssh_args = -F my.ssh.config scp_if_ssh = True control_path = ~/.ssh/mux-%%r@%%h:%%p The tail of the bastion login failure reads: debug2: key: /home/adebnath/.ssh/id_rsa ((nil)), debug2: key: /home/adebnath/.ssh/id_dsa ((nil)), debug2: key: /home/adebnath/.ssh/id_ecdsa ((nil)), debug2: key: /home/adebnath/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,password debug3: start over, passed a different list publickey,password debug3: preferred debug1: No more authentication methods to try. Permission denied (publickey,password). -- You received this message because you are subscribed to the Google Groups Ansible Project group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/c776ec2d-c640-4e2e-bb50-ecbd24548673%40googlegroups.com. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups Ansible Project group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAJQqANe2GHbaNvnpmaS8m%3D5xX6WFehWQ4ndfohvexcWsNvaO-g%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.