
Use a templated sshconfig using SSH ProxyJump instead? #67

Open
zoobab opened this issue Nov 6, 2018 · 5 comments

Comments

@zoobab
Contributor

zoobab commented Nov 6, 2018

Hi,

I just made a simple sshconfig file from a template that uses the ProxyJump feature of SSH:

https://wiki.gentoo.org/wiki/SSH_jump_host

The hardcoded sshconfig file looks like this:

$ cat sshconfig
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    LogLevel QUIET

Host bastion
    Hostname 100.24.1.3
    User ec2-user
    IdentityFile /home/centos/.ssh/id_rsa
    ForwardAgent yes

Host master
    Hostname master.openshift.local
    ProxyJump bastion
    User ec2-user

Host node1
    Hostname node1.openshift.local
    ProxyJump bastion
    User ec2-user

Host node2
    Hostname node2.openshift.local
    ProxyJump bastion
    User ec2-user

To ssh to the master, bastion, node1, node2:

$ ssh -F sshconfig master
$ ssh -F sshconfig bastion
$ ssh -F sshconfig node1
$ ssh -F sshconfig node2

From what I can figure out, the "ForwardAgent yes" seems to do the job of automatically adding the key to the ssh-agent, which I found fragile right now.

The 2 items to template are the Hostname and the location of the SSH key.

What do you think?

Can I make a PR to template that dynamically and replace parts of the makefile?

@zoobab zoobab changed the title Use a templated sshconfig instead using the SSH ProxyJump feature instead? Use a templated sshconfig using SSH ProxyJump instead? Nov 6, 2018
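The templated sshconfig discussed above, as an added example that is not from the issue or from the terraform-aws-openshift project: a POSIX shell function renders the file from the one value the thread identifies as variable, the bastion public IP, and keeps host key verification on. The posted config sets `StrictHostKeyChecking no` with `UserKnownHostsFile=/dev/null`, so the client accepts whatever host key is presented by the bastion or by anything that answers on the jump path; the rendered config pins keys in a project-local file instead, which is seeded once (for instance with `ssh-keyscan`). The known_hosts path, the input check, the `write_sshconfig` helper and the single `Host master node1 node2` stanza (OpenSSH expands the `%h` token in `Hostname` to the alias given on the command line) are assumptions of this example, not the project's conventions. ProxyJump authenticates to the target end to end through the bastion, so `ForwardAgent yes` is not required for the jump itself; it is kept only because the thread relies on the agent for later runs from the bastion.

```shell
#!/bin/sh
# Added example, not from the issue or the terraform-aws-openshift project.
# Renders an sshconfig from the bastion public IP (the one templated value).
# Hostnames, user and key path are those shown in the issue; the known_hosts
# path, the %h stanza and the helper below are assumptions.

render_sshconfig() {
    bastion_ip="$1"
    # Accept digits and dots only, no leading/trailing/doubled dots: the value
    # normally comes from a Terraform output, and anything else (spaces,
    # newlines) could smuggle extra directives into the generated file.
    case "$bastion_ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    cat <<EOF
Host *
    # Host keys are pinned in a project-local file instead of being
    # discarded to /dev/null; seed it once with ssh-keyscan (assumed path).
    StrictHostKeyChecking yes
    UserKnownHostsFile ./known_hosts
    LogLevel QUIET

Host bastion
    Hostname $bastion_ip
    User ec2-user
    IdentityFile ~/.ssh/id_rsa
    # Not needed for ProxyJump itself; only for agent use on the bastion.
    ForwardAgent yes

# One stanza for all cluster nodes: OpenSSH expands %h in Hostname to the
# alias typed on the command line (master -> master.openshift.local).
Host master node1 node2
    Hostname %h.openshift.local
    ProxyJump bastion
    User ec2-user
EOF
}

# Write the rendered config to a file with mode 0600, since it names the key
# file and the bastion. Returns non-zero and writes nothing on a bad IP.
write_sshconfig() {
    out="$1"
    ip="$2"
    cfg=$(render_sshconfig "$ip") || return 1
    (umask 077; printf '%s\n' "$cfg" > "$out")
}

# Usage (BASTION_IP taken from the Terraform output, assumed name):
#   write_sshconfig ./sshconfig "$BASTION_IP" && ssh -F ./sshconfig master
```

Because the nodes share one `Host` stanza, adding a node means adding its alias to that line rather than copying a block, and the IP check makes the renderer refuse input that is not a plain dotted address instead of writing it into the file.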
@zoobab
Contributor Author

zoobab commented Nov 6, 2018

The IdentityFile can even be hardcoded to IdentityFile ~/.ssh/id_rsa, it works with the reference to HOME as ~.

So the only thing that needs to be templated is the bastion-public_ip.

@zoobab
Contributor Author

zoobab commented Nov 6, 2018

I would also investigate to run/rewrite the shell scripts as ansible roles, and use this feature:

https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-configure-a-jump-host-to-access-servers-that-i-have-no-direct-access-to

@dwmkerr
Owner

dwmkerr commented Nov 9, 2018

Hi @zoobab sounds great! If you want to go for it with a PR I'd love to take a look. I'd take a look myself but am slammed for the next couple of weeks.

@zoobab
Contributor Author

zoobab commented Nov 12, 2018

I will make a branch with my changes, but I have a problem running ansible as root on the bastion, as the key forwarding does not seem to work for the root user, even with sudo -E.

@zoobab
Contributor Author

zoobab commented Nov 22, 2018

I have made some notes here:

https://github.com/zoobab/terraform-aws-openshift/blob/master/sshjump.md

Will try to make a branch with a demo, but I need to find time as I am on the release-3.9 branch. I have to solve the sudo problem, probably by exporting the ssh-agent file between the ec2-user and root.
