Hi,
It’s not perse an Ansible specific question but it’s my primary use-case and I’m hoping there are other users who did the same.
For this example, let’s pretend I have 3 hosts, source, jumper and destination.
The source host is the host that runs ansible and this host can only get to destination via jumpaccount@jumper.
Destination allows users from source through a pubkey that is being offered via an ssh-agent which is forwarded through jumper.
So far so good, this all works fine. However, now I enable MFA (Google Authenticator) on the ‘jumpaccount’ which means that every user that is allowed on destination and goes via jumphost will have to fill in a token, this also works fine.
My problem now is that when I try to run Ansible it obviously also gets asked for an MFA token for every single host it tries to access. Ansible can be run by the aforementioned users but should when running ansible go via a different account (nomfajumper) on the ‘jumper’.
This can’t be configured in ~/.ssh/config since you would specify:
Host *.mydomain.com
ProxyCommand ssh jumpaccount@jumper -W %h:%p
Does anyone have an idea how I can achieve this?
To summarize:
- I want to use a jumphost that enforces MFA for logins
- These accounts should also be able to run Ansible, in that case without MFA. To achieve this, I would need to access a different ‘jump’ account on the jump host.
Ideas are welcome 
Thanks,
Nico.