Hello community!
We would like to use MFA for ssh and still be able to run ansible playbooks.
Please have a look at what we have planned to achieve that:
- We are planning to use a bastion host with pubkey+MFA ssh access and run playbooks for other machines via it (ansible_ssh_common_args with ProxyCommand).
- SSH multiplexing (ControlPersist) will be used to reuse the existing ssh session to the bastion host and not ask for the second factor multiple times when running playbooks for more than one host via the bastion.
- The bastion host will be whitelisted on the machines to bypass MFA, so two-factor authentication is needed only for the bastion host. SSH to the other hosts from the bastion will use only pubkey authentication.
- Here comes the problem: before running playbooks we need to establish an ssh session to the bastion host, because there must already be an ssh session open to be able to reuse it for multiple hosts in a play when fork>1 is set in ansible.cfg.
Of course there are several options we can use, like sshing to the bastion first and then running playbooks reusing the ssh session. Or we can run a playbook with a single host first to establish an ssh session to the bastion and reuse it within the allowed time interval. But these require additional unwanted steps.
So we are looking for a more elegant way to achieve what we want. Does anybody have any ideas? Or maybe somebody can share their own experience on using MFA with ansible?
I can provide more information about the configuration we are using if needed.
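One way to fold the "open the bastion session first" step into a single wrapper, added here as an example and not part of the original post: it checks for a live ControlMaster socket to the bastion, opens one (the single MFA prompt) if needed, and then runs ansible-playbook with a ProxyCommand that rides that socket. The host bastion.example.com, user ops, inventory.ini and passing ssh_common_args via the ANSIBLE_SSH_COMMON_ARGS environment variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Opens one multiplexed ssh master
# to the bastion (the single MFA prompt), then runs ansible-playbook with a
# ProxyCommand that reuses that socket. Host, user and inventory are assumed.
set -eu

BASTION_HOST="${BASTION_HOST:-bastion.example.com}"   # assumed name
BASTION_USER="${BASTION_USER:-ops}"                   # assumed user
CONTROL_DIR="${HOME}/.ssh/cm"
# Fixed socket name on purpose: a %r@%h:%p-style path would be re-expanded
# inside ProxyCommand and point at the target host instead of the bastion.
CONTROL_PATH="${CONTROL_DIR}/bastion"
PERSIST="${PERSIST:-10m}"                             # idle lifetime of the master

# ssh_common_args value for Ansible: the inner ssh to the bastion keeps the
# default ControlMaster=no, so with ControlPath set it attaches to the existing
# master and never triggers the second factor while the master is alive.
proxy_args() {
  printf -- "-o ProxyCommand='ssh -W %%h:%%p -o ControlPath=%s %s@%s'" \
    "$CONTROL_PATH" "$BASTION_USER" "$BASTION_HOST"
}

# Exit 0 if a master session to the bastion is already running.
master_alive() {
  ssh -O check -o ControlPath="$CONTROL_PATH" "${BASTION_USER}@${BASTION_HOST}" >/dev/null 2>&1
}

# Start the master in the background; pubkey + second factor are asked here, once.
# 0700 matters: anyone who can open the socket inherits the authenticated session.
open_master() {
  mkdir -p "$CONTROL_DIR" && chmod 700 "$CONTROL_DIR"
  ssh -fN -o ControlMaster=yes -o ControlPath="$CONTROL_PATH" \
      -o ControlPersist="$PERSIST" "${BASTION_USER}@${BASTION_HOST}"
}

# Usage: RUN_PLAYBOOK=1 ./mfa-play.sh site.yml [further ansible-playbook args]
run_play() {
  master_alive || open_master
  ANSIBLE_SSH_COMMON_ARGS="$(proxy_args)" ansible-playbook -i inventory.ini "$@"
}

if [ -n "${RUN_PLAYBOOK:-}" ]; then run_play "$@"; fi
```

The RUN_PLAYBOOK guard keeps the file source-able, so the same functions can be reused from other wrappers without opening a connection at load time.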