Hey Everyone,
I’ve been having difficulty getting my ansible playbooks to route through a bastion host (without ssh keys). For testing I have a cisco virl (virtual internet routing lab) simulation up and running with virtualized network devices, and the bastion host should be the server that is running the simulations.
I can confirm that, after defining an ssh.cfg file, I can ssh into the virtualized network device via the command “ssh -F ssh.cfg xxx.xxx.1.xxx -v” just fine, and first input the password for the bastion host and then input the password to the cisco virtualized device. But each time I try and run the playbook I get either a timeout or “ssh protocol banner cant be read”. How can I confirm ansible is trying to connect to the bastion host first? I never see that in the terminal stdout, even with -vvvvvv it never shows it connecting to the bastion host but just to the device defined in hosts.virl.
Command to run playbook: ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook playbook.yml -i hosts.virl -k -vvvvvv
Below are my files (playbook, host, ansible.cfg and ssh.cfg + groupvars/all.yml and groupvars/ios.yml).
playbook.yml
Hi @Emil Safonov
Did you resolve the issue?
If yes, can you please help me here? I am also facing the same issue.
Thanks,
D.Venu.
Hey Venu,
I was able to resolve the issue using a linux module called sshpass. I’ll show below:
hosts.through_bastion
```ini
[ios]
10...1
10...2

[ios:vars]
ansible_user=
ansible_password=
ansible_become_pass=
ansible_network_os=ios
network_os=ios
# Outer single quotes, inner double quotes: the ProxyCommand value must stay one argument
ansible_ssh_common_args='-o ProxyCommand="sshpass -p <password_to_bastion> ssh -q -W %h:%p <bastion_username>@<bastion_ip_or_dns>"'
```
So what's happening here is we are using ansible_ssh_common_args="the above string". That means ansible will take that above string and instead of performing "ssh username@hostname" it will perform "sshpass -p etc." as its ssh command.
The sshpass module allows you to input a password that will act on the bastion host, then proxy all commands through that instead of just using ssh. This is the only way I could get it to authenticate WITHOUT an ssh key. One problem you might see is exposing your usernames/passwords in these files, however what you can do is use ansible vault to save credentials within your group_vars/all.yml file, set them to a variable and then use those vaulted credentials during playbook execution.
Hope this helps!
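The vaulted variant of the above, as an added example rather than files from this thread: the ProxyCommand is templated from group_vars so the bastion password never sits in the inventory. The split into vars.yml/vault.yml under group_vars/ios/, the vault_* variable names and the sample bastion values are assumptions.

```yaml
# group_vars/ios/vars.yml  (added example; not from the original post)
# Plain settings live here and point at vaulted variables for every secret.
ansible_user: "{{ vault_ios_user }}"
ansible_password: "{{ vault_ios_password }}"
ansible_become_pass: "{{ vault_ios_enable_password }}"
ansible_network_os: ios

bastion_user: jumpadmin              # constructed sample value
bastion_host: bastion.example.net    # constructed sample value

# Same sshpass ProxyCommand as in the inventory, but the bastion password
# comes from the vault. A folded scalar (>-) keeps the inner double quotes
# intact, so ssh receives the whole ProxyCommand as one argument.
ansible_ssh_common_args: >-
  -o ProxyCommand="sshpass -p {{ vault_bastion_password }}
  ssh -q -W %h:%p {{ bastion_user }}@{{ bastion_host }}"

# ---------------------------------------------------------------
# group_vars/ios/vault.yml  (encrypted at rest; all values constructed)
# Create it with:   ansible-vault create group_vars/ios/vault.yml
# Run with:         ansible-playbook playbook.yml -i hosts.through_bastion --ask-vault-pass
vault_ios_user: cisco
vault_ios_password: <device_password>
vault_ios_enable_password: <enable_password>
vault_bastion_password: <password_to_bastion>
```

Vault only protects the password at rest: while a connection is open, `sshpass -p` still exposes it in the control node's process list, so restrict who can log in to the control node.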