We are forced to use the CyberArk PSM Proxy (PSMP), which describes itself as an "ssh proxy". As far as I know this is not a jump host / bastion host solution! I cannot access my target servers directly; the only open ssh port is that of the PSM Proxy. The proxy forwards to the target server and logs me in with a privileged user (instead of my own, which I only need to authenticate with the proxy).
I can't get Ansible to work through this PSMP and have therefore made several attempts. I read several blogs that describe how to use bastion / jump hosts with Ansible, but the PSM proxy obviously does not work this way.
I am able to trigger the execution of "uname -a" by using this command with direct ssh:
ssh myuser@nameofprivilegeduserontargetserver@targetserver.srv.domain@nameofsshproxy.srv.domain "uname -a"
My assumption is that Ansible basically does the same, given that I pass in the correct information.
When I present Ansible with a compliant hostname, it is also able to run the command successfully:
ansible -vvv all -i 'myuser@nameofprivilegeduserontargetserver@targetserver.srv.domain@nameofsshproxy.srv.domain,' -a "uname -a" -u myuser --ask-pass
But this creates the problem that all my inventory files would need to contain this strange syntax, and this messes up my hosts / groups concept (I need to be able to tell Ansible "do task x on server group webservers", targetserver.srv.domain being the first of my webservers).
An additional problem is that instead of "myuser" all my colleagues would need to run the same with "theiruser1", "theiruser2" and so on, and this would make the list of hosts grow considerably, listing servers multiple times, which is inefficient.
The -vvv output tells me this (extract):
Unable to parse address from hostname, leaving unchanged: Not a valid network hostname: myuser@nameofprivilegeduserontargetserver@targetserver.srv.domain@nameofsshproxy.srv.domain
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/commands/command.py
<myuser@nameofprivilegeduserontargetserver@targetserver.srv.domain@nameofsshproxy.srv.domain> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=myuser -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b5ad891d41 myuser@nameofprivilegeduserontargetserver@targetserver.srv.domain@nameofsshproxy.srv.domain '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /tmp/ansible-tmp-1548258807.51-5121098331994 `" && echo ansible-tmp-1548258807.51-5121098331994="` echo /tmp/ansible-tmp-1548258807.51-5121098331994 `" ) && sleep 0'"'"''
I had a look at the source of the ssh connection plugin (but I am certainly no Python guy) and of mitogen, but found no way to configure them so that Ansible uses the crude connection syntax I need. I even thought about telling Ansible to use a different ssh binary, but failed to come up with a concept of what this binary / bash script would need to do in order to be compatible with Ansible's demands.
(By the way: in a previous attempt I asked a comparable question on the OpenSSH mailing list and didn't get a definitive answer on how this can be solved by OpenSSH config file means: https://lists.gt.net/openssh/dev/70081)
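Added example (not part of the original post, and not CyberArk's or Ansible's own code): one way to keep clean host and group names in the inventory while still handing ssh the compound PSMP string is a dynamic inventory script that puts the compound string into `ansible_host` and leaves the inventory name untouched. The "Unable to parse address from hostname" warning in the posted output is about the inventory *name*; `ansible_host` is passed to ssh as given. The proxy user is read from the environment, so each colleague gets their own connection strings without the inventory listing every server once per person. Assumptions labelled in the code: the proxy accepts `<proxyuser>@<privileged user>@<target>@<proxy>` exactly as in the post, and the second webserver, the dbservers group and the `oracle` account are constructed sample data.

```python
#!/usr/bin/env python3
"""Dynamic inventory for Ansible behind a CyberArk PSMP "ssh proxy".

Usage:  ansible -i ./psmp_inventory.py webservers -a "uname -a" --ask-pass
        (make the script executable; Ansible calls it with --list / --host)

Assumed, not taken from the original post:
  * the proxy accepts  <proxyuser>@<privileged user>@<target>@<proxy>  as login
  * Ansible passes `ansible_host` to ssh unmodified (it does not validate it
    the way it validates inventory host names)
"""
import getpass
import json
import os
import sys

PSMP_PROXY = "nameofsshproxy.srv.domain"  # proxy host from the post

# Constructed sample data: group -> {target host: privileged account on target}.
# targetserver.srv.domain and its privileged account are from the post; the
# rest is made up for the example.
GROUPS = {
    "webservers": {
        "targetserver.srv.domain": "nameofprivilegeduserontargetserver",
        "web2.srv.domain": "nameofprivilegeduserontargetserver",
    },
    "dbservers": {
        "db1.srv.domain": "oracle",
    },
}


def valid_part(part):
    """A single component of the compound login: non-empty, no '@', no whitespace."""
    return bool(part) and "@" not in part and not any(c.isspace() for c in part)


def psmp_target(proxy_user, priv_user, target, proxy=PSMP_PROXY):
    """Build the compound login string the proxy expects (assumed format)."""
    for part in (proxy_user, priv_user, target, proxy):
        if not valid_part(part):
            raise ValueError("refusing to build PSMP login from %r" % (part,))
    return "%s@%s@%s@%s" % (proxy_user, priv_user, target, proxy)


def proxy_user():
    """Each colleague authenticates to the proxy as themselves; PSMP_USER overrides."""
    return os.environ.get("PSMP_USER") or os.environ.get("USER") or getpass.getuser()


def build_inventory(user):
    """Return the --list structure: clean names in groups, PSMP string in ansible_host."""
    inv = {"_meta": {"hostvars": {}}, "all": {"children": sorted(GROUPS)}}
    for group, hosts in GROUPS.items():
        inv[group] = {"hosts": sorted(hosts)}
        for target, priv_user in hosts.items():
            # ansible_user is deliberately left unset: the compound host string
            # carries the identity, and whether a command-line -o User= overrides
            # the user@ part of the host argument depends on the OpenSSH version.
            inv["_meta"]["hostvars"][target] = {
                "ansible_host": psmp_target(user, priv_user, target),
            }
    return inv


def main(argv):
    # Ansible calls --host <name> only when _meta is missing; everything is in _meta.
    if "--host" in argv:
        print(json.dumps({}))
    else:
        print(json.dumps(build_inventory(proxy_user()), indent=2))


if __name__ == "__main__":
    main(sys.argv[1:])
```

With this inventory, `ansible webservers -m ping` connects each host through the proxy while playbooks keep referring to `webservers` and `targetserver.srv.domain`. Two caveats from the posted debug output: it shows `StrictHostKeyChecking=no`, and since the proxy is the only endpoint anyone ever talks to, its host key is the one that authenticates the whole path, so leave `host_key_checking` enabled and pin the proxy's key in `known_hosts`; and `ControlPath` is derived from the compound host string, so each colleague's control sockets stay separate.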