jump through two bastion hosts?

erichymowitz · February 19, 2020, 8:06pm

So I’ve got a host that I need to jump through two bastion hosts to get to:

Ansible -----> bastion_1 -----> bastion_2 -----> target

I can use ansible to get to bastion_2 by setting up a hostvar:

ansible_ssh_common_args: -o “ProxyCommand=ssh -q -W %h:%p {{local_user_account}}@bastion_1”

…and that works correctly.

I tried setting up a similar hostvar for target:

ansible_ssh_common_args: -o “ProxyCommand=ssh -q -W %h:%p {{local_user_account}}@bastion_2”

…but that doesn’t work, because ansible is trying to ssh directly to bastion_2 and not caring about the hostvar set up to access bastion_2.

I have a workaround. I can set up an entry in my ~/.ssh/config file

Host bastion_2
ProxyCommand ssh -q -W %h:%p bastion_1

… and then ansible works, because ansible tells ssh to go through bastion_2, and ssh figures its own way there.

But is there a way to do this just within ansible, without using .ssh/config ?

–EbH

PS – my ssh is too old for the -J / ProxyJump option, which I think would solve my problem.

Kai_Stian_Olstad · February 21, 2020, 11:31pm

There is nothing stopping you from adding -o ProxyCommand in the ssh inside
the ProxyCommand.

So something like this might work

ansible_ssh_common_args: -o "ProxyCommand=ssh -o 'ProxyCommand=ssh -q -W %h:%p user@bastion_1' -q -W %h:%p user@bastion_2"

You may need to play around with the single and double quotes and escaping some of them.

Topic		Replies	Views
How to use jump/gateway hosts Ansible Project	12	1	October 5, 2013
Ansible provisioning through bastion SSH host Ansible Project aws	2	0	July 19, 2015
Configuring Ansible to run play books through a bastion host on aws/ec2 Ansible Project aws	27	0	December 26, 2014
SSHing through multiple bastions Ansible Project ubuntu	0	3	June 18, 2014
Ansible Jump thru Bastion host Ansible Project	2	1	March 12, 2017