Unsupported feature - ansible through a Jump Server

Hi,

I have opened a topic in the ansible project group in order to see if is it possible to get my objective using ansible.

The diagram is the following:

MyComputer (executes ansible) → SSH user1/password1 connection (not passwordless key) → Jump Server → SSH user2/password2 connection (not passwordless key) → Destination host.

For me it is mandatory that all connections be established with username/password, because what I’m trying to do is automatize the ssh-key sharing between all hosts, and to perform that I need to send the keys (using the copy module).

Is there any way/trick to execute ssh on a second machine after a jump server and copy/retrieve files from there?

Is it a use case you have considered?

Thanks a lot.

Hi Oscar,

This is not ansible-specific, but I believe that you can achieve what you want using SSH connection sharing and proxies.

I haven’t tested this exact scenario but use something quite similar with key authentication via a jump-server. In short:

  1. in your inventory configure your destination host to be proxied via the jump server.
  2. in your ssh_config, configure connection sharing for the jump server so it will re-use an existing connection
  3. connect to the jump server using ssh, login with your password
  4. run ansible, it will use the shared connection to the jump server

1) in your inventory configure your destination host to be proxied via the jump server.

In your inventory for your destination host(s) (or group) set ansible_ssh_common_args [1] to set ProxyCommand [2], e.g.

ansible_ssh_common_args="-o ProxyCommand='ssh -W %h:%p jump-server'"

This means that when ansible makes an ssh connection to your destination host it will add this to the SSH command line, instructing ssh to first connect to your jump-server and send the traffic via the jump-server.

I believe you can also set the password for your destination server in the inventory by setting ansible_ssh_pass, e.g.

ansible_ssh_pass=myPassword

Note the warning from [1] that you really should use vaults for storing the password.

2) in your ssh_config, configure connection sharing for the jump server so it will re-use an existing connection

In your ~/.ssh/config file add the following host block for your jump-server to enable connection reuse:

host jump-server
ControlMaster auto
ControlPath ~/.ssh/ssh_mux_%h_%p_%r

See [3] for more details on this, but basically it means that SSH will only make one connection to the jump server and multiplex all your ssh connections down this one physical connection without requiring re-authentication.

3) connect to the jump server using ssh, login with your password

From a terminal, ssh directly to the jump server and log in with your username & password. Run a command like top just so the connection remains active:

ssh jump-server top

This is just to establish the shared connection so you can authenticate interactively. Keeping this connection open means that ansible does not have to authenticate when connecting via the jump server.

4) run ansible, it will use the shared connection to the jump server

Run ansible as normal; whenever it goes to connect to your destination server, SSH will actually proxy via the jump-server using the shared connection.

[3] https://en.m.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
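As an added example, not code from the thread: a script that ties the four steps above together, assuming the alias jump-server, the jump host address jump.example.net, the destination 192.0.2.10 and the users user1/user2 from the question. It also adds ControlPersist, which the steps above do not mention, and shows how to verify the master connection with ssh -O check.

```shell
#!/bin/sh
# Added example (not from the thread): the two config pieces the reply describes,
# plus opening and checking the shared master connection. Assumed names:
# alias jump-server, jump.example.net, 192.0.2.10, user1, user2.
set -eu

# Step 2: ssh_config block for the jump server. ControlPersist is not in the
# reply; it keeps the master alive after the interactive login exits, so the
# 'ssh jump-server top' session does not have to stay open.
write_ssh_config() {   # $1 = ssh_config to append to (normally ~/.ssh/config)
  cat >> "$1" <<'EOF'
Host jump-server
    HostName jump.example.net
    User user1
    ControlMaster auto
    ControlPath ~/.ssh/ssh_mux_%h_%p_%r
    ControlPersist 10m
EOF
}

# Step 1: INI inventory with the destination proxied through the alias above.
# ansible_ssh_pass needs the sshpass binary on the control node; keep the value
# in an ansible-vault file rather than in this inventory.
write_inventory() {    # $1 = inventory file to write
  cat > "$1" <<'EOF'
[destination]
dest-host ansible_host=192.0.2.10 ansible_user=user2

[destination:vars]
ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q jump-server"'
EOF
}

# Step 3: log in to the jump server once with the password. -M forces master
# mode, -N runs no remote command, -f backgrounds ssh after authentication.
open_master()  { ssh -F "$1" -fNM jump-server; }
# Verify the master ("Master running (pid=...)") or shut it down.
check_master() { ssh -F "$1" -O check jump-server; }
close_master() { ssh -F "$1" -O exit jump-server; }

# Step 4: with the master up, the ProxyCommand hop needs no login, so the only
# password prompt left is the destination's, which sshpass can answer.
run_ansible()  { ansible -i "$1" destination -m ping; }

case "${1:-}" in
  setup) write_ssh_config "$HOME/.ssh/config"; write_inventory ./inventory.ini
         open_master "$HOME/.ssh/config"; check_master "$HOME/.ssh/config"
         run_ansible ./inventory.ini ;;
esac
```

Run it as `sh setup.sh setup` once the assumed names are replaced with yours; close_master tears the shared connection down when you are done.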

Try this
http://docs.ansible.com/ansible/latest/faq.html#how-do-i-configure-a-jump-host-to-access-servers-that-i-have-no-direct-access-to