
Unable to connect via ssh jump host (NixOps 2.0.0)

Open sweber83 opened this issue 4 years ago • 2 comments

We are currently building a system that requires the use of a jump host to connect to the different machines. We set up deployment.sshOptions to connect via the jump host using the -J option, like this:

deployment.sshOptions = [
  "-J JUMP_HOST_IP"
];

When trying to deploy to target-host using this configuration, we get the following error:

target-host> Only a single -J option is permitted (use commas to separate multiple jump hops)
target-host> could not connect to ‘root@TARGET_HOST_IP’, retrying in 1 seconds...

The message "Only a single -J option is permitted" implies that the option is passed multiple times, which either means a) nixops adds another -J option or b) nixops duplicates each option passed via deployment.sshOptions. I could not find a way for nixops to print out the SSH command line, so I'm kinda stuck here.

For now we'll configure the jump host via the user's SSH config.

Any help is appreciated!

sweber83 Nov 01 '21 10:11

Do you have ProxyJump in your ssh config?

Which plugin or targetEnv do you use?

To be sure, you could put a one-off ssh wrapper in PATH to print out the command line, something like

#!/bin/sh
echo "ssh" "$@" >&2
exec /nix/store/....../bin/ssh "$@"

roberth Nov 24 '21 11:11

@roberth Thanks for having a look at this!

We don't use any plugin or targetEnv.

The trick with the ssh wrapper was really helpful. Here is the command line that nixops produced when I tried to deploy (public IP address redacted):

ssh -x [email protected] -S /run/user/1000/nixops-ssh-tmptnlmx_tv/master-socket -M -N -f -oNumberOfPasswordPrompts=3 -oServerAliveInterval=60 -oControlPersist=600 -C -J JUMP_HOST_IP -p 22 -o StrictHostKeyChecking=accept-new -i /run/user/1000/nixops-tmphz_a1ldb/id_nixops-applicationserver-primary -J JUMP_HOST_IP -p 22 -o StrictHostKeyChecking=accept-new -i /run/user/1000/nixops-tmphz_a1ldb/id_nixops-applicationserver-primary

So nixops somehow duplicated this part:

-J JUMP_HOST_IP -p 22 -o StrictHostKeyChecking=accept-new -i /run/user/1000/nixops-tmphz_a1ldb/id_nixops-applicationserver-primary

Edit: No ProxyJump directives in the ssh config.

sweber83 Nov 24 '21 17:11
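
An added example, not part of the thread and not NixOps code: helpers that a one-off ssh wrapper like the one suggested above could use to log argument boundaries, count -J options, and measure a duplicated run of trailing arguments such as the one found here. The function names and the /tmp/id_example path are hypothetical, and the sample argument list is constructed.

```shell
# Added example, not from the thread. Helpers for a one-off ssh wrapper.

# Log one argument per line; unlike `echo "ssh" "$@"`, this keeps argument
# boundaries visible ("-J host" as one word vs. "-J" "host" as two).
log_argv() {
    i=0
    for arg in "$@"; do
        i=$((i + 1))
        printf 'argv[%d]=<%s>\n' "$i" "$arg" >&2
    done
}

# Count -J occurrences ("-J host", "-Jhost", or "-J host" passed as one word).
# Simplification: does not track which other options consume a value.
count_jump_options() {
    n=0
    for arg in "$@"; do
        case "$arg" in -J*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

# Length of the longest run of arguments at the end of the list that is an
# exact repeat of the run immediately before it (0 if there is none).
repeated_tail_len() {
    total=$#
    k=$((total / 2))
    while [ "$k" -gt 0 ]; do
        j=0
        same=1
        while [ "$j" -lt "$k" ]; do
            eval "a=\${$((total - j))}; b=\${$((total - k - j))}"
            if [ "$a" != "$b" ]; then same=0; break; fi
            j=$((j + 1))
        done
        if [ "$same" -eq 1 ]; then break; fi
        k=$((k - 1))
    done
    echo "$k"
}

# Constructed sample modelled on the command line above (placeholders only).
set -- -x root@TARGET_HOST_IP -M -N -f -C \
    -J JUMP_HOST_IP -p 22 -i /tmp/id_example \
    -J JUMP_HOST_IP -p 22 -i /tmp/id_example
log_argv "$@"
echo "-J count: $(count_jump_options "$@"), repeated tail: $(repeated_tail_len "$@") args" >&2
```

In a wrapper, calling log_argv "$@" before the exec line takes the place of the echo, and a non-zero repeated_tail_len points at option lists being appended twice.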

@roberth I'll close this for now, as of 2.0.0-pre-7220cbd I can't reproduce the issue.

sweber83 Sep 26 '22 15:09