
Use a templated sshconfig using SSH ProxyJump instead?

Open zoobab opened this issue 6 years ago • 5 comments

Hi,

I just made a simple sshconfig file from a template which uses the ProxyJump feature of SSH:

https://wiki.gentoo.org/wiki/SSH_jump_host

The hardcoded sshconfig file looks like this:

$ cat sshconfig
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    LogLevel QUIET

Host bastion
    Hostname 100.24.1.3
    User ec2-user
    IdentityFile /home/centos/.ssh/id_rsa
    ForwardAgent yes

Host master
    Hostname master.openshift.local
    ProxyJump bastion
    User ec2-user

Host node1
    Hostname node1.openshift.local
    ProxyJump bastion
    User ec2-user

Host node2
    Hostname node2.openshift.local
    ProxyJump bastion
    User ec2-user

To ssh to the master, bastion, node1, node2:

$ ssh -F sshconfig master
$ ssh -F sshconfig bastion
$ ssh -F sshconfig node1
$ ssh -F sshconfig node2

As far as I can figure out, the "ForwardAgent yes" seems to do the job of adding the key automatically to the ssh-agent, which I find fragile right now.

The 2 items to template are the Hostname and the location of the SSH key.

What do you think?

Can I make a PR to template that dynamically and replace parts of the makefile?

zoobab avatar Nov 06 '18 15:11 zoobab

The IdentityFile can even be hardcoded to IdentityFile ~/.ssh/id_rsa, it works with the reference to HOME as ~.

So the only thing that needs to be templated is the bastion-public_ip.

zoobab avatar Nov 06 '18 15:11 zoobab
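The templating described in the opening post and the follow-up above, as an added example that is not part of this issue or of terraform-aws-openshift: a small POSIX shell function that renders the sshconfig from the bastion public IP and the identity file. The IP 203.0.113.10 is a constructed placeholder, and the optional third argument is an assumption of this example: when a dedicated known_hosts path is given, the rendered config keeps host key verification (`StrictHostKeyChecking accept-new`, OpenSSH 7.6+) instead of disabling it as the hardcoded file does.

```shell
#!/bin/sh
# Added example, not code from terraform-aws-openshift.
# Renders the sshconfig from the issue with the two templated values
# (bastion public IP, identity file). A third, optional, known_hosts path
# is an assumption of this example: with it, host keys are pinned after
# first contact rather than ignored via UserKnownHostsFile=/dev/null.

render_sshconfig() {
    bastion_ip="$1"
    identity_file="$2"
    known_hosts="${3:-/dev/null}"
    if [ "$known_hosts" = /dev/null ]; then
        strict="no"            # the behaviour of the hardcoded file
    else
        strict="accept-new"    # learn keys once, refuse later changes
    fi
    cat <<EOF
Host *
    StrictHostKeyChecking $strict
    UserKnownHostsFile=$known_hosts
    LogLevel QUIET

Host bastion
    Hostname $bastion_ip
    User ec2-user
    IdentityFile $identity_file
    ForwardAgent yes
EOF
    # The OpenShift hosts are fixed names; only the jump host changes.
    for h in master node1 node2; do
        printf '\nHost %s\n    Hostname %s.openshift.local\n    ProxyJump bastion\n    User ec2-user\n' "$h" "$h"
    done
}

# Usage (constructed placeholder IP):
#   render_sshconfig 203.0.113.10 ~/.ssh/id_rsa ./known_hosts > sshconfig
```

`ssh -G -F sshconfig node1` prints the resolved options for a host and is a quick way to check what the rendered file actually applies.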

I would also investigate running/rewriting the shell scripts as Ansible roles, and using this feature:

https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-configure-a-jump-host-to-access-servers-that-i-have-no-direct-access-to

zoobab avatar Nov 06 '18 16:11 zoobab

Hi @zoobab sounds great! If you want to go for it with a PR I'd love to take a look. I'd take a look myself but am slammed for the next couple of weeks.

dwmkerr avatar Nov 09 '18 12:11 dwmkerr

I will make a branch with my changes, but I have a problem running Ansible as root on the bastion, as the key forwarding does not seem to work for the root user, even with sudo -E.

zoobab avatar Nov 12 '18 10:11 zoobab

I have made some notes here:

https://github.com/zoobab/terraform-aws-openshift/blob/master/sshjump.md

Will try to make a branch with a demo, but I need to find time as I am on the release-3.9 branch. I have to solve the sudo problem, probably by exporting the ssh-agent file between the ec2-user and root.

zoobab avatar Nov 22 '18 14:11 zoobab