Ability for Bolt to use ControlPath sockets

Open gcoxmoz opened this issue 5 years ago • 7 comments

Possibly see-also #1252

Use Case

Many of our servers have Multifactor Authentication - to connect, you have to have the right public key, and also pass a keyboard-interactive challenge by inputting a TOTP code. This fails with Bolt (unsurprisingly) because there isn't really a chance to perform the TOTP dance.

Describe the Solution You Would Like

Most of us have robust ~/.ssh/config stanzas that include:

ControlPath ~/.ssh/CM_socket/%r@%h:%p
ControlPersist 30m
ControlMaster auto

That means we MFA into a server, and then have 30 minutes of unimpeded access. So we loop through the servers and type codes to establish access, then do loops that do the real work. Basically, I'd like Bolt to have/use/inherit the ControlPath / ControlMaster ssh config directives and thus shuttle its commands over an already-established ssh connection that I made before it.

A super-wishlist would be for bolt to help me do that initial setup:

# loop through the puppetmasters and establish a controlmaster setup:
bolt command run --targets puppetmasters --serially --interactive-login "date"
# ^ this would be the equivalent of `for i in host1 host2 ; do ssh $i date ; done`
# deliberately slow and serialized, and setting up the ControlPath sockets before maintenance
#
# now do the real work during the maintenance window
bolt command run --targets puppetmasters "yum upgrade puppetserver"

Describe Alternatives You've Considered

Disabling MFA is not acceptable, per our Security group. Our users usually have 3 ways of working: suffer with entering codes, use tmux/some windowing system to stay connected, or the ControlPath way, which is effectively "this is all we've found that works."

gcoxmoz avatar Oct 18 '19 05:10 gcoxmoz
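The pre-flight step the "super-wishlist" above describes, written as an added example (not code from this issue or from the Bolt project): it expands the issue's ControlPath template to the socket path for each target, asks ssh whether a master is already alive via `ssh -O check`, and only for hosts without one opens a master serially so the TOTP prompt is answered once per host. It assumes the `~/.ssh/config` stanza quoted above and that the real work is then driven over plain `ssh` loops, since Bolt's Net::SSH transport does not reuse these sockets.

```shell
#!/bin/sh
# Added example, not part of the Bolt issue or project. Assumes the
# ControlMaster/ControlPersist/ControlPath stanza from the issue is in
# ~/.ssh/config, so that "ssh host" reuses an established socket.

CONTROL_PATH_TEMPLATE='~/.ssh/CM_socket/%r@%h:%p'   # the issue's template

# Expand the ssh(5) tokens the issue's template uses: %r (remote user),
# %h (host), %p (port) and a leading "~" for $HOME. Values containing
# '|', '&' or '\' are not handled (they never appear in hostnames/users).
expand_control_path() {
  tmpl=$1; user=$2; host=$3; port=$4
  case $tmpl in "~/"*) tmpl="$HOME/${tmpl#"~/"}" ;; esac
  printf '%s\n' "$tmpl" | sed -e "s|%r|$user|g" -e "s|%h|$host|g" -e "s|%p|$port|g"
}

# Exit 0 when a master is alive for the host. "-O check" only talks to the
# control socket and never opens a session, so it cannot trigger an MFA prompt.
master_alive() {
  ssh -O check "$1" >/dev/null 2>&1
}

# Serially open a master for every host that lacks one. The keyboard-
# interactive TOTP prompt happens here, one host at a time: -M forces master
# mode, -N runs no remote command, -f backgrounds ssh after authentication.
# Returns the number of hosts that could not be set up.
ensure_masters() {
  failed=0
  for h in "$@"; do
    if master_alive "$h"; then
      echo "ok     $h"
    else
      echo "login  $h"
      ssh -fNM "$h" || failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Run one command over the established sockets, the "real work" loop from the
# issue (equivalent to: for i in host1 host2; do ssh $i "$cmd"; done).
run_over_masters() {
  cmd=$1; shift
  for h in "$@"; do
    echo "== $h"; ssh "$h" "$cmd"
  done
}

# Usage: ./cm-preflight.sh "yum upgrade puppetserver" host1 host2 ...
if [ "$#" -gt 1 ]; then
  cmd=$1; shift
  ensure_masters "$@" && run_over_masters "$cmd" "$@"
fi
```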

Bolt, currently, uses Ruby's Net::SSH implementation for SSH connections. It appears that's been a feature request of that library for a while: https://github.com/net-ssh/net-ssh/issues/443

Maybe if Bolt was able to use the control node's native SSH client then this would be possible.

nmaludy avatar Oct 18 '19 22:10 nmaludy

This issue has not had activity for 60 days and will be marked as stale. If this issue continues to have no activity for 7 days, it will be closed.

github-actions[bot] avatar Jul 29 '22 01:07 github-actions[bot]

"I can do this all day."

gcoxmoz avatar Jul 29 '22 03:07 gcoxmoz

This issue has not had activity for 60 days and will be marked as stale. If this issue continues to have no activity for 7 days, it will be closed.

github-actions[bot] avatar Sep 28 '22 00:09 github-actions[bot]

Bad bot.

gcoxmoz avatar Sep 28 '22 00:09 gcoxmoz

This issue has not had activity for 60 days and will be marked as stale. If this issue continues to have no activity for 7 days, it will be closed.

github-actions[bot] avatar Nov 29 '22 00:11 github-actions[bot]

Bad bot bad bot, whatchoo gonna do, whatchoo gonna do when they PR you

gcoxmoz avatar Nov 29 '22 00:11 gcoxmoz