9

In my current environment, I have all my Linux servers only accessible through a bastion host, which has MFA enabled.

I've managed to get Ansible to successfully talk to servers through the bastion, the only problem is that it establishes a new connection to the bastion for each host, meaning I have to enter as many MFA keys as I have servers. Bad times. :(

I've tried messing around with stuff like this in my ssh config to try to get multiplexing working:

Host bastion
  ControlMaster auto
  ControlPath ~/.ssh/ansible-%r@%h:%p
  ControlPersist 5m

Unfortunately it doesn't seem to do it. Anyone got some tips on how I can stop Ansible re-establishing its connection through my bastion host for every host it touches?

Thanks!

Paul Kirby
  • 191
  • 3
  • Probably already occurred to you, but... If your bastion host allows for regular login access rather than just packet forwarding, and your ansible config doesn't contain a huge volume of files, you could try just running your config directly from the bastion. – Parthian Shot Feb 29 '16 at 21:42
  • Not necessarily from the bastion host but it could be any host in the same environment. We have dedicated Ansible control hosts. This ensures users have no weird Ansible config or unsupported Ansible version running. Also this improves playbook speed by a lot. – udondan Mar 01 '16 at 04:00
  • (I don't know what MFA is) Have you enabled `ForwardAgent` in the ssh configuration of your workstation (not the bastion)? – Baptiste Mille-Mathias Aug 21 '16 at 18:05

1 Answer

1

I just stumbled over this blog post on running Ansible with a bastion host.

Apparently you need to add the bastion host to the control host's ssh_config:

Host 10.10.10.*
  ProxyCommand ssh -W %h:%p bastion.example.com
  IdentityFile ~/.ssh/private_key.pem

Host bastion.example.com
  Hostname bastion.example.com
  User ubuntu
  IdentityFile ~/.ssh/private_key.pem
  ControlMaster auto
  ControlPath ~/.ssh/ansible-%r@%h:%p
  ControlPersist 5m

Edit the ssh_args in ansible.cfg (control_path is its own key in the [ssh_connection] section, and a literal % has to be written as %% there):

[ssh_connection]
ssh_args = -F ./ssh.cfg -o ControlMaster=auto -o ControlPersist=30m
control_path = ~/.ssh/ansible-%%r@%%h:%%p

That should cover the bastion part of the configuration. For the MFA part, some user in this GitHub issue claims that it is possible to use an ssh session in Ansible that was opened outside of Ansible:

I open up the initial connection to the host which has 2FA, then in another window run something like:

ansible-playbook thing.yml --ssh-common-args='-o ControlPath=~/.ssh/connshare'

I don't have a bastion host setup at hand, but I think this strategy is worth a try.

Henrik Pingel
  • 8,676
  • 2
  • 24
  • 38
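The workflow the answer describes (one master connection to the bastion, answered with MFA a single time, then reused by every host Ansible touches) can be scripted so the socket and the ansible.cfg stay consistent. The following is an added example and is not code from the question, the answer, or the Ansible project; the host name, user, port and paths are constructed placeholders, and the SSH_CMD variable exists only so the functions can be exercised without a real bastion.

```shell
#!/bin/sh
# Added example: warm up a multiplexed SSH master to a bastion once, so the
# MFA prompt is answered a single time, and generate an ansible.cfg whose
# control_path matches the ControlPath used in ssh_config.
set -u

# Expand the ssh ControlPath tokens %r (remote user), %h (host) and %p (port)
# the way ssh does, so we know which socket file ssh_config will use.
control_socket() {
    # $1 = ControlPath template, $2 = user, $3 = host, $4 = port
    printf '%s\n' "$1" | sed -e "s/%r/$2/g" -e "s/%h/$3/g" -e "s/%p/$4/g"
}

# Write the [ssh_connection] section of ansible.cfg. Ansible parses the file
# with a ConfigParser, so a literal % must be doubled, and control_path is a
# separate key rather than part of ssh_args.
write_ansible_cfg() {
    # $1 = output file, $2 = path of the ssh config Ansible should use
    cat > "$1" <<EOF
[ssh_connection]
ssh_args = -F $2 -o ControlMaster=auto -o ControlPersist=30m
control_path = ~/.ssh/ansible-%%r@%%h:%%p
EOF
}

# Return 0 if a master for the bastion is already running; otherwise start one
# in the background (-f) with no remote command (-N) as a master (-M). This is
# the only place the MFA prompt appears: later ssh invocations, including the
# inner ssh of Ansible's ProxyCommand, attach to the existing socket.
warm_bastion() {
    # $1 = bastion host alias from ssh_config, $2 = user, $3 = port
    sock=$(control_socket "$HOME/.ssh/ansible-%r@%h:%p" "$2" "$1" "$3")
    if ${SSH_CMD:-ssh} -o ControlPath="$sock" -O check "$1" 2>/dev/null; then
        return 0
    fi
    ${SSH_CMD:-ssh} -o ControlMaster=auto -o ControlPath="$sock" \
        -o ControlPersist=30m -fNM "$1"
}

# Typical use (placeholders): ./warm.sh --run, then the playbook runs with
# every host's ProxyCommand reusing the one authenticated bastion session.
if [ "${1:-}" = "--run" ]; then
    write_ansible_cfg ./ansible.cfg "$HOME/.ssh/config"
    warm_bastion bastion.example.com ubuntu 22 || exit 1
    ansible-playbook thing.yml
fi
```

One caveat when using `-F ./ssh.cfg` in ssh_args: the `ssh -W %h:%p bastion.example.com` started by ProxyCommand is a fresh ssh process and reads ~/.ssh/config, not ./ssh.cfg, unless the ProxyCommand itself also passes `-F`. If the bastion's ControlMaster/ControlPath block lives only in the non-default file, the inner ssh will not find the socket and you are back to one MFA prompt per host, which is why the example hands the default config to write_ansible_cfg.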