Ansible, SSH jump hosts and multiple private keys

Today I ran into a situation where I was using a bastion to access instances in a private OpenStack tenancy. I wanted to use Ansible to manage these hosts, but I also wanted to do the development work on my laptop, rather than the bastion.

The problem I had was this: I wanted Ansible to use my private key on my laptop (host A) to access the jump host (host B), but then I wanted to use a private key of a user on the jump host to access the target.

The solution came from this Github post: https://serverfault.com/questions/337274/ssh-from-a-through-b-to-c-using-private-key-on-b

There are two pre-requisites for the jump host:

  1. The nmap-ncat package must be installed.
  2. The AllowAgentForwarding option in /etc/ssh/sshd_config must be “Yes”

Once I had nc installed on host B, I then set the following variable in my group_vars for the hosts I wanted to manage:

ansible_ssh_common_args: '-o ProxyCommand="ssh -o ''ForwardAgent yes'' centos@192.168.0.97 ''ssh-add && nc %h %p''"'

(For more information about jump hosts and Ansible, see the FAQ).

This setup performs the following steps:

  1. Exposes the SSH agent running on host A (my laptop) to host B through the ForwardAgent yes option. The SSH agent is responsible for keeping your private keyfile in memory so you don’t need to enter your password all the time.
  2. We execute ssh-add on host B which adds the private keys for the centos user on host B to the forwarded SSH agent. At this time the keys for the centos user on host B are now available on my laptop in my SSH agent.
  3. nc then establishes a connection to SSH on the target (host C), and the SSH client on my laptop can now negotiate the final connection as the key from host B is available in the agent.

We now have a connection to host C, and:

[agoossen@agoossen cf-ansible]$ ansible -i hosts/cloudforms all -m ping -f 1
10.0.0.19.nip.io | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}
10.0.0.16.nip.io | SUCCESS => {
    "changed": false, 
    "ping": "pong"
}

Presto!

 

Leave a Reply

Your email address will not be published. Required fields are marked *