Feature #14630

open

Apply rules defined in ssh config

Added by Enrico Bartz about 8 years ago. Updated about 8 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Smart Proxy - SSH
Target version:
-

Description

I have a huge number of hosts that I want to have enabled for remote execution, but my foreman server does not have access to all of them directly. I have different customer networks which are split, and I have jump hosts to them.

So I'm using different kinds of ssh keys for different servers and have some rules for proxy commands.

An example of my config could be like:

Host cus* wan*
  ProxyCommand ssh -A -t -W %h:%p
  User root
  IdentityFile ~/.ssh/id_cus

Host wao* mol*
  ProxyCommand ssh -A -t -W %h:%p
  User root
  IdentityFile ~/.ssh/id_wao

Would it be possible to have those rules applied for the ssh connection? And if not, what can I do besides bringing smart proxies to every jump server that I have? (Which is also not possible for me because I'm not able to get a fresh ruby on all those machines, and reinstalling is also not a solution for me.)

#1

Updated by Stephen Benjamin about 8 years ago

  • Category set to Smart Proxy - SSH

After we talked on IRC, I looked and it does look like the library we use (Net::SSH) supports it. It may actually be somewhat simple.

You could try to patch your smart proxy running on docker, it's a single line change.

There's a bit of code here that sets the SSH options:
https://github.com/theforeman/smart_proxy_remote_execution_ssh/blob/master/lib/smart_proxy_remote_execution_ssh/connector.rb#L135

If you insert this after line 136:
ssh_options[:config] = true

And restart the proxy, you can see if it works.

I think it should read the .ssh/config and apply your settings. Only a subset of options are supported, but ProxyCommand is one of them.

#2

Updated by Stephen Benjamin about 8 years ago

Actually, we do read the .ssh/config, it's turned on by default in Net::SSH. No code changes required, so ignore the comment above.

If you have one in place for the foreman-proxy user (in ~foreman-proxy/.ssh/config), then we'll use it. There are a few caveats. We don't connect to the host name until the last resort, we try the IP address foreman knows about. So, my .ssh/config looks like this:

Host 192.168.121.217
  ProxyCommand ssh root@192.168.121.1 nc %h %p

When the smart proxy tries to connect to 192.168.121.217, I can see it establishing the connection through netcat on 192.168.121.1 just fine.

The second issue I ran into was trying the commands you have there - the default security settings on my Fedora box don't seem to be allowing -W or something, it says "channel 0: open failed: administratively prohibited: open failed". Did you need to change some ssh security settings to allow proxy commands like that?
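The caveat in this comment (the proxy connects by IP, so a wildcard hostname block never matches) is easy to check with a small ssh_config resolver. The following is an added example, not code from the smart proxy or from net-ssh; the config string, host names and the jump host "jump-cus.example" are constructed.

```ruby
# Stand-alone resolver for ssh_config "Host" blocks (added example, not smart
# proxy or net-ssh code). It reproduces the two rules behind this thread:
# Host patterns are globs matched against the name the client is asked to
# connect to, and for each keyword the first matching value wins.

# Constructed config: the reporter's wildcard style plus the IP-based block
# from comment #2. "jump-cus.example" is a placeholder jump host.
SAMPLE_CONFIG = <<~CONF
  Host cus* wan*
    ProxyCommand ssh -A -t -W %h:%p jump-cus.example
    User root
    IdentityFile ~/.ssh/id_cus

  Host 192.168.121.217
    ProxyCommand ssh root@192.168.121.1 nc %h %p

  Host *
    User foreman-proxy
CONF

def parse_ssh_config(text)
  blocks = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    if key.casecmp?('host')
      blocks << { patterns: value.split, options: {} }
    elsif blocks.any?
      blocks.last[:options][key.downcase] ||= value
    end
  end
  blocks
end

# Options a config lookup yields for `host` (the string the proxy connects to,
# which is normally the IP foreman knows); %h and %p in ProxyCommand expanded.
def ssh_options_for(host, config_text, port = 22)
  opts = {}
  parse_ssh_config(config_text).each do |block|
    next unless block[:patterns].any? { |pat| File.fnmatch?(pat, host) }
    block[:options].each { |k, v| opts[k] ||= v } # earlier block wins
  end
  opts['proxycommand'] &&= opts['proxycommand'].gsub('%h', host).gsub('%p', port.to_s)
  opts
end
```

Resolving "cus-db01" picks up the wildcard block, while resolving a bare IP such as "10.0.0.5" yields no ProxyCommand at all, which is why the IP-keyed Host block is needed when the proxy dials by address.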
