E.g. in the inventory, create ssh-config.yml with:
ansible_ssh_common_args: "-o ProxyCommand='ssh -W %h:%p {{ AWS_IAM_ID }}@hostname' -o ControlMaster=auto -o ControlPersist=30m -o StrictHostKeyChecking=no"
ssh expands %h and %p in the ProxyCommand to the destination host and port, so the inner ssh opens a forwarded connection through the bastion to the real target. Note that StrictHostKeyChecking=no turns off host-key verification for the hop, which is convenient in a lab but removes the check that would catch a substituted bastion.
Then make sure both private keys (bastion and destination) are loaded into the agent via ssh-add, e.g. ssh-add ~/.ssh/id_rsa etc. (ssh-add -l lists what is currently loaded).
Debugging
1. use ansible -vvvv to get the ssh output, including the exact ssh command Ansible runs
2. run that ssh command by hand
3. I was getting:
ec2-user@<ip>: Permission denied (publickey).
4. ssh to the bastion and check you can reach the destination host from there
5. on the bastion, check the sshd logs:
tail -f /var/log/auth.log
which revealed nothing useful, only:
Oct 24 13:22:27 0 systemd-logind[1268]: New session 61400 of user snowcrash.
Oct 24 13:22:28 0 sshd[23318]: Received disconnect from <my ip> port 61226:11: disconnected by user
i.e. the first line shows the successful ssh login to the jumpbox, and the second shows the disconnect. Reason code 11 is SSH_DISCONNECT_BY_APPLICATION (RFC 4253): the client end closed the connection cleanly, which is why the bastion's sshd reports no error of its own.
Note: setting sshd logging to verbose did not help, e.g.
Oct 24 13:36:19 0 systemd-logind[1268]: New session 61405 of user snowcrash.
Oct 24 13:36:19 0 sshd[9788]: User child is on pid 9949
Oct 24 13:36:19 0 sshd[9949]: Received disconnect from <my ip> port 61404:11: disconnected by user
6. checking the destination box
Note this had a different sshd log, at:
/var/log/secure
A successful connection (i.e. directly from the bastion host) would show:
Accepted publickey for ec2-user
but via the proxy command I'd get:
Connection closed by <bastion> [preauth]
The [preauth] tag marks sshd's pre-authentication phase: the connection (arriving from the bastion, since that is where the -W hop originates) was closed before authentication succeeded, which is why there is no Accepted publickey line.
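To make the steps above repeatable, here is an added example (not code from the original post) that reconstructs the hand-run ssh command from the ansible_ssh_common_args value, flags the disabled host-key check, and correlates the bastion and destination sshd lines into one verdict. The log lines, the 203.0.113.7 (workstation) and 10.0.0.5 (bastion) addresses, the dest hostname and the jumpuser@bastion.example login are constructed placeholders standing in for the post's <my ip>, <bastion> and {{ AWS_IAM_ID }}@hostname.

```python
"""Triage helpers for an Ansible-through-a-bastion SSH failure (added example)."""
import re
import shlex

# Inventory value from the post, with the Jinja placeholder replaced by an assumed login.
COMMON_ARGS = ("-o ProxyCommand='ssh -W %h:%p jumpuser@bastion.example' "
               "-o ControlMaster=auto -o ControlPersist=30m -o StrictHostKeyChecking=no")

# Constructed copies of the bastion (/var/log/auth.log) and destination
# (/var/log/secure) lines; IPs and the "dest" hostname are placeholders.
BASTION_AUTH_LOG = """\
Oct 24 13:22:27 0 systemd-logind[1268]: New session 61400 of user snowcrash.
Oct 24 13:22:28 0 sshd[23318]: Received disconnect from 203.0.113.7 port 61226:11: disconnected by user
"""
DEST_SECURE_LOG = """\
Oct 24 13:22:28 dest sshd[4242]: Connection closed by 10.0.0.5 port 51234 [preauth]
"""

# SSH_MSG_DISCONNECT reason codes, RFC 4253 section 11.1.
DISCONNECT_REASONS = {
    1: "HOST_NOT_ALLOWED_TO_CONNECT", 2: "PROTOCOL_ERROR", 3: "KEY_EXCHANGE_FAILED",
    4: "RESERVED", 5: "MAC_ERROR", 6: "COMPRESSION_ERROR", 7: "SERVICE_NOT_AVAILABLE",
    8: "PROTOCOL_VERSION_NOT_SUPPORTED", 9: "HOST_KEY_NOT_VERIFIABLE", 10: "CONNECTION_LOST",
    11: "BY_APPLICATION", 12: "TOO_MANY_CONNECTIONS", 13: "AUTH_CANCELLED_BY_USER",
    14: "NO_MORE_AUTH_METHODS_AVAILABLE", 15: "ILLEGAL_USER_NAME",
}

SESSION_RE = re.compile(r"New session (?P<sid>\d+) of user (?P<user>[^\s.]+)")
DISCONNECT_RE = re.compile(r"Received disconnect from (?P<peer>\S+) port \d+:(?P<code>\d+):\s*(?P<msg>.*)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+)")
# Newer sshd writes "Connection closed by authenticating user X <ip> port N [preauth]".
PREAUTH_CLOSE_RE = re.compile(r"Connection closed by (?:authenticating user \S+ )?(?P<peer>\S+).*\[preauth\]")


def manual_ssh_command(common_args, user, host, port=22):
    """argv for the hand-run equivalent of Ansible's ssh call (step 2), with the
    ProxyCommand's %h/%p expanded as ssh would, so the -W hop's target is visible."""
    argv = ["ssh", "-vvv"]
    for tok in shlex.split(common_args):
        argv.append(tok.replace("%h", host).replace("%p", str(port)))
    argv.append(f"{user}@{host}")
    return argv


def host_key_checking_disabled(common_args):
    """True when the args switch off host-key verification for the hop."""
    return any(tok.lower() == "stricthostkeychecking=no" for tok in shlex.split(common_args))


def verdict(r):
    if r["dest_accepted"]:
        return "destination accepted the key: the ssh hops work"
    if r["bastion_sessions"] and r["dest_preauth_closed"]:
        return ("bastion login ok, destination closed pre-auth: the second hop did not "
                "complete key authentication; compare ssh-add -l with the destination's authorized_keys")
    if not r["bastion_sessions"]:
        return "no bastion session: the first hop itself is failing"
    return "inconclusive: read the ssh -vvv client output"


def triage(bastion_log, dest_log):
    """Correlate bastion and destination sshd lines (steps 5 and 6) into one picture."""
    r = {"bastion_sessions": [], "bastion_disconnects": [], "dest_accepted": [], "dest_preauth_closed": []}
    for line in bastion_log.splitlines():
        if m := SESSION_RE.search(line):
            r["bastion_sessions"].append((m["sid"], m["user"]))
        elif m := DISCONNECT_RE.search(line):
            code = int(m["code"])
            r["bastion_disconnects"].append({"peer": m["peer"], "code": code,
                                             "reason": DISCONNECT_REASONS.get(code, "UNKNOWN"),
                                             "message": m["msg"].strip()})
    for line in dest_log.splitlines():
        if m := ACCEPTED_RE.search(line):
            r["dest_accepted"].append((m["method"], m["user"]))
        elif m := PREAUTH_CLOSE_RE.search(line):
            r["dest_preauth_closed"].append(m["peer"])
    r["verdict"] = verdict(r)
    return r


if __name__ == "__main__":
    print(" ".join(shlex.quote(a) for a in manual_ssh_command(COMMON_ARGS, "ec2-user", "10.0.1.5")))
    if host_key_checking_disabled(COMMON_ARGS):
        print("warning: StrictHostKeyChecking=no on the bastion hop")
    for key, value in triage(BASTION_AUTH_LOG, DEST_SECURE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the expanded ProxyCommand and the verdict for the post's log lines; to use it on a real incident, paste the relevant lines from the bastion's auth.log and the destination's /var/log/secure into the two log strings.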