Ansible: Proxy using ProxyCommand

https://stackoverflow.com/questions/28553307/ansible-using-custom-ssh-config-file

and https://stackoverflow.com/questions/38651791/is-it-possible-to-add-ansible-ssh-common-args-in-inventory-file

https://www.cyberciti.biz/faq/linux-unix-ssh-proxycommand-passing-through-one-host-gateway-server/

Will restarting sshd disconnect you?

Say you’re on a bastion host and want to restart sshd with:

 

Is it going to disconnect you?

No.

What you will see if you’re tailing /var/log/auth.log is:

https://serverfault.com/questions/141205/restart-ssh-on-a-machine-where-ssh-is-the-only-mode-of-access

 

Ansible: running through a bastion host

E.g. in inventory create:

ssh-config.yml

with:

ansible_ssh_common_args: "-o ProxyCommand='ssh -W %h:%p {{ AWS_IAM_ID }}@hostname' -o ControlMaster=auto -o ControlPersist=30m -o StrictHostKeyChecking=no"

Then make sure you’ve got both your private keys (bastion and destination) added via ssh-add.

E.g. ssh-add ~/.ssh/id_rsa

etc…

Debugging

1. use ansible -vvvv to get ssh output

2. run this ssh command

3. I was getting

ec2-user@<ip>: Permission denied (publickey).

4. ssh to bastion and check you can access that host

5. on the bastion check the sshd logs

tail -f /var/log/auth.log

which revealed nothing.

i.e. the first line shows the successful ssh connection to the jumpbox. The second shows the disconnect.

Note: setting sshd logging to verbose did not help. e.g.

6. checking the destination box

Note this had a different sshd log at:

/var/log/secure

A successful connection (i.e. directly from the bastion host) would show:

Accepted publickey for ec2-user

but via the proxy command I’d get:

Connection closed by <bastion> [preauth]
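
The two destination-side log signatures above can be told apart mechanically. This is an added example, not part of the original notes, that triages a destination sshd log by bastion IP. The address 10.0.1.10, the function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. 10.0.1.10 is a hypothetical
# bastion private IP and every log line below is constructed.

# With "ssh -W %h:%p" the bastion only relays the TCP stream, so the
# destination's sshd logs the bastion's IP as the source while checking the
# key offered by the machine that runs Ansible.

# sample_log: constructed excerpt of the destination's /var/log/secure.
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 dest sshd[2101]: Accepted publickey for ec2-user from 10.0.1.10 port 40122 ssh2: RSA SHA256:CONSTRUCTED
Mar  3 10:16:40 dest sshd[2140]: Connection closed by 10.0.1.10 [preauth]
Mar  3 10:17:02 dest sshd[2155]: Connection closed by 10.0.11.10 port 40200 [preauth]
EOF
}

# triage BASTION_IP: read sshd log lines on stdin,
# print "<verdict> accepted=N preauth=M".
triage() {
    bastion=$1 accepted=0 preauth=0
    while IFS= read -r line; do
        case $line in
            *"Accepted publickey for "*" from $bastion port "*)
                accepted=$((accepted + 1)) ;;
            # Older and newer OpenSSH word this line differently; accept both.
            *"Connection closed by $bastion "*"[preauth]"* | \
            *"Connection closed by "*" $bastion "*"[preauth]"*)
                preauth=$((preauth + 1)) ;;
        esac
    done
    if [ "$accepted" -gt 0 ] && [ "$preauth" -gt 0 ]; then
        verdict=mixed          # one client has a valid key, another gave up before auth
    elif [ "$preauth" -gt 0 ]; then
        verdict=preauth-close  # TCP path works; check ssh-add -l and the remote user
    elif [ "$accepted" -gt 0 ]; then
        verdict=ok
    else
        verdict=no-entry       # nothing arrived via the bastion; check the hop itself
    fi
    echo "$verdict accepted=$accepted preauth=$preauth"
}

# Real use: sudo cat /var/log/secure | triage <bastion-ip>
sample_log | triage 10.0.1.10   # prints: mixed accepted=1 preauth=1
```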