Does OpenSSH support multihop login?

ssh ansible openssh ssh-tunnel

Solution 1:

I do not know how Ansible uses OpenSSH.

But OpenSSH itself supports "multihop logins".

Since OpenSSH 7.3, you can use -J (jump) switch like:

ssh -J [email protected] [email protected]

The -J is an equivalent of ProxyJump directive:

ssh -o [email protected] [email protected]

Note that with file transfer tools, like scp and sftp, the -J switch is supported since 8.0 only. With older versions (but at least 7.3), use ProxyJump. See How can I download a file from a host I can only SSH to through another host?

Also note that the versions refer to local versions of OpenSSH. A remote version of OpenSSH is not relevant.

As @GordonDavisson commented, with older versions (but at least 5.4), you can use ProxyCommand directive and -W switch:

ssh -o ProxyCommand="ssh -W %h:%p [email protected]" [email protected]

With even older versions, you can use nc command instead of the -W:

ssh -o ProxyCommand="ssh user2@%h nc host2.example.com 22" \
    -o HostKeyAlias=host2.example.com \
    host1.example.com

All the above options are covered in more details in Wikibooks article OpenSSH/Cookbook/Proxies and Jump Hosts.

Another options is to use port forwarding (-L switch). But that involves two ssh instances. I'm not sure if that's possible with Ansible.

Solution 2:

For older Ansible versions you had to do it in the general SSH config as described in Martin Prikryls answer. New versions have Ansible specific config as described in the general FAQ

How do I configure a jump host to access servers that I have no direct access to?

You can set a ProxyCommand in the ansible_ssh_common_args inventory variable. Any arguments specified in this variable are added to the sftp/scp/ssh command line when connecting to the relevant host(s). Consider the following inventory group:

[gatewayed] foo ansible_host=192.0.2.1 bar ansible_host=192.0.2.2

You can create group_vars/gatewayed.yml with the following contents:

ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q [email protected]"'

Ansible will append these arguments to the command line when trying to connect to any hosts in the group gatewayed. (These arguments are used in addition to any ssh_args from ansible.cfg, so you do not need to repeat global ControlPersist settings in ansible_ssh_common_args.)

Note that ssh -W is available only with OpenSSH 5.4 or later. With older versions, it’s necessary to execute nc %h:%p or some equivalent command on the bastion host.

With earlier versions of Ansible, it was necessary to configure a suitable ProxyCommand for one or more hosts in ~/.ssh/config, or globally by setting ssh_args in ansible.cfg.

This way you have a very Ansible-esque way of setting up SSH bastion hosts only where needed, together with any other special SSH settings (like keys, users, etc).

Related

How do you show hidden system folders in Windows 7?
Recovering files when Windows 7 MBR has been corrupted
What is the difference between virtual memory and built-in memory (RAM)?
Make Chrome always execute with flags, for eg., directly opening an HTML file
Driver locked memory on a non-virtual machine
Unintentional mouse movements, am I paranoid?
Robocopy command to copy updated files and long path names
Can I use an onboard and pci vga simultaneously?
How do I fix broken .exe file association in Windows Vista? [duplicate]
Auto login Windows Server 2012
How do I check if a 2-track WAV file is "really" in stereo?
zsh (z shell) numpad/numlock doesn't work