Solution 1:

I just stumbled over this blog post on running Ansible with a bastion host.

Apparently you need to add the bastion host to the control host ssh_config:

Host 10.10.10.*
  ProxyCommand ssh -W %h:%p bastion.example.com
  IdentityFile ~/.ssh/private_key.pem

Host bastion.example.com
  Hostname bastion.example.com
  User ubuntu
  IdentityFile ~/.ssh/private_key.pem
  ControlMaster auto
  ControlPath ~/.ssh/ansible-%r@%h:%p
  ControlPersist 5m

Edit the ssh_args in ansible.cfg:

[ssh_connection]
ssh_args = -F ./ssh.cfg -o ControlMaster=auto -o ControlPersist=30m
control_path = ~/.ssh/ansible-%%r@%%h:%%p

That should cover the bastion part of the configuration. For the MFA part, some user in this GitHub issue claims that it is possible to use an SSH session in Ansible opened outside of Ansible.

I open up the initial connection to the host which has 2FA, then in another window run something like:

ansible-playbook thing.yml --ssh-common-args='-o ControlPath=~/.ssh/connshare'

I don't have a bastion host setup at hand but I think this strategy is worth a try.
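
A pre-flight check for the session-reuse approach quoted above, as an added example that is not part of the original answer or the GitHub issue: it confirms that the control socket is a live master, owned by the current user, in a directory closed to other users, before handing it to Ansible. The function names, the `CTL` variable and the target-host argument are assumptions.

```sh
#!/bin/sh
# Added example: checks to run before pointing Ansible at an SSH master that
# was opened by hand (MFA already completed). Names here are hypothetical.
CTL="${CTL:-$HOME/.ssh/connshare}"   # socket path used in the command above

# 0 = socket exists, is ours, and its directory is closed to group/other.
# 1 = missing or not a socket, 2 = owned by someone else, 3 = directory too open.
socket_is_private() {
  sip_sock=$1
  [ -S "$sip_sock" ] || { echo "no control socket at $sip_sock" >&2; return 1; }
  [ -O "$sip_sock" ] || { echo "$sip_sock belongs to another user" >&2; return 2; }
  sip_dir=$(dirname "$sip_sock")
  # GNU stat first, BSD/macOS stat as fallback.
  sip_mode=$(stat -c '%a' "$sip_dir" 2>/dev/null || stat -f '%Lp' "$sip_dir")
  case $sip_mode in
    *00) return 0 ;;
    *) echo "$sip_dir is mode $sip_mode, expected 700" >&2; return 3 ;;
  esac
}

# Ask the master process behind the socket whether it is still running.
master_is_alive() {
  ssh -S "$1" -O check "$2" 2>/dev/null
}

# Usage: run_playbook thing.yml <target-host>
# The master must already exist, e.g. opened in another window with
#   ssh -M -S "$CTL" <target-host>
run_playbook() {
  socket_is_private "$CTL" || return 1
  master_is_alive "$CTL" "$2" || { echo "master is gone, log in again" >&2; return 1; }
  ansible-playbook "$1" --ssh-common-args="-o ControlPath=$CTL"
}
```

A fixed path such as `~/.ssh/connshare` suits a single target host; the ssh_config manual recommends including `%h`, `%p` and `%r` (or `%C`) in any ControlPath that is shared across hosts.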