dwmkerr / terraform-aws-openshift

Create infrastructure with Terraform and AWS, install OpenShift. Party!
http://www.dwmkerr.com/get-up-and-running-with-openshift-on-aws
MIT License

Use a templated sshconfig using SSH ProxyJump instead? #67

Open zoobab opened 5 years ago

zoobab commented 5 years ago

Hi,

I just made a simple sshconfig file from a template which uses the ProxyJump feature of SSH:

https://wiki.gentoo.org/wiki/SSH_jump_host

The hardcoded sshconfig file looks like this:

$ cat sshconfig
Host *
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    LogLevel QUIET

Host bastion
    Hostname 100.24.1.3
    User ec2-user
    IdentityFile /home/centos/.ssh/id_rsa
    ForwardAgent yes

Host master
    Hostname master.openshift.local
    ProxyJump bastion
    User ec2-user

Host node1
    Hostname node1.openshift.local
    ProxyJump bastion
    User ec2-user

Host node2
    Hostname node2.openshift.local
    ProxyJump bastion
    User ec2-user

To ssh to the master, bastion, node1, node2:

$ ssh -F sshconfig master
$ ssh -F sshconfig bastion
$ ssh -F sshconfig node1
$ ssh -F sshconfig node2

From what I can figure out, the "ForwardAgent yes" seems to do the job of adding the key to the ssh-agent automatically, which I found fragile right now.

The 2 items to template are the Hostname and the location of the SSH key.

What do you think?

Can I make a PR to template that dynamically and replace parts of the makefile?

zoobab commented 5 years ago

The IdentityFile can even be hardcoded to IdentityFile ~/.ssh/id_rsa, it works with the reference to HOME as ~.

So the only thing that needs to be templated is the bastion-public_ip.
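As an added example (not code from the issue or from the terraform-aws-openshift project), the following POSIX shell function renders the sshconfig shown in the first comment from the one value the second comment says must be templated, the bastion public IP, with the identity file defaulting to the literal `~/.ssh/id_rsa` so ssh itself resolves the home directory. Host names (`master`, `node1`, `node2` under `openshift.local`) are taken from the issue; the argument order and the validation of the IP are this example's own choices. One deliberate change from the hand-written file: instead of `StrictHostKeyChecking no` plus `UserKnownHostsFile=/dev/null`, which turns off host key verification entirely, it uses `StrictHostKeyChecking accept-new` with a per-project known_hosts file, so freshly created hosts are accepted on first contact but a later key change is still flagged.

```shell
#!/bin/sh
# Added example, not part of the terraform-aws-openshift repo.
# Renders an ssh config using ProxyJump through the bastion.
#   $1  bastion public IP (e.g. the terraform output the issue calls bastion-public_ip)
#   $2  optional path to the private key; defaults to the literal ~/.ssh/id_rsa
render_sshconfig() {
  bastion_ip="$1"
  identity_file="${2:-}"
  # Keep the tilde literal (single quotes) so ssh expands it, as the issue notes it does.
  [ -n "$identity_file" ] || identity_file='~/.ssh/id_rsa'

  # Fail loudly on an empty or non-numeric IP rather than emitting a config whose
  # "Hostname" line is blank, which would silently make every ProxyJump fail.
  case "$bastion_ip" in
    ''|*[!0-9.]*)
      echo "render_sshconfig: invalid bastion ip: '$bastion_ip'" >&2
      return 1 ;;
  esac

  cat <<EOF
Host *
    LogLevel QUIET
    # accept-new: trust a host's key the first time, refuse if it later changes
    StrictHostKeyChecking accept-new
    UserKnownHostsFile ./known_hosts.openshift

Host bastion
    Hostname $bastion_ip
    User ec2-user
    IdentityFile $identity_file
    ForwardAgent yes

Host master
    Hostname master.openshift.local
    ProxyJump bastion
    User ec2-user

Host node1
    Hostname node1.openshift.local
    ProxyJump bastion
    User ec2-user

Host node2
    Hostname node2.openshift.local
    ProxyJump bastion
    User ec2-user
EOF
}

# Stand-alone use: render_sshconfig 100.24.1.3 > sshconfig && ssh -F sshconfig master
```

Wired into the project's workflow this would be invoked as `render_sshconfig "$(terraform output -raw bastion-public_ip)" > sshconfig` (assuming the output is named as the comment above suggests); the known_hosts file then lives next to the generated config and can be deleted together with it when the cluster is destroyed.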

zoobab commented 5 years ago

I would also investigate running/rewriting the shell scripts as ansible roles, and using this feature:

https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-configure-a-jump-host-to-access-servers-that-i-have-no-direct-access-to

dwmkerr commented 5 years ago

Hi @zoobab sounds great! If you want to go for it with a PR I'd love to take a look. I'd take a look myself but am slammed for the next couple of weeks.

zoobab commented 5 years ago

I will make a branch with my changes, but I have a problem running ansible as root on the bastion, as the key forwarding does not seem to work for the root user, even with sudo -E.

zoobab commented 5 years ago

I have made some notes here:

https://github.com/zoobab/terraform-aws-openshift/blob/master/sshjump.md

Will try to make a branch with a demo, but I need to find time as I am on the release-3.9 branch. I have to solve the sudo problem, probably by exporting the ssh-agent file between the ec2-user and root.