puppetlabs / bolt

Bolt is an open source orchestration tool that automates the manual work it takes to maintain your infrastructure on an as-needed basis or as part of a greater orchestration workflow. It can be installed on your local workstation and connects directly to remote nodes with SSH or WinRM, so you are not required to install any agent software.
https://puppet.com/docs/bolt/latest/bolt.html
Apache License 2.0

Ability for Bolt to use ControlPath sockets #1335

Open gcoxmoz opened 5 years ago

gcoxmoz commented 5 years ago

Possibly see-also #1252

Use Case

Many of our servers have Multifactor Authentication - to connect, you have to have the right public key, and also pass a keyboard-interactive challenge by inputting a TOTP code. This fails with Bolt (unsurprisingly) because there isn't really a chance to perform the TOTP dance.

Describe the Solution You Would Like

Most of us have robust ~/.ssh/config stanzas that include:

ControlPath ~/.ssh/CM_socket/%r@%h:%p
ControlPersist 30m
ControlMaster auto

That means we MFA into a server, and then have 30 minutes of unimpeded access. So we loop through the servers and type codes to establish access, then do loops that do the real work. Basically, I'd like Bolt to have/use/inherit the ControlPath / ControlMaster ssh config directives and thus shuttle its commands over an already-established ssh connection that I made before it.

A super-wishlist would be for bolt to help me do that initial setup:

# loop through the puppetmasters and establish a controlmaster setup:
bolt command run --targets puppetmasters --serially --interactive-login "date"
# ^ this would be the equivalent of `for i in host1 host2 ; do ssh $i date ; done`
# deliberately slow and serialized, and setting up the ControlPath sockets before maintenance
#
# now do the real work during the maintenance window
bolt command run --targets puppetmasters "yum upgrade puppetserver"

Describe Alternatives You've Considered

Disabling MFA is not acceptable, per our Security group. Our users usually have 3 ways of working: suffer with entering codes, tmux/some windowing system to stay connected, and the ControlPath way. Which is effectively "this is all we've found that works."
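Added example, not Bolt project code and not from the issue author: a POSIX sh script that does the serial "establish the masters first" pass from the wishlist by hand, with the checks a practitioner would want around persistent ControlPath sockets. The directory holding the sockets must be private to the user, because anyone who can open a socket inherits the already-authenticated session; `ssh -O check` tells you whether a master is already up, so a host is not prompted for a second TOTP; and `ssh -O exit` tears the masters down when the maintenance window closes, so the persisted sessions do not outlive it. It assumes the ControlPath/ControlPersist/ControlMaster stanza quoted above is in ~/.ssh/config; the `RUN_MUX_DEMO` guard, the function names and the host names passed on the command line are constructed. The "real work" loop is plain ssh, since Bolt's own transport is exactly what cannot ride the socket.

```shell
#!/bin/sh
# Added example, not Bolt project code: serial ControlMaster bring-up with
# the checks that belong around persistent SSH sockets. Assumes the
# ControlPath/ControlPersist/ControlMaster stanza from the issue is in
# ~/.ssh/config; host names passed on the command line are constructed.
set -e

# Same directory as the ControlPath line in the issue's ~/.ssh/config.
SOCKET_DIR="$HOME/.ssh/CM_socket"

# Expand the ssh_config tokens used in that ControlPath (%r remote user,
# %h host, %p port) so the script knows which socket file ssh will create.
# Usage: control_socket_path USER HOST PORT
control_socket_path() {
    printf '%s/%s@%s:%s\n' "$SOCKET_DIR" "$1" "$2" "$3"
}

# A control socket hands an authenticated session to anyone who can open it,
# so the directory holding them must be mode 0700. Exit 0 when it is.
# Uses `ls -ld` rather than stat(1), whose flags differ between GNU and BSD.
socket_dir_is_private() {
    [ -d "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c1-10)
    [ "$perm" = "drwx------" ]
}

# ssh -O check asks the master for HOST (found via ControlPath) whether it is
# alive; exit 0 means yes, so no new login (and no TOTP prompt) is needed.
master_is_alive() {
    ssh -O check "$1" >/dev/null 2>&1
}

# The deliberately slow, serialized pass: one interactive ssh per host so the
# keyboard-interactive TOTP challenge can be answered on the terminal.
# ControlMaster auto + ControlPersist keep the master running afterwards.
establish_masters() {
    for host in "$@"; do
        if master_is_alive "$host"; then
            echo "master already up for $host, skipping login"
        else
            ssh "$host" date
        fi
    done
}

# Close the persisted masters once maintenance is done, so authenticated
# sessions do not linger in the socket directory longer than the window.
teardown_masters() {
    for host in "$@"; do
        ssh -O exit "$host" >/dev/null 2>&1 || true
    done
}

# Only runs when explicitly requested, so the functions above can be sourced.
# Usage: RUN_MUX_DEMO=1 sh mux_demo.sh host1 host2 ...
if [ "${RUN_MUX_DEMO:-0}" = 1 ]; then
    if ! socket_dir_is_private "$SOCKET_DIR"; then
        echo "refusing to continue: $SOCKET_DIR must be mode 0700" >&2
        exit 1
    fi
    establish_masters "$@"
    # Real work over the reused sockets (plain ssh, since Bolt's Net::SSH
    # transport does not consult ControlPath).
    for host in "$@"; do
        ssh "$host" "yum upgrade puppetserver"
    done
    teardown_masters "$@"
fi
```

Running the script with `RUN_MUX_DEMO=1 sh mux_demo.sh host1 host2` pays the TOTP prompt once per host in the first loop, runs the upgrade over the cached masters in the second, and then closes them; re-running it inside the ControlPersist window skips the login for any host whose master is still alive.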

nmaludy commented 5 years ago

Bolt, currently, uses Ruby's Net::SSH implementation for SSH connections. It appears that's been a feature request of that library for a while: https://github.com/net-ssh/net-ssh/issues/443

Maybe if Bolt was able to use the control node's native SSH client then this would be possible.

github-actions[bot] commented 2 years ago

This issue has not had activity for 60 days and will be marked as stale. If this issue continues to have no activity for 7 days, it will be closed.

gcoxmoz commented 2 years ago

"I can do this all day."

github-actions[bot] commented 2 years ago

This issue has not had activity for 60 days and will be marked as stale. If this issue continues to have no activity for 7 days, it will be closed.

gcoxmoz commented 2 years ago

Bad bot.

github-actions[bot] commented 1 year ago

This issue has not had activity for 60 days and will be marked as stale. If this issue continues to have no activity for 7 days, it will be closed.

gcoxmoz commented 1 year ago

Bad bot bad bot, whatchoo gonna do, whatchoo gonna do when they PR you