selivan / ansible-ssh

Script to connect to managed hosts using Ansible inventory and config.

Various improvements #3

Open selivan opened 6 years ago

selivan commented 6 years ago

Before #2 This one works, but it's ugly.

cselaru commented 3 years ago

I don't know if the project is still alive, but I added the possibility to use a jumphost and different usernames, as in my setup, ansible runs in a pipeline with a non-personal account (NPA), but I can connect to the hosts with my own username. If you want, I can create a PR to merge it back.

selivan commented 3 years ago

@cselaru Alive, not actively developed because now I prefer a script that generates ssh config from ansible inventory, leaving custom entries untouched. Someday I will find time to make it less ugly and put it on github.

I also use a jumphost, I set it up using ansible variables magic, so ansible-ssh should work with that without modifications: https://selivan.github.io/2020/10/30/ansible-ssh-bastion-host-with-variables.html

I would be happy to see both features (jump host and NPA) in separate PRs, I will look if I can merge them.

cselaru commented 3 years ago

I cannot use ansible variables in my setup to configure a jumphost, because playbooks run in Ansible Tower and there they don't need a jumphost. I only need the jumphost when I try to connect from my local laptop, so I would prefer to keep these settings separate from ansible. Your reply gave me some improvement ideas so, first, I will work on that and then do the PRs. Thanks!

GamerGun commented 3 years ago

We maintain many repositories with customer-specific playbooks and host data, so ansible-ssh really helps us log in on the right customer system if needed, but we also have multiple cases where ssh.config has been configured for bastions / jump hosts. So I for one would be very interested in a solution to use that info from ssh.config.

selivan commented 3 years ago

@GamerGun Could you show your ansible configuration so that I understand how you use the jump host? There are several ways to do that.

I am not using ansible-ssh much now, I switched to generating .ssh/config from ansible inventory using project-specific prefixes. But I can look into that option.

GamerGun commented 3 years ago

Sure!

ansible.cfg

```
[defaults]
retry_files_enabled = False
roles_path=./roles

[ssh_connection]
ssh_args = -F ssh.config -vv
```

ssh.config

```
Host staging_bastion
    User            gamergun
    HostName        6.7.8.9.0
    ControlMaster   auto
    ControlPath     ~/.ssh/ansible-%r@%h:%p
    ControlPersist  5m
    StrictHostKeyChecking  no

Host production_bastion
    User            gamergun
    HostName        1.2.3.4.5
    ControlMaster   auto
    ControlPath     ~/.ssh/ansible-%r@%h:%p
    StrictHostKeyChecking  no
    ControlPersist  5m

Host 172.17.*
    ProxyCommand           ssh -W %h:%p staging_bastion -F ./ssh.config
    StrictHostKeyChecking  no
    User                   gamergun

Host 172.16.*
    ProxyCommand           ssh -W %h:%p production_bastion -F ./ssh.config
    StrictHostKeyChecking  no
    User                   gamergun
```

So manually we do, for example: `ssh -F ssh.config 172.16.50.105`

selivan commented 3 years ago

@GamerGun

Could you please also post the output of `ansible --version` and `ansible-config dump | grep -i ssh` (excluding private parts)?

I cannot get ssh_args from [ssh_connection] in `ansible-config dump` with my ansible 2.10.

GamerGun commented 3 years ago

@selivan Sure thing. Ansible is installed locally with brew (Mac).

```
ansible 2.10.6
  config file = /Users/tomextel/git/ansible-playbooks-uniface/ansible.cfg
  configured module search path = ['/Users/tomextel/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/Cellar/ansible/3.0.0/libexec/lib/python3.9/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.9.2 (default, Feb 24 2021, 13:26:09) [Clang 12.0.0 (clang-1200.0.32.29)]
```

The config dump:

```
ANSIBLE_SSH_ARGS(/Users/gamergun/git/ansible-playbooks-customer/ansible.cfg) = -F ssh.config
ANSIBLE_SSH_CONTROL_PATH(default) = None
ANSIBLE_SSH_CONTROL_PATH_DIR(default) = ~/.ansible/cp
ANSIBLE_SSH_EXECUTABLE(default) = ssh
ANSIBLE_SSH_RETRIES(default) = 0
DEFAULT_SCP_IF_SSH(default) = smart
DEFAULT_SSH_TRANSFER_METHOD(default) = None
NETCONF_SSH_CONFIG(default) = None
```

GamerGun commented 3 years ago

Although I'm a bit confused, I just tried ansible-ssh on this customer and that seemed to work with a jumphost?

```
./ansible-ssh stg-jira
ssh_args:  -F ssh.config
ssh_executable:  ssh
ansible_host: 1.2.3.4
ansible_user: gamergun
ansible_port:
ansible_ssh_private_key_file:
ansible_ssh_common_args:
ansible_ssh_extra_args:
result command: ssh gamergun@1.2.3.4 -F ssh.config
Last login: Fri Mar  5 10:00:27 2021 from xxx.eu-west-1.compute.internal

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[gamergun@ip-1-2-3-4 ~]$
```

There is no way to connect to that IP directly (1.2.3.4 is a 10. IP) - can't ping or ssh to it - so this must have gone through the jumphost. The "result command" confirms that.

So I wonder in which case it did fail for me recently ...

selivan commented 3 years ago

@GamerGun

```
ANSIBLE_SSH_ARGS(/Users/gamergun/git/ansible-playbooks-customer/ansible.cfg) = -F ssh.config
```

Looks like it works in your case, because ansible-ssh utilizes ANSIBLE_SSH_ARGS.
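Added example, not part of the original thread and not ansible-ssh's own code: a sketch of how the `ansible-config dump` lines quoted above can be parsed and turned into the "result command" seen in the trace. The function names and the choice to build an argv list (so inventory values are never re-interpreted by a shell) are assumptions of this example; the sample lines are constructed from the output posted in the thread.

```python
import re
import shlex

# Constructed sample: lines in the `ansible-config dump` format quoted in the thread.
SAMPLE_DUMP = """\
ANSIBLE_SSH_ARGS(/Users/gamergun/git/ansible-playbooks-customer/ansible.cfg) = -F ssh.config
ANSIBLE_SSH_CONTROL_PATH(default) = None
ANSIBLE_SSH_EXECUTABLE(default) = ssh
ANSIBLE_SSH_RETRIES(default) = 0
"""

# Each line looks like NAME(source) = value, where source is "default",
# "env: ..." or the path of the ansible.cfg that set the value.
LINE_RE = re.compile(r"^(?P<name>[A-Z0-9_]+)\((?P<source>.*?)\) = (?P<value>.*)$")


def parse_config_dump(text):
    """Return {setting name: (value or None, source)} for every parsable line."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank lines and anything that is not a setting
        value = match.group("value")
        settings[match.group("name")] = (
            None if value == "None" else value,
            match.group("source"),
        )
    return settings


def build_ssh_argv(settings, host, user=None, port=None):
    """Compose the ssh argv in the same order as the trace's 'result command'."""
    executable = settings.get("ANSIBLE_SSH_EXECUTABLE", (None, "default"))[0] or "ssh"
    ssh_args = settings.get("ANSIBLE_SSH_ARGS", (None, "default"))[0] or ""
    argv = [executable, f"{user}@{host}" if user else host]
    if port:
        argv += ["-p", str(port)]
    # shlex.split keeps quoted arguments intact instead of splitting on every space.
    argv += shlex.split(ssh_args)
    return argv


if __name__ == "__main__":
    parsed = parse_config_dump(SAMPLE_DUMP)
    print(parsed["ANSIBLE_SSH_ARGS"])
    print(build_ssh_argv(parsed, "1.2.3.4", user="gamergun"))
```

The source field shows which ansible.cfg supplied `-F ssh.config`; because that path is relative, ssh resolves it against the directory the command is run from.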

selivan commented 3 years ago

@cselaru Check out the new version, now it can render jinja templates inside variables if present. Maybe that will resolve your jumphost issue.