Access to jumpbox as normal user and change to root user in ansible


Here is my situation. I want to access a server through a jumpbox/bastion host. So I will log in as a normal user on the jumpbox, then change user to root, and after that log in to the remote server as root. I don't have direct access to root on the jumpbox.

$ ssh user@jumpbox
user@jumpbox:~$ su - root
Enter Password:
root@jumpbox:~# ssh root@remoteserver
Enter Password:
root@remoteserver:~#

Above is the manual workflow. I want to achieve this in ansible. I have seen something like this.

ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user@jumpbox"'

This does not work when we need to switch to root and then log in to the remote server.


There are a few things to unpack here:

General Design / Issue:

This isn't an Ansible issue, it's an ssh issue/proxy misconfiguration.

A bastion host/ssh proxy isn't meant to be logged into and have commands run directly on it interactively (like su - root, enter password, then ssh...). That's not really a bastion, that's just a server you're logging into and running commands on. It's not an actual ssh proxy/bastion/jump role. At that point you might as well just run Ansible on the host.

That's why things like ProxyJump and ProxyCommand aren't working. They are designed to work with ssh proxies that are configured as ssh proxies (bastions).

Running Ansible Tasks as Root:

Ansible can run with sudo during task execution (it's called "become" in Ansible lingo), so you should never need to SSH as the literal root user with Ansible (shouldn't ssh as root ever really).

Answering the question:

There are a lot of workarounds for this, but the straightforward answer here is to configure the jump host as a proper bastion and your issue will go away. An example...

  1. As the bastion "user", create an ssh key pair, or use an existing one.

  2. On the bastion, edit the user's ~/.ssh/config file to access the target server with the private key and desired user.

    EXAMPLE user@bastion's ~/.ssh/config (I cringe seeing root here)...

    Host remote-server
     User root
     IdentityFile ~/.ssh/my-private-key
    
  3. Add the public key created in step 1 to the target server's ~/.ssh/authorized_keys file for the user you're logging in as.

After that type of config, your jump host is working as a regular ssh proxy. You can then use ProxyCommand or ProxyJump as you had tried to originally without issue.
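As an added example (not from the original question or answer), here is an Ansible inventory that puts the whole setup together: the jump host is used purely as an ssh proxy via ProxyJump, the login on the target is a non-root account, and root is obtained with become. The names are assumptions: a bastion reachable as user@jumpbox, a target remoteserver with a non-root account deploy whose authorized_keys holds the controller's public key, and sudo rights for deploy on the target. Note that with ProxyJump the bastion only forwards the TCP connection; authentication to remoteserver happens end-to-end from the Ansible controller, so the target's private key lives on the controller, not on the bastion.

```yaml
# inventory.yml (added example; all hostnames, users and paths are assumptions)
all:
  children:
    remote:
      hosts:
        remoteserver:
      vars:
        # Log in as an unprivileged user, never as root.
        ansible_user: deploy
        # Private key stays on the Ansible controller; the bastion never sees it.
        ansible_ssh_private_key_file: ~/.ssh/remoteserver_ed25519
        # Hop through the bastion as a plain ssh proxy (OpenSSH 7.3+).
        # Equivalent to the ProxyCommand form from the question:
        #   -o ProxyCommand="ssh -W %h:%p -q user@jumpbox"
        ansible_ssh_common_args: '-o ProxyJump=user@jumpbox'
        # Escalate to root on the target per task instead of logging in as root.
        ansible_become: true
        ansible_become_method: sudo
```

A quick check that the chain works is `ansible -i inventory.yml remote -m command -a id`, which should report uid=0(root) on remoteserver. If, as in the question, root on the target is only reachable with the root password through su, set `ansible_become_method: su` and pass the password at run time with `--ask-become-pass` (`-K`) rather than storing it in the inventory. Nothing here runs on the bastion itself, so the bastion user needs no key to the target and no ~/.ssh/config entry for it.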