We are forced to use CyberArk PSM Proxy, which describes itself as an "ssh 
proxy". From what I know this is _not_ a jump host / bastion host solution! 
I cannot access my target servers directly; the only open ssh port is that 
of the PSM Proxy. The proxy forwards to the target server and logs me in 
with a privileged user (instead of my own, which I only need to 
authenticate with the proxy).

I can't get Ansible to work through this psmp and therefore made several 
attempts. I read several blogs that describe how to use bastion / jump 
hosts with Ansible, but PSM proxy obviously does not work this way.

I am able to trigger the execution of "uname -a" by using this command with 
direct ssh:

    ssh myuser@[email protected][email protected] "uname -a"

My assumption is that Ansible basically does the same, given that I was 
passing in the correct information.


When I present Ansible with a compliant hostname, it is also able to run the 
command successfully:

    ansible -vvv all -i 'myuser@[email protected][email protected],' -a "uname -a" -u myuser --ask-pass


But this creates the problem that all my inventory files would need to 
contain this strange syntax, and this messes up my hosts / groups concept (I 
need to be able to tell Ansible "do task x on server group webservers, 
targetserver.srv.domain being the first of my webservers").

An additional problem is that instead of "myuser" all my colleagues would 
need to run the same with "theiruser1", "theiruser2" and so on, and this 
would make the list of hosts grow considerably and list servers multiple 
times, which is ineffective.


The vvv output tells me this (extract):

    Unable to parse address from hostname, leaving unchanged: Not a valid network hostname: myuser@[email protected][email protected]

    Using module file /usr/lib/python2.7/dist-packages/ansible/modules/commands/command.py

    <myuser@[email protected][email protected]> SSH: EXEC sshpass -d12 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=myuser -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/b5ad891d41 myuser@[email protected][email protected] '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /tmp/ansible-tmp-1548258807.51-5121098331994 `" && echo ansible-tmp-1548258807.51-5121098331994="` echo /tmp/ansible-tmp-1548258807.51-5121098331994 `" ) && sleep 0'"'"''


I had a look at the source of the ssh connection plugin (but I am certainly 
no Python guy) and mitogen, but found no way to configure them in order to 
have Ansible use the crude connection syntax I need. I even thought about 
telling Ansible to use a different ssh binary but failed in creating a 
concept of what this binary / bash script would need to do in order to be 
compatible with Ansible's demands.

(By the way: in a previous attempt I asked a comparable question in the 
OpenSSH mailing list and didn't get a definitive answer how this can be 
solved with OpenSSH config file means: 
https://lists.gt.net/openssh/dev/70081)
