How can you write the following setup in an ssh config.
### The Bastion Host
Host bastion-host-nickname
HostName bastion-hostname
### The Remote Host
Host remote-host-nickname
HostName remote-hostname
ProxyJump bastion-host-nickname
### The Remote Host VM
Host remote-host-vm-nickname
Hostname remote-vm-hostname
????
I have a bastian sever through which my remote-host can be reached via ssh. This connection is working as expected. On my remote-host there are a few virtual machines (the remote host vm) that can also be reached via ssh.
AllowTCPForwarding is disabled in the sshd_config of the remote-host. Therefore neither an SSH tunnel nor a ProxyCommand can be used. With both you get the error message "... administratively prohibited". The sshd_config should stay that way.
My preferred approach is that I connect to the remote-host and execute the following command:
[#remote-host]
"ssh -t -i keyfile user#remote-vm-hostname \" whoami \ ""
How can I describe this ssh command in my ssh_config?
Especially so that this ssh command can only be executed on my remote host.
Related
I want to expose my system for accessing via ssh.
After running this ./ngrok tcp 12345, I see:
Forwarding tcp://0.tcp.ngrok.io:15909 -> localhost:12345
In my ~/.ssh/config, I add the following lines, as I have a proxy in my workplace:
Host ngrok
Hostname 0.tcp.ngrok.io
ProxyCommand corkscrew 172.16.2.30 8080 %h %p
To test, I am trying to access my own system from my own system (another shell) via ngrok. Then finally when I access using
ssh -p 15909 ngrok
it says:
ssh_exchange_identification: Connection closed by remote host
How do I access it?
See Unable to ssh into remote Linux by ngrok
but also try this from the new shell when you want to ssh into your ngrok
ssh <username>#0.tcp.ngrok.io -p 15909
where username is the user your sshing into
I have a dd-wrt router where I setup a ssh port-forwarding rule to redirect each WAN request towards a host in the private LAN that at the moment is unavailable. Is it possible to avoid the firewall redirection with a ssh parameter and connect directly to the router via ssh ? Note: At the moment I haven't direct access to the router.
One effective solution is to setup a single SSH port forward to one host on the network, and then use SSH forwarding via that host to the others.
This can be added easily to the client ssh config:
host AnyNameYouLike
Hostname remoteHostnameOrIp
Proxycommand ssh -q proxyuser#proxyhostname.remotely.accessible nc -q0 %h %p
User remoteHostnameOrIpUser
IdentityFile ~/.ssh/remoteHostnameOrIp_id_rsa
You can omit the IdentityFile line if you prefer alternative authentication. If you set up an entry for proxyuser#proxyhostname.remotely.accessible too you can have completely passwordless and transparent proxying.
Further, you can use wildcards, and have ssh automatically ssh via the proxy for any matching host, eg:
host 10.10.10.*
proxycommand ssh -q proxyuser#proxyhostname.remotely.accessible nc -q0 %h %p
I've looked [to faq][1] , but there is no answer for my task.
How can I access to bastion (jump box) host using password with Ansible? We do not consider using SSH keys. How will SSH config (or Ansible config) be look like for this situation?
For instance using SSH keys, the configuration looks like this:
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user#gateway.example.com"'
How to achieve the same result by using password?
You can use the ProxyJump ssh option which does not require netcat/nc to be installed on the jump host.
So in the ~/.ssh/config file of the user you are using to run the Ansible commands, add something like this
Host jumphost
HostName 1.1.1.1 # use actual ip address or fqdn
Host *
ProxyJump jumphost
In my ~/.ssh/config file, I have configured the bastion host like this:
##### Private hosts access through bastion host #####
Host bastion-host
HostName 52.13.2.54
ForwardAgent yes
Host 10.10.*
ProxyCommand ssh -q bastion-host nc -q0 %h %p
Then I can directly run the Ansible over the hosts in private subnet. Hope that might help you
I am running Ansible on my machine. And my machine does not have ssh access to the remote machine. Port 22 connection originating from local machine are blocked by the institute firewall. But I have access to a machine (ssh-tunnel), through which I can login to the remote machine. Now is there a way we can run ansible playbook from local machine on remote hosts.
In a way is it possible to make Ansible/ssh connect to the remote machine, via ssh-tunnel. But not exactly login to ssh-tunnel. The connection will pass through the tunnel.
Other way is I can install ansible on ssh-tunnel, but that is not the desired and run plays from there. But that would not be a desired solution.
Please let me know if this is possible.
There are two ways to achieve this without install the Ansible on the ssh-tunnel machine.
Solution#1:
Use these variables in your inventory:
[remote_machine]
remote ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 ansible_ssh_user='username' ansible_ssh_private_key_file='/home/user/private_key'
hope you understand above parameters, if need help please ask in comments
Solution#2:
Create ~/.ssh/config file and add the following parameters:
####### Access to the Private Server through ssh-tunnel/bastion ########
Host ssh-tunnel-server
HostName x.x.x.x
StrictHostKeyChecking no
User username
ForwardAgent yes
Host private-server
HostName y.y.y.y
StrictHostKeyChecking no
User username
ProxyCommand ssh -q ssh-tunnel-server nc -q0 %h %p
Hope that help you, if you need any help, feel free to ask
No request to install ansible on the jump and remote servers, ansible is ssh service only tool :-)
First make sure you can work it directly with SSH Tunnel.
On local machine (Local_A), you can login to Remote machine (Remote_B) via jump box (Jump_C).
login server Local_A
ssh -f user#remote_B -L 2000:Jump_C:22 -N
The other options are:
-f tells ssh to background itself after it authenticates, so you don't have to sit around running something on the remote server for the tunnel to remain alive.
-N says that you want an SSH connection, but you don't actually want to run any remote commands. If all you're creating is a tunnel, then including this option saves resources.
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
There will be a password challenge unless you have set up DSA or RSA keys for a passwordless login.
There are lots of documents teaching you how to do the ssh tunnel.
Then try below ansible command from Local_A:
ansible -vvvv remote_B -m shell -a 'hostname -f' --ssh-extra-args="-L 2000:Jump_C:22"
You should see the remote_B hostname. Let me know the result.
Let's say you can ssh into x.x.x.x from your local machine, and ssh into y.y.y.y from x.x.x.x, while y.y.y.y is the target of your ansible playbook.
inventory:
[target]
y.y.y.y
playbook.yml
---
- hosts: target
tasks: ...
Run:
ansible-playbook --ssh-common-args="-o ProxyCommand='ssh -W %h:%p root#x.x.x.x'" -i inventory playbook.yml
I'm trying to use rsync to connect to an Rsync server. However, our company firewall blocks the 873 port used by rsync.
Using the following proxy configuration with corkscrew in the ~/.ssh/config file, I can bypass the firewall and connect to remote servers with SSH:
ProxyCommand /usr/local/bin/corkscrew our-http-proxy.domain.name 8080 %h %p
Thus, with the above configuration, I use ssh the following way, which lets me connect to a remote machine with no problem:
ssh -L 8080:localhost:80 username#remote.machine.name -p 443
My question is, can I use rsync to utilize such ssh tunnel, and connect to the Rsync server?
I so far tried a few ways to have rsync utilize the same ssh proxy configuration. One of them is as follows, which always results in ssh_exchange_identification: Connection closed by remote host:
rsync -CaLvz -e "ssh -L 873:remote.rsync-server.name:443" remote.rsync-server.name::remote-source-directory /local/target/directory/
Any ideas?