On 12.01.17 09:40 Thomas Oliw wrote:
I doubt that ansible is capable of handling this kind of jumphost. A
'normal' jumphost that just forwards the connection and the ssh key
works outside of ansible and does not require much configuration
(mostly setting the hosts up in your ~/.ssh/config).
> Well, I have no insight in why this model was chosen. I guess that
> it allows strict control to limit all accesses via one hardened
> jumphost, and only one place to manage sudo stuff. I will try to go
> the correct route and ask the security people why the jumpstation
> is built the way it is, but I fear it will take some time... Still
> worth the struggle if it allows us to automate tasks in a safe and
> efficient way in the future. (If there is good documentation on
> how to build a ssh jumphost, I am interested to read up on that).
I would be curious why this setup was chosen. If you are not doing
smart sudo authentication, then your whole setup depends on users
entering their password to do 'sudo ssh ...'. Or worse, all enter the
same root password.
So I cannot see any advantages over authenticating via ssh keys on
the target host.
Johannes
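As an added illustration of the "normal" jumphost setup Johannes refers to (this is not from the original thread and not from any of the participants): a ~/.ssh/config that hops through a bastion with ProxyJump, so the private keys stay on the workstation and the jumphost only relays the TCP stream. The host names, user name and key paths are assumptions.

```sshconfig
# ~/.ssh/config  (added example; host names, user and key paths are assumptions)

# The bastion is the only host reachable directly. Give it its own key,
# offer only that key (IdentitiesOnly), and never forward the agent to it:
# a compromised bastion must not be able to use your keys.
Host jump
    HostName jump.example.org
    User alice
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes
    ForwardAgent no

# Internal targets: authenticate end-to-end with a key that never leaves
# the workstation. ProxyJump (OpenSSH 7.3+) opens a TCP forward through the
# bastion; no key, sudo rule or shell on the bastion is needed beyond login.
Host *.internal.example.org
    User alice
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes
    ForwardAgent no
```

With this in place `ssh web1.internal.example.org` works from the shell, and Ansible needs no special handling because it invokes the system ssh client, which reads the same file; the equivalent per-host or per-group inventory setting is `ansible_ssh_common_args='-o ProxyJump=jump'`. Two checks worth doing: `ssh -G web1.internal.example.org | grep -i proxyjump` shows the resolved option, and the bastion's sshd must allow TCP forwarding for that user (`AllowTcpForwarding yes`, or `local` on newer releases), which a hardened jumphost may have disabled. Access control then lives in `authorized_keys` on each target rather than in a shared sudo rule on the bastion.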