using a jump box with rundeck


Chris Nuber

Nov 30, 2016, 6:04:24 PM
to rundeck-discuss
I have a bastion server/jump box that users authenticate to using LDAP authentication, and it gives them keyed SSH access to all of the other servers on the network. These servers are not accessible from anywhere other than this jump box.

I need a way to have Rundeck auth through the jump box when making its outbound SSH connections to the nodes.

I realize I could write a wrapper script that would run locally but the issue there is that I will not have access to the Rundeck Node list to tell it what server to execute against.

Has anyone done this successfully, either with a tunnel or some other method?

Peter Garlic

Dec 1, 2016, 5:28:51 AM
to rundeck-discuss

K West

Dec 1, 2016, 6:25:50 AM
to rundeck-discuss
Hi Chris

More specifically, assuming you're using OpenSSH, and the command 'nc' (netcat) is available on your bastion host:
  1. [Testing part] From a terminal on your Rundeck server, adjust the following example and try to successfully connect with SSH to one of your nodes. (The important keyword here is 'ProxyCommand'. That tells SSH to use what's provided as a jump box host):
    ssh -o "StrictHostKeyChecking no" -o "ProxyCommand ssh -o 'StrictHostKeyChecking no' -i <PRIVATE_SSH_KEY_FILE> <USER>@<BASTION> nc %h %p" <NODE_USERNAME>@<NODE_HOSTNAME>

  2. [Configuration part in Rundeck] When it's working, the next part is just a matter of configuring Rundeck to use a custom command to connect to your nodes instead of the default SSH plugin (read the doc here: http://rundeck.org/docs/plugins-user-guide/script-plugin.html). Your custom command would be, obviously, the one validated in step 1, but adjusted to Rundeck syntax.
    You will end up with something like:
    script-exec: ssh -o "StrictHostKeyChecking no" -o "ProxyCommand ssh -o 'StrictHostKeyChecking no' -i <PRIVATE_SSH_KEY_FILE> <USER>@<BASTION> nc %h %p" ${node.username}@${node.hostname} ${exec.command}
Note: if your bastion host does not come with 'nc', you might find the 'socat' command instead. You'll then have to replace 'nc %h %p' by something like 'socat STDIO TCP:%h:%p'.
Also, please read SSH doc to understand the implications of using StrictHostKeyChecking.

Hope it helps.
Kofi.
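As an added example (not code from the thread), here is a wrapper in the spirit of the script-exec line above: it keeps the ProxyCommand/nc pattern but verifies host keys against a pinned known_hosts file instead of disabling StrictHostKeyChecking, which is the implication Kofi points to. The bastion user, hostnames, key and file paths are placeholders.

```bash
#!/bin/bash
# Constructed example: a wrapper the script-exec plugin can call instead of the
# inline ssh line above, e.g. (placeholder path):
#   script-exec: /usr/local/bin/rundeck_jump.sh ${node.username} ${node.hostname} ${exec.command}
# All hostnames, users and paths below are placeholders for this example.
BASTION_USER="${BASTION_USER:-rundeck}"
BASTION_HOST="${BASTION_HOST:-bastion.example.internal}"
BASTION_KEY="${BASTION_KEY:-/var/lib/rundeck/.ssh/bastion_key}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/var/lib/rundeck/.ssh/known_hosts_pinned}"
SSH="${SSH:-ssh}"   # overridable so the wrapper can be dry-run (e.g. SSH=echo)

# The ProxyCommand string. %h and %p are expanded by the *outer* ssh to the
# node's hostname and port, so netcat on the bastion opens the inner hop.
# Both hops verify the peer against the same pinned known_hosts file.
proxy_command() {
  printf 'ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s -i %s %s@%s nc %%h %%p' \
    "$KNOWN_HOSTS" "$BASTION_KEY" "$BASTION_USER" "$BASTION_HOST"
}

# Refuse to run if the pinned host-key file or the bastion key is missing,
# rather than letting ssh fall back to learning keys on first connection.
check_prereqs() {
  [ -r "$KNOWN_HOSTS" ] || { echo "missing known_hosts: $KNOWN_HOSTS" >&2; return 1; }
  [ -r "$BASTION_KEY" ]  || { echo "missing bastion key: $BASTION_KEY" >&2; return 1; }
}

# run_node NODE_USER NODE_HOST COMMAND...  runs COMMAND on NODE_HOST via the bastion.
run_node() {
  node_user=$1
  node_host=$2
  shift 2
  [ $# -gt 0 ] || { echo "usage: run_node USER HOST COMMAND..." >&2; return 2; }
  "$SSH" -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
         -o ProxyCommand="$(proxy_command)" "$node_user@$node_host" "$@"
}

# Act as a CLI only when installed under the expected name (not when sourced).
case "$0" in
  */rundeck_jump.sh|rundeck_jump.sh) check_prereqs && run_node "$@" ;;
esac
```

Populate the pinned file once, from a trusted channel, with the host keys of the bastion and of every node; after that a changed key makes ssh fail loudly instead of connecting.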