Context
- ansible 2.7.6
- OpenSSH_7.4
Issue
I have a machine A that I can access only through a gateway, which we call the machine G, over ssh.
The external IP address of the machine G is 10.X.X.X.
The internal IP address of the machine A is 192.168.32.10.
I want to apply an ansible playbook on the remote machine A using the ProxyCommand option through the gateway machine G.
In the group_vars/all inventory vars file, I put the following option according to the documentation:
ansible_ssh_common_args: '-o ProxyCommand="ssh -q -W %h:%p -p {{ JUMPER_PORT }} root@{{ JUMPER_IP }}"'
I execute the following command line to trigger ansible:
ansible -i $PWD all \
-m ping \
--extra-vars="JUMPER_IP=10.X.X.X JUMPER_PORT=6666"
But the command throws an ssh illegal option error. Here is the output:
<---> (255, b'', b'ssh: illegal option -- -
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [- c cipher_spec]
[-D [bind_address:]port] [- E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file]
[-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [- p port] [-Q query_option] [-R address]
[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
[user@]hostname [command]
')
<global> SSH: EXEC ssh -C -o
ControlMaster=auto -o .
ControlPersist=60s -o
KbdInteractiveAuthentication=no
-o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no
-o ConnectTimeout=10
-o 'ProxyCommand=ssh -q -W %h:%p
-p 6666 root@10.X.X.X'
-o ControlPath=/Users/me/.ansible/cp/853aabe504
global '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
--- | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: ssh: illegal option --
-\nusage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c
cipher_spec]\n [-D [bind_address:]port] [-E log_file] [-e
escape_char]\n [-F configfile] [-I pkcs11] [-i
identity_file]\n [-J [user@]host[:port]] [-L address] [-l .
login_name] [-m mac_spec]\n [-O ctl_cmd] [-o option] [-p
port] [-Q query_option] [-R address]\n [-S ctl_path] [-W
host:port] [-w local_tun[:remote_tun]]\n [user@]hostname
[command]\n",
"unreachable": true
}
It seems like the -W %h:%p does not replace the host and the port.
Any idea?
Best Answer
You're following an extremely outdated tutorial.
Recent versions of OpenSSH, including the one you're using, have a very simple syntax for specifying a jump host:
So you can simply do something like this:
As a matter of best practices, consider using a VPN, or IPv6, or both, to avoid the use of jump hosts wherever possible.
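An added example, not part of the original answer: the jump-host syntax the answer refers to is presumably the `-J [user@]host[:port]` option listed in the usage output above, whose `-o` form is `ProxyJump` (available since OpenSSH 7.3). The fragment reuses the question's JUMPER_IP and JUMPER_PORT variables; the group name behind_gateway is hypothetical.

```yaml
# group_vars/behind_gateway  (hypothetical group that holds machine A only)
#
# Before (from the question): a hand-built ProxyCommand with a nested,
# separately quoted ssh command line.
# ansible_ssh_common_args: '-o ProxyCommand="ssh -q -W %h:%p -p {{ JUMPER_PORT }} root@{{ JUMPER_IP }}"'
#
# After: ProxyJump takes [user@]host[:port]. ssh opens the tunnel through
# the gateway itself, so there is no inner command and no %h:%p to expand.
ansible_ssh_common_args: '-o ProxyJump=root@{{ JUMPER_IP }}:{{ JUMPER_PORT }}'

# Scoping this variable to a group rather than group_vars/all keeps the
# gateway, if it is also listed in the inventory, from being routed
# through itself.
```

The ad hoc command from the question can stay as it is, since both variables are still supplied with --extra-vars. As with `ProxyCommand ... -W`, authentication to machine A and verification of its host key happen on the control machine, so no key material or agent needs to be present on the gateway.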