4
votes

I am running Ansible on my machine, and my machine does not have SSH access to the remote machine. Port 22 connections originating from my local machine are blocked by the institute firewall. But I have access to a machine (ssh-tunnel) through which I can log in to the remote machine. Now, is there a way to run an Ansible playbook from the local machine on the remote hosts?

In other words, is it possible to make Ansible/ssh connect to the remote machine via ssh-tunnel, without actually logging in to ssh-tunnel? The connection would just pass through the tunnel.

The other way is to install Ansible on ssh-tunnel and run the plays from there, but that would not be a desired solution.

Please let me know if this is possible.

3 Answers

2
votes

There are two ways to achieve this without installing Ansible on the ssh-tunnel machine.

Solution#1:

Use these variables in your inventory:

[remote_machine]
remote ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 ansible_ssh_user='username' ansible_ssh_private_key_file='/home/user/private_key'

I hope you understand the above parameters; if you need help, please ask in the comments.

Solution#2:

Create a ~/.ssh/config file and add the following parameters:

####### Access to the Private Server through ssh-tunnel/bastion ########

Host ssh-tunnel-server
    HostName x.x.x.x
    StrictHostKeyChecking no
    User username
    ForwardAgent yes

Host private-server
  HostName y.y.y.y
  StrictHostKeyChecking no
  User username
  ProxyCommand ssh -q ssh-tunnel-server nc -q0 %h %p

Hope that helps you; if you need any help, feel free to ask.

0
votes

No need to install Ansible on the jump and remote servers; Ansible is an SSH-service-only tool :-)

First make sure it works directly with an SSH tunnel.

On the local machine (Local_A), you can log in to the remote machine (Remote_B) via the jump box (Jump_C).

Log in to server Local_A and run:

# connect to the jump box and forward local port 2000 to port 22 on Remote_B
ssh -f -N -L 2000:Remote_B:22 user@Jump_C

The options are:

  • -f tells ssh to background itself after it authenticates, so you don't have to sit around running something on the remote server for the tunnel to remain alive.
  • -N says that you want an SSH connection, but you don't actually want to run any remote commands. If all you're creating is a tunnel, then including this option saves resources.
  • -L [bind_address:]port:host:hostport Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.

There will be a password challenge unless you have set up DSA or RSA keys for a passwordless login.

There are lots of documents teaching you how to set up an SSH tunnel.

Then try the ansible command below from Local_A:

ansible -vvvv remote_B -m shell -a 'hostname -f' --ssh-extra-args="-L 2000:Jump_C:22"

You should see the remote_B hostname. Let me know the result.
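The local-port-forward approach (Solution #1 in the first answer and the tunnel in this answer) has a detail neither answer spells out: once Ansible talks to 127.0.0.1:2000, ssh records and checks the target's host key under `[127.0.0.1]:2000`, so reusing that port for a different host later produces a key mismatch that is then often silenced with `StrictHostKeyChecking no`. The following is an editor's added example, not code from either answer: it builds the forward in the right direction (to the jump box, forwarding on to the blocked target) and an inventory that keeps host-key verification tied to the real target name via `HostKeyAlias`. The names Local_A, Jump_C, Remote_B and port 2000 come from this answer; the user name `user` and the inventory path are placeholders.

```shell
#!/usr/bin/env sh
# Editor's added example (not from the answer): the local-port-forward approach
# with the two ssh options that keep it safe to use with Ansible. Jump_C,
# Remote_B and port 2000 are the answer's names; the user name is a placeholder.
set -eu

JUMP_USER="${JUMP_USER:-user}"
JUMP_HOST="${JUMP_HOST:-Jump_C}"
TARGET_HOST="${TARGET_HOST:-Remote_B}"
LOCAL_PORT="${LOCAL_PORT:-2000}"

# The tunnel is opened TO the jump box; the firewalled target is reached from
# there. ExitOnForwardFailure makes ssh exit (instead of lingering in the
# background because of -f) when port 2000 is already taken, which otherwise
# shows up later as Ansible silently talking to whatever the old tunnel targets.
forward_cmd() {
  printf 'ssh -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:22 %s@%s\n' \
    "$LOCAL_PORT" "$TARGET_HOST" "$JUMP_USER" "$JUMP_HOST"
}

# Inventory line for the forwarded port. Without HostKeyAlias, ssh stores the
# target's key as "[127.0.0.1]:2000", so pointing the same port at another host
# later trips a mismatch that people then "fix" with StrictHostKeyChecking=no.
# With the alias the key is checked under the target's real name instead.
inventory_line() {
  printf '%s ansible_host=127.0.0.1 ansible_port=%s ansible_ssh_common_args="-o HostKeyAlias=%s"\n' \
    "$TARGET_HOST" "$LOCAL_PORT" "$TARGET_HOST"
}

# Write a minimal INI inventory with one group containing the forwarded host.
write_inventory() {
  { echo '[remote]'; inventory_line; } > "$1"
}

# Usage: sh this_script.sh <inventory-file>
# Prints the tunnel command to run first and the Ansible command to run after.
if [ "${1:-}" != "" ]; then
  write_inventory "$1"
  echo "1) open the tunnel:   $(forward_cmd)"
  echo "2) run Ansible:       ansible -i $1 remote -m command -a 'hostname -f'"
fi
```

The forward binds explicitly to 127.0.0.1 so the tunnel entrance is never reachable from other machines on the LAN, and `-N` keeps the jump-box session shell-less, which is all the jump box should ever provide here.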

0
votes

Let's say you can ssh into x.x.x.x from your local machine, and ssh into y.y.y.y from x.x.x.x, while y.y.y.y is the target of your ansible playbook.

inventory:

[target]
y.y.y.y

playbook.yml:

---
- hosts: target
  tasks: ...

Run:

ansible-playbook --ssh-common-args="-o ProxyCommand='ssh -W %h:%p user@x.x.x.x'" -i inventory playbook.yml
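Both `ProxyCommand` variants on this page (`nc` in the first answer's Solution #2, `ssh -W` in this answer) leave host-key verification as an afterthought: the first answer's config turns off `StrictHostKeyChecking` on both hops, and a `ProxyCommand` passed on the command line inherits whatever the default config says. The following is an editor's added example, not code from any answer: it generates an equivalent ssh_config using `ProxyJump` (OpenSSH 7.3 and later, no netcat needed on the bastion), keeps `StrictHostKeyChecking yes` with a pinned known_hosts file for both hops, offers only the intended keys, and leaves `ForwardAgent` off, since with `ProxyJump` the key exchange with y.y.y.y runs end-to-end from the local machine and the bastion never needs the agent. The addresses x.x.x.x / y.y.y.y and the user name `username` come from the first answer; the key paths and output file names are assumptions.

```shell
#!/usr/bin/env sh
# Editor's added example (not from any answer): hardened ssh_config + Ansible
# inventory for reaching y.y.y.y through the bastion x.x.x.x with ProxyJump.
# Placeholders: x.x.x.x, y.y.y.y, username (from the first answer); key paths
# and output file names are assumptions.
set -eu

# Write the ssh_config. Differences from the posted config: ProxyJump instead of
# "ProxyCommand ssh ... nc", host keys of BOTH hops verified against a pinned
# known_hosts file, IdentitiesOnly so only the intended key is offered, and no
# ForwardAgent (the bastion only relays TCP and never needs the agent).
write_ssh_config() {
  cfg="$1"; known_hosts="$2"
  cat > "$cfg" <<EOF
Host ssh-tunnel-server
    HostName x.x.x.x
    User username
    IdentityFile ~/.ssh/ansible_bastion
    IdentitiesOnly yes
    StrictHostKeyChecking yes
    UserKnownHostsFile $known_hosts

Host private-server
    HostName y.y.y.y
    User username
    IdentityFile ~/.ssh/ansible_target
    IdentitiesOnly yes
    StrictHostKeyChecking yes
    UserKnownHostsFile $known_hosts
    ProxyJump ssh-tunnel-server
EOF
}

# Inventory that makes Ansible use that config file for the host.
write_inventory() {
  inv="$1"; cfg="$2"
  cat > "$inv" <<EOF
[remote_machine]
private-server ansible_ssh_common_args='-F $cfg'
EOF
}

# Pre-flight checks: exactly one ProxyJump hop, and host-key checking not disabled.
proxyjump_count() { grep -c '^ *ProxyJump' "$1" || true; }
hostkey_checking_disabled() { grep -qi '^ *StrictHostKeyChecking *no' "$1"; }

# Usage: sh this_script.sh <output-dir>
# Afterwards seed <output-dir>/known_hosts with keys you have verified
# out-of-band (e.g. from the hosts' /etc/ssh/*.pub) before the first playbook run.
if [ "${1:-}" != "" ]; then
  mkdir -p "$1"
  write_ssh_config "$1/ssh_config" "$1/known_hosts"
  write_inventory "$1/inventory" "$1/ssh_config"
  if hostkey_checking_disabled "$1/ssh_config"; then
    echo "refusing: host-key checking is disabled in $1/ssh_config" >&2; exit 1
  fi
  echo "wrote $1/ssh_config and $1/inventory (ProxyJump hops: $(proxyjump_count "$1/ssh_config"))"
fi
```

Because the config is passed with `-F` through `ansible_ssh_common_args`, it stays per-project and does not touch the user's global `~/.ssh/config`; the same `-F` file also works for plain `ssh private-server` when debugging connectivity before running a playbook.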