Feature #14630


Apply rules defined in ssh config

Added by Enrico Bartz almost 8 years ago. Updated almost 8 years ago.

Smart Proxy - SSH
Target version:
Fixed in Releases:
Found in Releases:


I have a huge amount of hosts that I want to have enabled for remote execution, but my Foreman server does not have access to all of them directly. I have different customer networks which are split, and I have jump hosts to them.

So I'm using different kinds of ssh keys for different servers and have some rules for proxy commands.

An example of my config could be like:

Host cus* wan*
ProxyCommand ssh -A -t -W %h:%p
User root
IdentityFile ~/.ssh/id_cus

Host wao* mol*
ProxyCommand ssh -A -t -W %h:%p
User root
IdentityFile ~/.ssh/id_wao

Would it be possible to have those rules applied for the ssh connection? And if not, what can I do besides bringing smart proxies to every jump server that I have? (Which is also not possible for me, because I'm not able to get a fresh Ruby on all those machines, and reinstalling is also not a solution for me.)

#1

Updated by Stephen Benjamin almost 8 years ago

  • Category set to Smart Proxy - SSH

After we talked on IRC, I looked and it does look like the library we use (Net::SSH) supports it. It may actually be somewhat simple.

You could try to patch your smart proxy running on docker, it's a single line change.

There's a bit of code here that sets the SSH options:

If you insert this after line 136:
ssh_options[:config] = true

And restart the proxy, you can see if it works.

I think it should read the .ssh/config and apply your settings. Only a subset of options are supported, but ProxyCommand is one of them.

#2

Updated by Stephen Benjamin almost 8 years ago

Actually, we do read the .ssh/config, it's turned on by default in Net::SSH. No code changes required, so ignore the comment above.

If you have one in place for the foreman-proxy user (in ~foreman-proxy/.ssh/config), then we'll use it. There are a few caveats. We don't connect to the host name until the last resort; we try the IP address Foreman knows about. So, my .ssh/config looks like this:

  ProxyCommand ssh root@ nc %h %p

When the smart proxy tries to connect to, I can see it establishing the connection through netcat on just fine.

The second issue I ran into was trying the commands you have there - the default security settings on my Fedora box don't seem to be allowing -W or something, it says "channel 0: open failed: administratively prohibited: open failed". Did you need to change some ssh security settings to allow proxy commands like that?
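To illustrate the caveat from the comment above (Host patterns only match what the proxy actually connects to, and it tries the IP address before the host name), here is a small Ruby resolver added as an example; it is not code from the issue or from the smart-proxy project. It applies ssh_config Host globbing the way OpenSSH and Net::SSH do (first value seen per key wins) to the config posted in the issue; the jump host names in ProxyCommand are placeholders, and negated (!) patterns are not handled.

```ruby
# Constructed from the Host blocks posted in the issue; jump host names
# (jump-cus.example, jump-wao.example) are placeholders.
SAMPLE_CONFIG = <<~CONF
  Host cus* wan*
    ProxyCommand ssh -A -t -W %h:%p jump-cus.example
    User root
    IdentityFile ~/.ssh/id_cus

  Host wao* mol*
    ProxyCommand ssh -A -t -W %h:%p jump-wao.example
    User root
    IdentityFile ~/.ssh/id_wao
CONF

# Parse into [[patterns, {key => value}], ...], keeping file order:
# ssh applies the first value it sees for each key, so order matters.
def parse_ssh_config(text)
  blocks = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    if key.casecmp('Host').zero?
      blocks << [value.split(/\s+/), {}]
    elsif blocks.any?
      blocks.last[1][key.downcase] ||= value
    end
  end
  blocks
end

# Merge the options for one target (host name or IP) using ssh_config
# glob semantics; File.fnmatch handles the * and ? wildcards.
def resolve_host(text, target)
  opts = {}
  parse_ssh_config(text).each do |patterns, settings|
    next unless patterns.any? { |p| File.fnmatch(p, target) }
    settings.each { |k, v| opts[k] ||= v } # first match wins per key
  end
  opts
end

if __FILE__ == $PROGRAM_NAME
  p resolve_host(SAMPLE_CONFIG, 'cus01')     # proxied via jump-cus, id_cus
  p resolve_host(SAMPLE_CONFIG, '10.0.0.5')  # {} : an IP matches no Host block
end
```

A smart proxy that dials the IP first therefore needs a Host pattern covering the address ranges, or a name-based lookup, before the ProxyCommand rules take effect.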

