Bug #37803

open

Not possible to use ProxyJump or ProxyCommand for Ansible.

Added by Adam Lazik 7 days ago. Updated 6 days ago.

Status:
Ready For Testing
Priority:
Normal
Assignee:
Category:
Foreman modules
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Previously, we added a hardcoded `ProxyCommand=none` because
ipa-client-install added
`ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h` into
`/etc/ssh/ssh_config`, which caused failure to execute ansible commands
on systems without the `/sbin/nologin` shell [1]. However, this also
prevents users from using their own jump host in the ssh configuration
since the hardcoded command line arguments always take precedence.

Since this issue was fixed in the ipa tooling 3 years ago (they now use
the `Match exec true` rule [2]), I propose we remove the hardcoded
ProxyCommand to allow users to specify their own jump hosts. The same is
being done for remote execution [3].

Some users who have configured the ipa client before the fix landed in
ipa might still report that they are getting errors when trying to run
ansible commands because the ProxyCommand specified in
`/etc/ssh/ssh_config` is failing to execute. We should suggest that these
users remove the ProxyCommand from ssh config, which should fix all
of their issues originating from this. This is more of a problem of the
old ipa tooling rather than a problem of foreman.

[1] https://projects.theforeman.org/issues/25481
[2] https://pagure.io/freeipa/issue/7676
[3] https://github.com/theforeman/smart_proxy_remote_execution_ssh/pull/117
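
A check for the leftover configuration described above, added here as an example and not part of the issue or of Foreman's code: it scans ssh_config text for a `ProxyCommand` that invokes `sss_ssh_knownhostsproxy` outside a `Match exec` block. The function name, the sample configs and the rule that only a `Match exec` block counts as guarded are assumptions.

```python
import re
import sys

# Constructed samples (not taken from a real host): the unguarded global
# form, and the `Match exec true` form the issue says ipa now writes.
SAMPLE_OLD = """\
PubkeyAuthentication yes
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
"""
SAMPLE_FIXED = """\
PubkeyAuthentication yes
Match exec true
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
"""

# ssh_config accepts both "Keyword value" and "Keyword=value"; keywords are
# case-insensitive.
_DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$")


def find_unguarded_proxycommand(config_text, needle="sss_ssh_knownhostsproxy"):
    """Return (line_no, scope, value) for every ProxyCommand containing
    `needle` that is not inside a `Match exec ...` block (assumed rule).
    Include directives are not followed."""
    findings = []
    scope = "global"   # directives before any Host/Match apply to every host
    guarded = False
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = _DIRECTIVE.match(line)
        if not m or line.startswith("#"):
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword in ("host", "match"):
            # A new Host/Match block ends the previous one.
            scope = f"{m.group(1)} {value}"
            guarded = keyword == "match" and value.lower().split()[:1] == ["exec"]
        elif keyword == "proxycommand" and needle in value and not guarded:
            findings.append((line_no, scope, value))
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run the samples.
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_OLD, SAMPLE_FIXED]
    for text in texts:
        for line_no, scope, value in find_unguarded_proxycommand(text):
            print(f"line {line_no} [{scope}]: ProxyCommand {value}")
```

Run it with `/etc/ssh/ssh_config` as the argument to audit a host; an empty result means no unguarded helper line was found in that file.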

Actions #1

Updated by Ewoud Kohl van Wijngaarden 7 days ago

  • Project changed from Puppet to Installer
  • Category set to Foreman modules

Actions #2

Updated by The Foreman Bot 6 days ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman_proxy/pull/845 added