
Bastion host #431

Closed
Fodoj opened this issue Feb 8, 2016 · 15 comments

Comments

@Fodoj

Fodoj commented Feb 8, 2016

What is the best way to forward specs through bastion host?

@chris-rock
Contributor

@Fodoj If I get you right, you need some kind of gateway setting, right?

@Fodoj
Author

Fodoj commented Feb 8, 2016

Yep


@chris-rock
Contributor

InSpec has no native gateway setting yet. At this point, I propose to use ssh to bind the remote ssh port via the gateway ssh to a local port with -L. Then just let inspec connect to ssh://127.0.0.1:yourport.

@chris-rock
Contributor

For reference, in Serverspec it can be solved as described: http://pmyjavec.com/code/2014/12/03/serverspec-behind-jump-server.html

This feature should be implemented in https://github.com/chef/train/blob/master/lib/train/transports/ssh.rb

@robcoward

I'm already using the Net::SSH::Proxy::Command gem as mentioned in @chris-rock's link above to get serverspec to test infrastructure on remote non-routable networks via a bastion host. Would really love to see something similar usable with Inspec.

My specific use-case here is working in a secure environment with different security domains; we are not allowed to route traffic between two security domains. All connections have to go through some form of jumpbox / proxy server where there is a protocol break and traffic can be "inspected". My secondary use-case is to be able to test infrastructure built on a cloud hosting provider where, for good reasons, not all the 'internal' servers are accessible from the internet and have to also be accessed via a jumpbox.

@zambien

zambien commented Dec 14, 2016

I would also like to see this added.

@unitsche

+1

@thiagonache

thiagonache commented Jan 30, 2017

I did a small patch, but I'm not sure how to get the proxy variable from the kitchen yml:
inspec/train@master...thiagonache:master

Can you guys help?

@james-s-nduka

+1
This is a feature Hashicorp Terraform has for remote execution on instances. It would be really helpful for inspec testing

@jesstracy

+1

@heathsnow

heathsnow commented Dec 7, 2017

Here's what I've come up with so far:

require 'socket'

result = nil
tunnel = nil
task_thread = []
%w(port_map spec_test).each do |task|
  task_thread << Thread.new do
    case task
    when 'port_map'
      puts 'mapping 1337 local to 22 remote'
      # -N keeps the tunnel open without a remote shell; keeping the IO handle
      # lets us stop it by pid instead of grepping ps for any 'ssh -A' process
      tunnel = IO.popen('ssh -A -N -L1337:FOO_SERVER:22 ubuntu@BASTION_HOST')
    when 'spec_test'
      # the tunnel is forked asynchronously, so wait until the local port answers
      begin
        TCPSocket.new('127.0.0.1', 1337).close
      rescue Errno::ECONNREFUSED
        sleep 0.5
        retry
      end
      puts 'running spec tests...'
      result = `inspec exec spec/*_spec.rb --target=ssh://ubuntu@127.0.0.1:1337 -i ~/.ssh/foo_server.pem`
      Process.kill('TERM', tunnel.pid)
      tunnel.close
      puts result
    end
  end
end
task_thread.each(&:join)
# result is declared outside the threads so it is visible here
raise 'Inspec Test Failure.' unless result.include?('0 failures')

@gordonbondon

For me Inspec works through jumphost with ProxyCommand in ~/.ssh/config:

Host jump.host
    User user
    IdentityFile ~/.ssh/id_rsa

# range of hosts behind jump host (ssh_config only allows comments on their own line)
Host 10.*
    ForwardAgent no
    User ubuntu
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    UseKeychain yes
    ProxyCommand ssh -q -W %h:%p jump.host
    IdentityFile ~/.ssh/dev-user.pem

And then inspec exec profile -t ssh://ubuntu@10.11.22.33

@heathsnow

heathsnow commented Dec 7, 2017

Okay, I used @gordonbondon suggestion and now run the following in a rake task:

ssh_config = File.join(Dir.home, '.ssh', 'config')
# empty the existing config first; File.truncate is explicit, whereas opening
# with File::TRUNC alone leaks the handle and relies on unspecified O_RDONLY|O_TRUNC behaviour
File.truncate(ssh_config, 0) if File.exist?(ssh_config)
File.open(ssh_config, 'a+') do |f|
  f << "Host bastion\n"
  f << "    HostName #{bastion_host}\n"
  f << "    StrictHostKeyChecking no\n"
  f << "    User ubuntu\n"
  f << "Host 10.*\n"
  f << "    StrictHostKeyChecking no\n"
  f << "    ProxyCommand ssh -q -W %h:%p bastion\n"
end
# load the instance key into an agent so both hops can use it, then let
# inspec pick up the ProxyCommand from ~/.ssh/config
cmd = "eval `ssh-agent -s` && ssh-add #{instance_private_key} && " \
      "inspec exec spec/*_spec.rb -t ssh://ubuntu@#{server}"
sh cmd
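The ProxyCommand approach from the two comments above, as an added Ruby example that is not code from this thread or from InSpec/Train: it writes the bastion config to its own file and pulls it in with an OpenSSH Include line (7.3+) instead of truncating ~/.ssh/config; the bastion hostname, users, patterns and paths are placeholders.

```ruby
require 'fileutils'
require 'tmpdir'

# ssh_config text that routes every host matching target_pattern through the
# bastion; -W hands the target's sshd to the outer ssh, which is what net-ssh
# (and therefore inspec) talks to. All names are placeholders.
def bastion_ssh_config(bastion_host:, bastion_user:, target_pattern:, target_user:)
  <<~CONF
    Host bastion
        HostName #{bastion_host}
        User #{bastion_user}
    # hosts behind the bastion (ssh_config comments must be on their own line)
    Host #{target_pattern}
        User #{target_user}
        ProxyCommand ssh -q -W %h:%p bastion
  CONF
end

# Writes the fragment with mode 0600 and prepends an Include line to
# config_path unless it is already present, leaving the user's existing
# entries intact. Returns true when config_path was modified.
def install_bastion_config(config_path, fragment_path, fragment)
  FileUtils.mkdir_p(File.dirname(fragment_path))
  File.write(fragment_path, fragment)
  File.chmod(0o600, fragment_path)
  include_line = "Include #{fragment_path}"
  existing = File.exist?(config_path) ? File.read(config_path) : ''
  return false if existing.lines.map(&:strip).include?(include_line)
  # Include must come before any Host block to apply to every host
  File.write(config_path, "#{include_line}\n#{existing}")
  File.chmod(0o600, config_path)
  true
end

# With ProxyCommand in the config, inspec needs no tunnel or port bookkeeping.
def inspec_command(target_user, target_host)
  "inspec exec spec/*_spec.rb -t ssh://#{target_user}@#{target_host}"
end

if $PROGRAM_NAME == __FILE__
  # demo against a temporary directory so nothing in the real ~/.ssh is touched
  Dir.mktmpdir do |dir|
    conf = bastion_ssh_config(bastion_host: 'bastion.example.internal',
                              bastion_user: 'ubuntu', target_pattern: '10.*',
                              target_user: 'ubuntu')
    install_bastion_config(File.join(dir, 'config'), File.join(dir, 'conf.d', 'bastion'), conf)
    puts File.read(File.join(dir, 'config'))
  end
end
```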

@darksheer

Is fixing this without the 'goofy' workaround still blocked on inspec/train#163?

@jquick
Contributor

jquick commented Oct 24, 2018

This was added.

@jquick jquick closed this as completed Oct 24, 2018