
Create equivalent to knife-ec2 --ssh-gateway in kitchen-ec2 #249

Closed
eaddingtonwhite opened this issue May 7, 2016 · 11 comments

Comments

@eaddingtonwhite

The proper security model for connecting via ssh to a secure instance is through a bastion host. It would be a really cool feature if we could specify an existing bastion host to tunnel ssh connections through and execute chef commands in our .kitchen.yml file. I need to use a feature like this, and I saw someone else had posted on a chef forum with no replies, so I thought I'd write it up here as well.

@jjasghar

jjasghar commented May 7, 2016

Could you set something up in your .ssh/config like the following?

Host *.amazonaws.com
  ProxyCommand ssh jjasghar@<bastion-node> exec nc %h %p 2> /dev/null

@eaddingtonwhite
Author

@jjasghar Yes, I could do this, but I am trying to automate for both other developers and CI/CD steps, and it would be nice if this was just built in so I don't have to write to a config file every time. The other thing is it would be nice to not have to associate a DNS record with created test hosts; it could just point to a random private IP each time.

@proffalken

@ellery44 Just trying to clarify this, are you asking for kitchen-ec2 to stand up a bastion/gateway host for each and every test run, or to use an existing Bastion/Gateway based on a configuration variable?

@eaddingtonwhite
Author

No, just to be able to specify a bastion host in your .kitchen.yml like so:

driver:  
   name: ec2
   aws_ssh_key_id: mykey
   bastion_host: mybastion.mysite.com

Then under the hood it would do something like

ssh -A -t mybastion.mysite.com ssh -A <myTestkitchenBoxPrivateIP>

Would this be possible? Then I could set up test hosts in my private subnets and expose a web server in my safe, isolated subnet which only allows connections from specific IPs/other hosts.

@proffalken

OK, I'm not averse to this as a proposal, although I do tend to agree with @jjasghar that there is already a mechanism within SSH itself to do this and we should probably use that instead of re-inventing the wheel.

From the man page (http://linux.die.net/man/5/ssh_config):

A pattern consists of zero or more non-whitespace characters, '*' (a wildcard that matches zero or more characters), or '?' (a wildcard that matches exactly one character). For example, to specify a set of declarations for any host in the ".co.uk" set of domains, the following pattern could be used:

    Host *.co.uk

The following pattern would match any host in the 192.168.0.[0-9] network range:

    Host 192.168.0.?

A pattern-list is a comma-separated list of patterns. Patterns within pattern-lists may be negated by preceding them with an exclamation mark ('!'). For example, to allow a key to be used from anywhere within an organisation except from the "dialup" pool, the following entry (in authorized_keys) could be used:

    from="!*.dialup.example.com,*.example.com"

So you could create a .ssh/config file and push it out to your users/CI servers that contained something like this:

Host your.aws.subnet.*
    ProxyCommand ssh <your_user>@<bastion-node> -W %h:%p

This would ensure that any connections for the subnet inside your VPC would be routed via your bastion host.

As I say, I'm not against this, I'd just rather not re-invent the wheel :)

@eaddingtonwhite
Author

Hi sorry I dropped off this for a bit.

I don't feel as if it is reinventing the wheel; the tunneling is already built into the SSH spec, it's more just how it is configured to run. I think it would be an improvement to have this just work with this project. If you believe it should be done in ssh config, maybe an automated step to set it up for you would be cool, appending it onto the local ssh config?
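
As an added example (not code from kitchen-ec2, Test Kitchen, or any participant in this thread), the following Ruby script does what the comment above proposes: it reads a driver hash shaped like the proposed `bastion_host` snippet, turns a private subnet into an ssh_config `Host` glob, and appends a ProxyCommand stanza to a local ssh config only once, so repeated runs do not pile up duplicates. The `private_cidr` and `bastion_user` keys are assumptions for this illustration, not real kitchen-ec2 options. The stanza uses `ssh -W %h:%p`, which forwards the TCP connection through the bastion without opening a shell there and without forwarding your agent to it (unlike the `ssh -A` chain shown earlier). Because `Host` patterns are globs rather than CIDRs, only octet-aligned prefixes (/8, /16, /24, /32) can be expressed exactly; anything else is refused rather than silently widened to a larger range.

```ruby
#!/usr/bin/env ruby
# Added example, not kitchen-ec2 or Test Kitchen code. Generates an
# ssh_config stanza that tunnels SSH to every host in a private subnet
# through an existing bastion, and appends it to a config file once.
#
# Assumed (hypothetical) driver keys: "private_cidr" names the subnet the
# test instances land in, "bastion_user" is the login user on the bastion.

require "ipaddr"

# ssh_config Host patterns are globs, not CIDRs, so only prefixes that end
# on an octet boundary can be expressed exactly. Refuse anything else
# instead of silently matching a wider range than the subnet.
def cidr_to_host_pattern(cidr)
  _ip, prefix = cidr.split("/")
  prefix = Integer(prefix || "32")
  unless prefix.between?(8, 32) && prefix % 8 == 0
    raise ArgumentError, "prefix /#{prefix} is not octet-aligned (use /8, /16, /24 or /32)"
  end
  # IPAddr masks the host bits, so "10.0.5.7/16" normalises to "10.0.0.0".
  octets = IPAddr.new(cidr).to_s.split(".")
  keep = prefix / 8
  return octets.join(".") if keep == 4
  (octets.first(keep) + ["*"]).join(".")
end

# Build the stanza. `-W %h:%p` forwards the TCP connection through the
# bastion with no shell on it and no agent forwarding.
def ssh_config_stanza(driver)
  bastion = driver.fetch("bastion_host")
  user    = driver.fetch("bastion_user", "ec2-user") # assumed default
  cidr    = driver.fetch("private_cidr")
  pattern = cidr_to_host_pattern(cidr)
  <<~CONF
    # kitchen-bastion: #{cidr} via #{bastion}
    Host #{pattern}
      ProxyCommand ssh -W %h:%p #{user}@#{bastion}
  CONF
end

# Append the stanza unless its marker comment is already present, so the
# step is safe to run before every `kitchen` invocation. Returns true when
# the file was changed.
def ensure_stanza(config_path, stanza)
  marker   = stanza.lines.first
  existing = File.exist?(config_path) ? File.read(config_path) : ""
  return false if existing.include?(marker)
  File.open(config_path, "a") do |f|
    f.write("\n") unless existing.empty? || existing.end_with?("\n")
    f.write(stanza)
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  require "tmpdir"
  # Constructed sample driver settings, mirroring the proposed .kitchen.yml.
  driver = {
    "name"           => "ec2",
    "aws_ssh_key_id" => "mykey",
    "bastion_host"   => "mybastion.mysite.com",
    "private_cidr"   => "10.0.0.0/16",
  }
  Dir.mktmpdir do |dir|
    path = File.join(dir, "config")
    puts ensure_stanza(path, ssh_config_stanza(driver)) # first run appends
    puts ensure_stanza(path, ssh_config_stanza(driver)) # second run is a no-op
    puts File.read(path)
  end
end
```

In practice you would point `config_path` at `~/.ssh/config` (or a file included from it) and run the script from the same CI step that runs `kitchen`; because the stanza matches on the private IP glob, no DNS record is needed for the throwaway instances.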

@iiro

iiro commented Jun 9, 2016

I've created this one in the Test-Kitchen project: test-kitchen/test-kitchen#829

@proffalken

OK, coming back around to this now.

@iiro if test-kitchen/test-kitchen#426 gets merged, is there any reason why this command wouldn't filter down from Test Kitchen and allow @ellery44 to access the bastions that way?

If we're going to get the functionality upstream (and I'm happy to add my +1's to it!) then I'd prefer to adopt that approach instead of writing our own and making the documentation even more verbose! :)

@atheiman

atheiman commented Oct 25, 2017

test-kitchen/test-kitchen#1091 implements ssh_gateway and ssh_gateway_username

transport:
  name: ssh
  ssh_gateway: <gateway>
  ssh_gateway_username: <username at the gateway>

I haven't used this before, but I'm about to. If I have issues with it I'll try to post back here.

edit: jk, I'm not gonna use this because inspec doesn't yet support ssh_gateway options. Seems like just setting ProxyCommand in your ssh config file is the only way to make this work for all related tools.

@cheeseplus
Contributor

Support for this was merged upstream and that is where anything "transport" related would also need to be done so closing this issue out as kitchen support is complete here.
