语境

tag-icon tag-icon ssh proxy ansible
语境

语境

  • ansible 2.7.6
  • OpenSSH_7.4

问题

我有一个machine A只能通过我们称之为“machine G通过”的网关来访问的ssh

机器G的外部ip地址是10.X.X.X

机器A的内部ip地址是192.168.32.10

我想通过网关使用选项ansible在远程应用剧本。machine AProxyCommandmachine G

进入group_vars/all库存的 vars 文件库存,我根据以下选项输入文档

ansible_ssh_common_args: '-o ProxyCommand="ssh -q -W %h:%p -p {{ JUMPER_PORT }} root@{{ JUMPER_IP }}"'

我执行以下命令行来触发 ansible:

ansible -i $PWD all \
-m ping \
--extra-vars="JUMPER_IP=10.X.X.X JUMPER_PORT=6666"

但该命令抛出了 ssh 非法选项错误。输出如下:

<---> (255, b'', b'ssh: illegal option -- -
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [- c cipher_spec]
   [-D [bind_address:]port] [- E log_file] [-e escape_char]
   [-F configfile] [-I pkcs11] [-i identity_file]
   [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]           
   [-O ctl_cmd] [-o option] [- p port] [-Q query_option] [-R address]           
   [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]          
   [user@]hostname [command]
')

<global> SSH: EXEC ssh -C -o 
ControlMaster=auto -o . 
ControlPersist=60s -o 
KbdInteractiveAuthentication=no 
-o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey 
-o PasswordAuthentication=no 
-o ConnectTimeout=10
-o 'ProxyCommand=ssh -q -W %h:%p 
-p 6666 [email protected]'
-o ControlPath=/Users/me/.ansible/cp/853aabe504 
global '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''

--- | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ssh: illegal option -- 
    -\nusage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c 
    cipher_spec]\n           [-D [bind_address:]port] [-E log_file] [-e 
    escape_char]\n           [-F configfile] [-I pkcs11] [-i 
    identity_file]\n           [-J [user@]host[:port]] [-L address] [-l . 
    login_name] [-m mac_spec]\n           [-O ctl_cmd] [-o option] [-p 
    port] [-Q query_option] [-R address]\n           [-S ctl_path] [-W 
    host:port] [-w local_tun[:remote_tun]]\n           [user@]hostname 
    [command]\n",
    "unreachable": true
}

好像-W %h:%p不要替换主机和端口。

任何想法 ?

答案1

您正在遵循一个极其过时的教程。

OpenSSH 的最新版本(包括您正在使用的版本)具有用于指定跳转主机的非常简单的语法:

ssh -J [jumpuser@]jumphost[:jumpport] destination

因此你可以简单地做这样的事情:

ansible_ssh_common_args: "-J root@{{JUMPER_IP}}:{{JUMPER_PORT}}"

作为最佳实践,请考虑使用 VPN 或 IPv6 或两者,以尽可能避免使用跳转主机。

相关内容