Ansible with a bastion host (SSH Proxy)

Andrea Dainese
August 14, 2020

In some Ansible designs, I need to use a bastion host to log in to remote servers. We can configure it in the following way:

In the ansible.cfg file:

[defaults]
timeout = 25
# useful but not essential
gathering = smart

[ssh_connection]
#ssh_args = -o ControlMaster=auto -o ControlPersist=600s
# UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no turn off SSH host key verification
ssh_args = -o ControlMaster=auto -o ControlPersist=600s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
control_path = %(directory)s/%%h-%%r
pipelining = True

In the inventory file:

vars:
  ansible_ssh_common_args: '-o ProxyCommand="sshpass -p passwordcomplessa ssh -W %h:%p -q remoteuser@bastionhost"'

Additional notes:

  • Passwords passed to sshpass with -p appear in the process list, so they are visible to all users through the ps -a command.
  • Prefer key authentication with the bastion host.
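
The key-based alternative recommended in the notes above, as an added example that is not part of the original post: the same ProxyCommand with sshpass removed and a dedicated key for the bastion. The group name, target host name and key path are assumptions; remoteuser and bastionhost are the post's placeholders.

```yaml
# Added example (not from the original post).
# behind_bastion, server1.internal and ~/.ssh/bastion_ed25519 are assumed names.
all:
  children:
    behind_bastion:
      hosts:
        server1.internal:
      vars:
        # Form from the post: the password is an argument of sshpass and shows up in ps.
        # ansible_ssh_common_args: '-o ProxyCommand="sshpass -p passwordcomplessa ssh -W %h:%p -q remoteuser@bastionhost"'
        #
        # Key-based form: no secret on any command line.
        #   -i                   private key used only for the bastion hop
        #   IdentitiesOnly=yes   offer only that key, not every key loaded in the agent
        #   BatchMode=yes        fail instead of prompting, so a missing key stops the play
        ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q -i ~/.ssh/bastion_ed25519 -o IdentitiesOnly=yes -o BatchMode=yes remoteuser@bastionhost"'
        # The inner ssh to the bastion reads the user's own known_hosts. To verify the
        # target hosts as well, drop "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
        # from ssh_args in ansible.cfg and pre-populate known_hosts.
```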