It never ceases to amaze me how even after years and years of working with some technologies I keep finding out about super useful features in those technologies, that could have saved me lots of time if I knew about them earlier. \u00a0Today was a day just like that.<\/p>\n
I was working on the Ansible setup for a new hosting environment. \u00a0One particular thing I wanted to utilize more was a bastion host – a single Linux machine with exposed secure shell (SSH) port, which will be used for managing the configurations of all the servers within the environment. \u00a0I sort of done that before, but the solution wasn’t as elegant as I wanted it to be.<\/p>\n
So, I came across this article –\u00a0Running Ansible Through an SSH Bastion Host<\/a>. \u00a0Which, among other things taught me about a feature that I didn’t know nothing about. \u00a0Literally. \u00a0Haven’t even heard about it. \u00a0Multiplexing in OpenSSH<\/a>:<\/p>\n Multiplexing is the ability to send more than one signal over a single line or connection. With multiplexing, OpenSSH can re-use an existing TCP connection for multiple concurrent SSH sessions rather than creating a new one each time.<\/p><\/blockquote>\n This doesn’t sound too useful for when you are working in command line, one server at a time. \u00a0Who cares how many TCP connections do you need? It’ll be one, or two, or five. \u00a0Ten, if you are really involved. \u00a0But by that time you’ll probably be running background processes, and screen or tmux<\/a> (which are apparently called “terminal multiplexers<\/a>“).<\/p>\n It’s when you are going deeper into automation, such as in my case with Ansible<\/a>, when you’ll need OpenSSH multiplexing. \u00a0Ansible, being a configuration manager, can run a whole lot of commands one after another. \u00a0It can run them on multiple servers in parallel as well. \u00a0That’s where reusing the connections can make quite a bit of a difference. \u00a0If every command you run connects to the remote server, executes, and then disconnects, you can benefit from not needing to connect and disconnect multiple times (tens or hundreds of times, every playbook run). \u00a0 Reusing connection for parallel jobs is even better – and that’s a case with bastion host, for example.<\/p>\n Here are a few useful links from that article, just in case the ether eats it one day:<\/p>\n Armed with those, I had my setup running in no time. \u00a0The only minor correction I had to do for my case was the SSH configuration for the bastion host. \u00a0The example in the article is NOT<\/strong> wrong:<\/p>\n It’s just that in my case, I use hostnames both for the bastion host and the hosts which are managed through it. \u00a0So I had to adjust it as so:<\/p>\n Notice the two changes:<\/p>\n The reason for the second change is that if there are multiple Host matches in the configuration file, OpenSSH will combine all options from the matched configurations (something I didn’t find in the ssh_config manual<\/a>). \u00a0Try this example ssh.conf<\/em> with some real hosts of yours:<\/p>\n You’ll see the output similar to this:<\/p>\n Once you negate the bastion host from the wildcard configuration, everything works as expected.<\/p>\n You might also try using “%r@%h:%p” for the socket to be different for each remote username that you will concurrently connect with, but that’s just nit-picking.<\/p>\n\n","protected":false},"excerpt":{"rendered":"\n\n
\r\nHost 10.10.10.*\r\n ProxyCommand ssh -W %h:%p bastion.example.com\r\n IdentityFile ~\/.ssh\/private_key.pem\r\n\r\nHost bastion.example.com\r\n Hostname bastion.example.com\r\n User ubuntu\r\n IdentityFile ~\/.ssh\/private_key.pem\r\n ForwardAgent yes\r\n ControlMaster auto\r\n ControlPath ~\/.ssh\/ansible-%r@%h:%p\r\n ControlPersist 5m\r\n<\/pre>\n
\r\nHost *.example.com !bastion.example.com\r\n ProxyCommand ssh -W %h:%p bastion.example.com\r\n IdentityFile ~\/.ssh\/private_key.pem\r\n\r\nHost bastion.example.com\r\n Hostname bastion.example.com\r\n User ubuntu\r\n IdentityFile ~\/.ssh\/private_key.pem\r\n ForwardAgent yes\r\n ControlMaster auto\r\n ControlPath ~\/.ssh\/ansible-%r@%h:%p\r\n ControlPersist 5m\r\n<\/pre>\n
\n
\r\nHost bastion.example.com\r\n\tUser someuser\r\n\r\nHost *.example.com\r\n\tPort 2222\r\n<\/pre>\n
\r\n$ ssh -F ssh.conf bastion.example.com -v\r\nOpenSSH_7.2p2, OpenSSL 1.0.2h-fips 3 May 2016\r\ndebug1: Reading configuration data ssh.conf\r\ndebug1: ssh.conf line 1: Applying options for bastion.example.com\r\ndebug1: ssh.conf line 4: Applying options for *.example.com\r\ndebug1: Connecting to bastion.example.com [1.2.3.4] port 2222.\r\n^C\r\n<\/pre>\n