Securing Ansible Automation with Single Entry Points: SSH Jump Hosts

Using SSH jump hosts (also known as bastion hosts or SSH gateways) with Ansible allows you to securely access and manage servers in a remote network or behind a firewall. Jump hosts act as intermediaries, forwarding your SSH connection to the target hosts. You can configure Ansible to use jump hosts for managing remote servers. Here’s how to set it up:

Don’t forget to join my Discord: https://discord.gg/YbSYGsQYES

1. Configure Your Jump Host:

  • Ensure that you have SSH access to your jump host. You should have an SSH key pair configured for authentication.
  • Make sure you know the hostname or IP address of the jump host.

2. Update Your Ansible Inventory:

  • Modify your Ansible inventory file to include information about the jump host and the target hosts you want to manage.
  • In the inventory file, you route the target hosts through the jump host by setting the ansible_ssh_common_args variable with the -J (ProxyJump) option. Here’s an example:
   [target_hosts]
   target1 ansible_host=192.168.1.101
   target2 ansible_host=192.168.1.102

   [target_hosts:vars]
   ansible_ssh_common_args='-o ProxyJump=your_username@jump_host_ip'

   [jump_host]
   jumphost ansible_host=jump_host_ip ansible_user=your_username

Replace jump_host_ip and your_username with the appropriate values. ProxyJump is set on the target hosts (here as a group variable) and names the jump host; setting it on the jump host entry itself, or using the %h token there, would make SSH try to proxy the jump host through itself.

3. SSH Configuration on Control Machine:

  • Ensure that your SSH client configuration on your control machine is set up to use the jump host. You can do this by modifying your ~/.ssh/config file:
   Host jumphost
       HostName jump_host_ip
       User your_username
       IdentityFile /path/to/your/ssh/key

   Host target*
       ProxyJump jumphost

Replace jump_host_ip, your_username, and /path/to/your/ssh/key with the appropriate values. The ProxyJump directive specifies that SSH connections to target hosts should go through the jump host. Note that SSH matches the Host pattern against the name Ansible hands to ssh, which is the ansible_host value when one is set; if ansible_host is an IP address, use a pattern that matches it (for example Host 192.168.1.*) rather than the inventory alias.

4. Testing the Configuration:

  • You can test the configuration by running an Ansible ad-hoc command or playbook against the target hosts:
   ansible -i inventory -m ping target_hosts

Replace inventory with the path to your Ansible inventory file.

5. Ansible Playbooks:

  • In your Ansible playbooks, you can specify the target hosts as you normally would. Ansible will use the jump host as a gateway for SSH connections:
   ---
   - name: Example Playbook
     hosts: target_hosts
     remote_user: your_remote_user
     tasks:
       - name: Ensure a package is installed
         apt:
           name: package_name
           state: present

With these steps, you can configure Ansible to use an SSH jump host to manage remote servers securely. This setup is particularly useful when your target hosts are in a private network or behind a firewall, and you need to access them via an intermediary host.
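A practitioner usually wants a check that the routing in steps 2 and 3 actually holds before the first playbook run: every host in a private group must carry a ProxyJump, whether from ansible_ssh_common_args in the inventory or from a Host block in ~/.ssh/config, and that ProxyJump must not point back at the host itself (the self-proxy loop that an `%h` token produces). The script below is an added example, not code from the original post or from the Ansible project. The inventory and ssh_config texts it lints are constructed samples; the user `deploy`, the host names, and the addresses 203.0.113.10 and 10.0.0.5 are placeholders, and the ssh_config parser deliberately ignores Match blocks and negated patterns.

```python
"""Added example (not from the original post): lint an Ansible INI inventory and
an ssh_config so every host in a private group has a ProxyJump, from
ansible_ssh_common_args or a ssh_config Host block, that is not the host itself.
Both texts below are constructed samples; names, users and addresses are placeholders.
"""
import fnmatch
import re
import shlex

INVENTORY = """\
[target_hosts]
target1 ansible_host=192.168.1.101
target3 ansible_host=192.168.1.103 ansible_ssh_common_args='-o ProxyJump=%h'
[target_hosts:vars]
ansible_ssh_common_args='-o ProxyJump=deploy@203.0.113.10'
[dmz_hosts]
target4
target5 ansible_host=10.0.0.5
[jump_host]
jumphost ansible_host=203.0.113.10 ansible_user=deploy
"""

SSH_CONFIG = """\
Host jumphost
    HostName 203.0.113.10
    User deploy
Host target*
    ProxyJump jumphost
"""

PRIVATE_GROUPS = {"target_hosts", "dmz_hosts"}  # groups that must never be reached directly
PROXY_RE = re.compile(r"(?:-J\s*|-o\s*ProxyJump=)(\S+)", re.IGNORECASE)


def parse_inventory(text):
    """Return (hosts, group_vars); hosts: name -> {"groups": set, "vars": dict}."""
    hosts, group_vars, section = {}, {}, "ungrouped"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section.endswith(":vars"):
            key, _, val = line.partition("=")
            group_vars.setdefault(section[:-5], {})[key.strip()] = val.strip().strip("'\"")
        elif not section.endswith(":children"):
            name, *pairs = shlex.split(line)  # shlex keeps quoted values intact
            entry = hosts.setdefault(name, {"groups": set(), "vars": {}})
            entry["groups"].add(section)
            entry["vars"].update(p.partition("=")[::2] for p in pairs)
    return hosts, group_vars


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value})] in file order (no Match/negation)."""
    blocks = []
    for raw in text.splitlines():
        m = re.match(r"(\w+)[\s=]+(.*)", raw.strip())
        if not m:  # blank lines and '#' comments never match
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((val.split(), {}))
        elif blocks:
            blocks[-1][1].setdefault(key, val)  # first assignment in a block wins
    return blocks


def ssh_option(blocks, name, key):
    """Mimic ssh(1): the first matching Host block that sets `key` wins."""
    for patterns, opts in blocks:
        if key in opts and any(fnmatch.fnmatchcase(name, p) for p in patterns):
            return opts[key]
    return None


def check_host(name, entry, group_vars, ssh_blocks):
    """Return ("ok" | "loop" | "direct", detail) for one inventory host."""
    args = entry["vars"].get("ansible_ssh_common_args")
    for group in entry["groups"]:
        args = args or group_vars.get(group, {}).get("ansible_ssh_common_args")
    m = PROXY_RE.search(args or "")
    # Ansible hands ssh the ansible_host value if set, else the inventory name, so a
    # ~/.ssh/config Host pattern must match that string rather than the alias.
    ssh_name = entry["vars"].get("ansible_host", name)
    jump = m.group(1) if m else ssh_option(ssh_blocks, ssh_name, "proxyjump")
    if jump is None:
        return "direct", "no ProxyJump from inventory or ssh_config"
    if jump == "%h" or jump.rsplit("@", 1)[-1] in (name, ssh_name):
        return "loop", f"ProxyJump={jump} points at the host itself"
    return "ok", f"ProxyJump={jump} via {'inventory' if m else 'ssh_config'}"


def audit(inventory_text, ssh_config_text, private_groups=PRIVATE_GROUPS):
    """Return {host: (status, detail)} for every host in the private groups."""
    hosts, group_vars = parse_inventory(inventory_text)
    blocks = parse_ssh_config(ssh_config_text)
    return {n: check_host(n, e, group_vars, blocks)
            for n, e in hosts.items() if e["groups"] & private_groups}


if __name__ == "__main__":
    print(*audit(INVENTORY, SSH_CONFIG).items(), sep="\n")
```

In the sample, target1 passes through the group variable, target4 passes only because its bare inventory name matches `Host target*`, target3 is reported as a loop because its host-level `%h` overrides the group variable, and target5 is reported as direct: its ansible_host is an IP address that the `target*` pattern never sees. Pointing `audit()` at your real inventory and ssh_config text gives the same three verdicts for your own hosts.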
