Remote execution not using jump host/bastion host configuration

Good day, all

After leaving this issue aside for a while, I made a fresh attempt and finally managed to get this to work, with the following changes:

  • My custom SSH configuration file containing my bastion/jumphost configuration:

    # cat /etc/ssh/ssh_config.d/06-platbot.conf

    CheckHostIP no
    ForwardAgent yes
    AddKeysToAgent yes
    StrictHostKeyChecking=no
    HostKeyAlgorithms +ssh-dss
    Ciphers +aes256-cbc,3des-cbc
    KexAlgorithms +diffie-hellman-group1-sha1

    Host *.platform.is !bastion01.platform.is !bastion.platform.is
        ProxyCommand ssh -W %h:%p platbot@bastion01.platform.is

  • Remove the single line ssh_options << "-o ProxyCommand=none" in the Ruby code (/usr/share/gems/gems/smart_proxy_remote_execution_ssh-0.9.0/lib/smart_proxy_remote_execution_ssh/multiplexed_ssh_connection.rb), to make the relevant block in the code look like this:

    def establish_ssh_options
      return @establish_ssh_options if @establish_ssh_options
      ssh_options = []
      ssh_options << "-o User=#{@ssh_user}"
      ssh_options << "-o Port=#{@ssh_port}" if @ssh_port
      ssh_options << "-o IdentityFile=#{@client_private_key_file}" if @client_private_key_file
      ssh_options << "-o IdentitiesOnly=yes"
      ssh_options << "-o StrictHostKeyChecking=no"
      ssh_options << "-o UserKnownHostsFile=#{prepare_known_hosts}" if @host_public_key
      ssh_options << "-o LogLevel=#{ssh_log_level(true)}"
      ssh_options << "-o ControlMaster=auto"
      ssh_options << "-o ControlPath=#{socket_file}"
      ssh_options << "-o ControlPersist=yes"
      @establish_ssh_options = ssh_options
    end

instead of this:

    def establish_ssh_options
      return @establish_ssh_options if @establish_ssh_options
      ssh_options = []
      ssh_options << "-o User=#{@ssh_user}"
      ssh_options << "-o Port=#{@ssh_port}" if @ssh_port
      ssh_options << "-o IdentityFile=#{@client_private_key_file}" if @client_private_key_file
      ssh_options << "-o IdentitiesOnly=yes"
      ssh_options << "-o StrictHostKeyChecking=no"
      ssh_options << "-o UserKnownHostsFile=#{prepare_known_hosts}" if @host_public_key
      ssh_options << "-o LogLevel=#{ssh_log_level(true)}"
      ssh_options << "-o ControlMaster=auto"
      ssh_options << "-o ControlPath=#{socket_file}"
      ssh_options << "-o ControlPersist=yes"
      ssh_options << "-o ProxyCommand=none"
      @establish_ssh_options = ssh_options
    end

I fully understand that this is not a permanent solution as upgrades and such will likely overwrite this code, but I just thought I’d mention this temporary workaround.

My current Foreman environment is still on version 2.0 (we were very lax in keeping this environment updated) and this will at least allow me to spin up new Foreman master and proxy hosts on the more recent version, re-register all my clients and still be able to push jobs.

I will still go ahead and file a bug, as initially suggested. Thank you guys again for your assistance!

Regards,
Kevin Pillay
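
The configuration in the post places several directives before its Host line, so they apply to every SSH destination reached from that machine, not only *.platform.is. The following is an added example, not part of the original post or of Foreman's code: a small Ruby audit that reports which weakening directives are present and at what scope. The RISKY table, the function name and the constant names are assumptions of this example.

```ruby
# Added example (not Foreman code): flag ssh_config directives that weaken
# host verification or crypto, and report the Host scope they apply to.
# RISKY is this example's own assumption about what to flag.
RISKY = {
  "stricthostkeychecking" => ->(v) { %w[no off].include?(v.downcase) && "host keys accepted without verification" },
  "forwardagent"          => ->(v) { v.casecmp?("yes") && "agent forwarded to every matched host" },
  "hostkeyalgorithms"     => ->(v) { v.include?("ssh-dss") && "adds DSA host keys" },
  "ciphers"               => ->(v) { v.match?(/-cbc\b/) && "adds legacy CBC ciphers" },
  "kexalgorithms"         => ->(v) { v.include?("group1-sha1") && "adds 1024-bit DH group1 with SHA-1" },
}.freeze

# Returns one hash per risky directive. Directives before the first
# Host/Match line apply to every destination, reported as "(global)".
def audit_ssh_config(text)
  scope = "(global)"
  findings = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s*=\s*|\s+/, 2) # "Key value" or "Key=value"
    value = value.to_s
    if %w[host match].include?(key.downcase)
      scope = "#{key} #{value}"
      next
    end
    check = RISKY[key.downcase]
    reason = check && check.call(value)
    findings << { scope: scope, directive: key, reason: reason } if reason
  end
  findings
end

# The configuration from the post above.
POSTED_CONFIG = <<~CONF
  CheckHostIP no
  ForwardAgent yes
  AddKeysToAgent yes
  StrictHostKeyChecking=no
  HostKeyAlgorithms +ssh-dss
  Ciphers +aes256-cbc,3des-cbc
  KexAlgorithms +diffie-hellman-group1-sha1

  Host *.platform.is !bastion01.platform.is !bastion.platform.is
      ProxyCommand ssh -W %h:%p platbot@bastion01.platform.is
CONF

if __FILE__ == $PROGRAM_NAME
  audit_ssh_config(POSTED_CONFIG).each do |f|
    puts format("%-10s %-22s %s", f[:scope], f[:directive], f[:reason])
  end
end
```

Moving the flagged directives under the Host block that needs them changes their reported scope from "(global)" to that Host pattern.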