@@ -0,0 +1,16 @@
+# salt-ssh, now with SSH bastion support
+
+## Problem
+
+When passed a hostname, salt-ssh will try to look it up in a roster file instead of looking it up, or checking its OpenSSH configuration.
+
+When passed an IP address, it will directly connect with the host, but if you try to reach a host in your company's network that's behind a SSH bastion, you'll have to specify the specific OpenSSH configuration for the host, each and every time, unless you can afford having a host rule in your OpenSSH configuration (which might not always be the case, given the restrictions for addressing in a local network).
+
+## Solution
+
+You can call this script as you would call `salt-ssh`, and pass it a FQDN in the domain of a local network that's behind a bastion. It will look up the proxy configuration in OpenSSH's configuration, lookup the IP address for that FQDN by SSH'ing to the bastion and calling `dig`, then call `salt-ssh` with the right proxy option and IP address.
+
+## Requirements
+
+* The SSH bastion is required to have the `dig` binary in the user's `$PATH`
+* The local host (where this script is run) is required to use OpenSSH 7.3 (August 2016) or higher. In case that's not possible, the script can be edited accordingly (refer to the script's comments to identify the most recent features used).