Basic SSH Proxying
If you connect to your machines via an intermediary, then you will need to include a proxy host in your SSH configuration.
Note
In all cases - whether SSH is invoked programmatically or otherwise - Bcome will defer to your local ssh-agent for your SSH keys.
Make sure that your ssh-agent is running and that all keys in play have been added.
Example configuration
The networks.yml configuration below defines two inventories: one containing a proxy server, and the other containing servers that may only be connected to via the proxy.
    ---
    wbz:
      type: collection
      description: WBZ gcp estate
      network:
        type: gcp
        project: wbznet
        zone: europe-west1-b
        :authentication_scheme: service_account
        service_account_credentials: service-account.json
        service_scopes:
        - https://www.googleapis.com/auth/compute.readonly
        - https://www.googleapis.com/auth/cloud-platform
    wbz:proxies:
      type: inventory
      description: ssh proxies
      override_identifier: "prod_net_(.+)"
      network:
        filters: status:running AND labels.function=bastion AND labels.environment=prod-net
    wbz:servers:
      type: inventory
      description: Servers
      network:
        filters: status:running AND labels.environment=prod-net AND NOT labels.function=bastion
      override_identifier: "prod_net_(.+)"
      ssh_settings:
        proxy:
        - host_lookup: by_bcome_namespace
          namespace: proxies:bastion
The ‘proxies’ inventory contains a single server named ‘bastion’, which the machines in the ‘servers’ inventory are configured above to use as their proxy.
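A pre-flight check for the proxy reference described above, as an added example (not Bcome's own code): it verifies that each by_bcome_namespace proxy entry points at an inventory defined in the same file, so a typo is caught before any SSH session is attempted. It assumes, as the page's example suggests, that the namespace is written relative to the top-level collection; `proxy_reference_problems` and `SAMPLE_NETWORKS` are hypothetical names.

```ruby
require 'yaml'

# Constructed sample: the page's networks.yml trimmed to the keys this check reads.
SAMPLE_NETWORKS = <<~YAML
  ---
  wbz:
    type: collection
  wbz:proxies:
    type: inventory
  wbz:servers:
    type: inventory
    ssh_settings:
      proxy:
      - host_lookup: by_bcome_namespace
        namespace: proxies:bastion
YAML

# Returns a list of problems found in by_bcome_namespace proxy references.
# Assumption (inferred from the page's example): the namespace is relative to
# the top-level collection, so "proxies:bastion" means server "bastion" in the
# inventory keyed "wbz:proxies".
def proxy_reference_problems(yaml_text)
  # safe_load refuses arbitrary object tags; Symbol is permitted because the
  # page's full file has a symbol-style key (:authentication_scheme).
  config = YAML.safe_load(yaml_text, permitted_classes: [Symbol])
  root = config.keys.map(&:to_s).find { |k| !k.include?(':') }
  problems = []
  config.each do |node, settings|
    proxies = settings.is_a?(Hash) ? settings.dig('ssh_settings', 'proxy') : nil
    Array(proxies).each do |proxy|
      next unless proxy.is_a?(Hash) && proxy['host_lookup'] == 'by_bcome_namespace'
      ns = proxy['namespace'].to_s
      *inventory_path, server = ns.split(':')
      target = ([root] + inventory_path).join(':')
      if inventory_path.empty? || server.to_s.empty?
        problems << "#{node}: namespace '#{ns}' is not inventory:server"
      elsif !config.key?(target)
        problems << "#{node}: proxy inventory '#{target}' is not defined"
      elsif config.dig(target, 'type') != 'inventory'
        problems << "#{node}: '#{target}' is not of type inventory"
      elsif target == node
        problems << "#{node}: inventory proxies through itself"
      end
    end
  end
  problems
end

puts proxy_reference_problems(SAMPLE_NETWORKS).inspect if $PROGRAM_NAME == __FILE__
```

The check only confirms that the referenced inventory exists in the file; whether a server named ‘bastion’ is actually present depends on what the inventory's filters return at runtime.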
My local user is guillaume, and I have ssh keys added to my agent.
The AsciiCast below demonstrates my configuration:
Note
To replay this Asciicast in your own terminal, install the asciinema package from https://asciinema.org/, and then enter the following in your terminal:
asciinema play https://asciinema.org/a/Z8wHFA8DwYYHiKaG1oh7ZYenS
See the Bcome documentation for more detailed & alternative proxy configuration options: SSH Proxy Attributes Configuration.