communicator/ssh: support for bastion SSH #2266
Conversation
Code LGTM! Bastions are sort of annoying without an ssh-agent. Looks like no agent support in normal SSH functionality either, so not expecting that here. In the meantime, I wonder if it'd be convenient to default SSHBastionPrivateKey to SSHPrivateKey, since that's a common property of bastion-using environments (same key for jump as for internal hosts). I believe the SSH handshake mechanism is such that there aren't any security implications of offering up a private key to a server, so that angle shouldn't be a problem IIRC.
@phinze Packer just always uses the local SSH agent if it finds it. It is opt-out, vs. opt-in like Terraform. Sounds good to default it.
Oh nice! Based on some anecdotal user feedback, I'm hoping to make Terraform's opt-out too. 👍
Ah, brilliant timing! @mitchellh would it be possible for a quick overview on how to set this up?
@nathanielks This should help: https://packer.io/docs/templates/communicator.html |
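Pulling the relevant options together, an added example (not code from the PR or from anyone in this thread): a minimal amazon-ebs template that routes the SSH communicator through a bastion. The option names are the ones in the Packer communicator reference linked above; the AMI, region, hostnames and key paths are placeholders, and you should check the linked page for the exact set of bastion options supported by your Packer version.

```json
{
  "builders": [
    {
      "type": "amazon-ebs",
      "region": "us-east-1",
      "source_ami": "ami-xxxxxxxx",
      "instance_type": "t2.micro",
      "ami_name": "bastion-built-{{timestamp}}",

      "communicator": "ssh",
      "ssh_username": "ubuntu",
      "ssh_private_key_file": "/home/me/.ssh/build_key",

      "ssh_bastion_host": "bastion.example.internal",
      "ssh_bastion_port": 22,
      "ssh_bastion_username": "jump",
      "ssh_bastion_private_key_file": "/home/me/.ssh/build_key"
    }
  ]
}
```

Two practitioner notes on the security angle raised above. First, SSH public-key authentication never transmits the private key: the client proves possession by signing a session-bound challenge, so pointing ssh_bastion_private_key_file at the same file as ssh_private_key_file does not expose the key to the bastion. What it does do is authorize one key for both hops, so treat that key's scope accordingly (restrict it with authorized_keys options on the bastion, or use separate keys if your bastion is shared). Second, as the later reports in this thread describe, when a private key file is configured it is what gets used for the bastion hop; if you expect an agent-held key to be used instead, confirm which credential is actually presented before relying on it.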
@mitchellh You're awesome.
I am a little bit unclear on how the communicator should work. We are running Packer behind a corporate firewall and we would like to create AMIs. I was able to set up SSH tunneling over HTTPS using corkscrew and was able to SSH to an EC2 instance from behind the firewall. My understanding is Packer can't take advantage of that and the SSH communicator can be used to solve this problem, but I am not sure why. Can someone elaborate on that?
/cc @mitchellh commented on Jun 17:
I'd like to report that my local ssh agent is never utilized. I'm running v0.8.6. I'm using 'amazon-ebs' with For reasons possibly starting in/around #1837 , when If the ssh agent was consulted, this would not be an issue. The one-off temporary private key credentials I created are being exclusively used instead. Proof:
+1 for @tamsky 's report - my ssh-agent doesn't get used to access the bastion host. |
+1 for @tamsky and @amosshapira report of no ssh-agent support for bastions. I am running packer 0.8.6:
Am I correct in assuming that when you run a packer template using
Thanks @rickard-von-essen ! |
In our current company the bastion host is configured to use 2FA, so neither a static password nor a private key is cutting it. I wonder if we have a feature request to either use a control socket (ssh -S) or, at the very least, provide a way of asking for two-factor credentials during the packer run.
Fixes #387
This builds on #1721 and makes an SSH bastion host available to all builders.
For docs I still want to do a bigger communicator section for the docs, so leaving it out for now since I inevitably have to go over every communicator config anyways.