According to the docs the ssh feature ProxyCommand is not available in roster:
https://docs.saltstack.com/en/latest/topics/ssh/roster.html
It would be very nice to support this.
There are other tickets which contain "ProxyCommand":
BTW, if there is a work-around to connect to a remote host which is only accessible via a "hop machine", please let me know.
Up to now we use this:
Create a temporary ssh tunnel:
ssh -L 2022:remote-host:22 hop-host
Specify localhost, port=2022 in roster.
This works, but it is not nice.
@guettli, thanks for the report.
Just for the record: we solved the tunneling problem outside salt.
We run a systemd service which executes autossh.
Related: http://serverfault.com/questions/730239/start-n-processes-with-one-systemd-service-file
You can close this issue if you think so.
While this feature might be pretty handy, we simply solve this by using ~/.ssh/config for the user running salt-ssh. It has worked well.
@msummers42 does a ProxyCommand in .ssh/config of the user the master is running as help?
AFAIK the last time I checked this salt used paramiko and paramiko did not read .ssh/config.
What has changed? Does salt use a different ssh-API or does paramiko read .ssh/config now?
Same question. @msummers42, can you give more details about the config?
salt-ssh does not use paramiko, but simply your system's ssh, probably openssh if you're on *nix.
Now, with this the case, we simply configure our user running salt-ssh to use an ssh bastion host via ~/.ssh/config.
# Basic initial config I like for an ssh client, use at your own risk
Host *
  # Mitigate CVE-2016-0777, CVE-2016-0778
  UseRoaming no
  # KeepAlive
  ServerAliveInterval 30
  ServerAliveCountMax 2
  # Crypto - this seems pretty safe, but might break with older hosts and could cause problems
  # if you have already accepted hostkeys for nodes before you put this in. If so, just adjust the
  # KexAlgos
  # (The @-suffixed algorithm names below were mangled to "[email protected]" by the page's
  # e-mail obfuscation and are restored here from the standard OpenSSH names.)
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
# Here is our bastion host.
Host bastion
  Hostname bastion.minions.example.com
  User your_unpriv_user
  # You really don't use port 22 for a bastion host do you?
  # (ssh_config does not allow trailing comments, so the note sits on its own line)
  Port 22022
  # Use control master to make things faster
  ControlMaster auto
  ControlPath ~/.ssh/master-%r@%h:%p
  ControlPersist 3600
# Here is config for our salt'd domain, exclude the bastion
Host *.minions.example.com !bastion.minions.example.com
  # must be able to sudo, perhaps without password depending on your roster setup
  User admin_user
  ProxyCommand ssh -W %h:%p bastion
That is it, works perfectly for our smallish team. You may want to include things like the following in each of the blocks specific to your network:
IdentityFile ~/.ssh/your_id_rsa
IdentitiesOnly yes
Does this help you @guettli @herry1234 ?
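The config above relies on two ssh_config rules that are easy to get wrong: a `!pattern` on a Host line rejects the block for that name, and the first value obtained for an option wins, so a catch-all `Host *` placed first shadows anything more specific that follows. The following resolver is an added example (not salt's or the poster's code); it re-implements that matching over a constructed copy of the thread's config, using Python's fnmatch as a stand-in for ssh's `*`/`?` patterns and matching the name as typed, before Hostname substitution, as ssh does.

```python
import fnmatch

# Constructed sample mirroring the thread's config (not salt's or the poster's file).
SAMPLE_CONFIG = """
Host *
    ServerAliveInterval 30
Host bastion
    Hostname bastion.minions.example.com
    User your_unpriv_user
    Port 22022
Host *.minions.example.com !bastion.minions.example.com
    User admin_user
    ProxyCommand ssh -W %h:%p bastion
"""

# Constructed pitfall: a catch-all block placed first shadows the later, more specific block.
PITFALL_CONFIG = """
Host *
    User generic
Host *.minions.example.com
    User admin_user
"""

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, {option: value}) blocks."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ssh_config has whole-line comments only
            continue
        key, value = line.split(None, 1)
        if key.lower() == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key.lower(), value)  # first value inside a block wins too
    blocks.append((patterns, opts))
    return blocks

def host_matches(patterns, host):
    """Any matching negated pattern rejects the block; otherwise one positive match is needed."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective_options(text, host):
    """Resolve options for the name given on the command line: first obtained value wins."""
    result = {}
    for patterns, opts in parse_blocks(text):
        if host_matches(patterns, host):
            for key, value in opts.items():
                result.setdefault(key, value)
    return result
```

Running `effective_options(SAMPLE_CONFIG, "web1.minions.example.com")` yields the ProxyCommand and admin_user, while the bastion itself gets neither, which is exactly the split the `!bastion.minions.example.com` exclusion is there to produce.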
@msummers42 I know more now, but newcomers should find the information sooner.
I am missing some information on this page:
https://docs.saltstack.com/en/latest/topics/ssh/roster.html
I am missing that ~/.ssh/config gets evaluated on the host running the salt-ssh command.
Should I open a new issue?
@jacobhammons I am going to change this over to a documentation issue, we should add to the docs that you can set configurations for ssh that salt-ssh will use and give this example case.
can I change the default ssh-config file location for salt-ssh?
@thebinary you want to change the location from ~/.ssh/config to something else? I like this question, but maybe it's better to ask this outside this issue. (I don't know if it is possible to change the location).
The new release will have ssh_options as a config option in rosters.
See also #18540
OK, I'll close this.
ssh_options were added in https://github.com/saltstack/salt/commit/16f21e57b295b558bac587da53a3942e4cf9888e