
Ansible integration with Teleport #2217

Closed
andersonaraujo opened this issue Sep 13, 2018 · 8 comments

@andersonaraujo

andersonaraujo commented Sep 13, 2018

What happened:
I followed the steps from this comment #1353 (comment) by @kontsevoy and I managed to successfully log in to one of the nodes using the ssh symlink (manually typing the command).
However, when I run Ansible, it uses some additional parameters and the ssh command is failing:
Basically the tsh -> ssh symlink doesn't recognize the -o parameter:

What you expected to happen:
Given that tsh is supposed to be a fully compatible ssh client, I'd expect the tsh binary (accessed via symlink) to recognize the ssh -o parameter.

How to reproduce it (as minimally and precisely as possible):

# ssh is a symlink pointing to the tsh binary
ssh --identity '~/.ssh/teleport.pem' --proxy=proxy-name.com -o StrictHostKeyChecking=no centos@node

Environment:

  • Teleport version (use teleport version): Teleport v2.7.2 git:v2.7.2-0-ge3054bf7
  • Tsh version (use tsh version): Teleport v2.7.2 git:v2.7.2-0-ge3054bf7
  • OS (e.g. from /etc/os-release):
    NAME="CentOS Linux"
    VERSION="7 (Core)"
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="7"
    PRETTY_NAME="CentOS Linux 7 (Core)"
@andersonaraujo
Author

andersonaraujo commented Sep 13, 2018

Worth mentioning that I also tried the steps in the docs, including the tweaks in the ~/.ssh/config file, but didn't manage to overcome this error:

subsystem request failed on channel 0
ssh_exchange_identification: Connection closed by remote host

I'm fine using the symlink approach, if that works with Ansible.

@kontsevoy
Contributor

@andersonaraujo you need to turn this flag off in Ansible configuration. This particular flag has no meaning for tsh because Teleport does not suffer from trust-on-first-use issue like regular key-based SSH does.

Refer to Ansible documentation for how you can update ansible_ssh_common_args and/or ansible_ssh_extra_args to remove -o StrictHostKeyChecking=no flag.

@andersonaraujo
Author

@kontsevoy I'm afraid that's not the only -o option Ansible is adding by default.
In any case, I made progress with the ssh agent and managed to ssh into my node via Teleport using regular ssh.
However that requires me to run tsh login first to add the certificates into the ssh agent. In the context of automation, that might not be a feasible option. Any way around that?

@kontsevoy
Contributor

@andersonaraujo you need to generate a certificate with a longer expiration date, specifically for Ansible robots:
https://gravitational.com/teleport/docs/user-manual/#ssh-certificates-for-automation

@kontsevoy
Contributor

@klizhentas I want to add this for consideration for 3.1 (support -o flag for some options for CLI compatibility with OpenSSH). To be discussed.

@kontsevoy
Contributor

Closing this and creating a more specific #2330

@faheemrao

@andersonaraujo how did you change OpenSSH to use Teleport with the ssh command? Can you please share the steps.

@andersonaraujo
Author

@faheemrao basically you have to:

  1. run tsh login to install the certificates into the ssh agent;
  2. then pass the following additional params to the ssh client:
    -p 3022 -o "ProxyCommand ssh -p 3023 teleport_cluster -s proxy:%h:%p"

Apparently you can skip step 1 #2217 (comment), but I never got that working because the certificate doesn't seem to be openssh-compatible (but I didn't spend too much time on it, tbh).
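The two pieces of advice in this thread (kontsevoy's: drop the StrictHostKeyChecking=no option Ansible adds, because Teleport authenticates hosts with certificates; andersonaraujo's: point plain OpenSSH at port 3022 through the proxy's -s proxy:%h:%p subsystem on port 3023) can be combined into one OpenSSH client config that Ansible picks up via ansible_ssh_common_args. The script below is an added example, not code from the issue or from the Teleport project. The proxy name teleport-proxy.example.com, the host pattern *.cluster.example.com, the identity path ~/.ssh/teleport-ansible and the inventory name are constructed placeholders; the ports and ProxyCommand form are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the issue or Teleport): build an ssh_config block that
# routes hosts behind a Teleport proxy through the proxy subsystem, an Ansible
# inventory group that uses it, and a helper that strips the host-key-checking
# opt-out Ansible adds by default. All names below are constructed placeholders.

# Emit an ssh_config block for nodes reached through the Teleport proxy.
# $1 = proxy address, $2 = Host pattern, $3 = identity file for the robot user.
# Port 3022 (node) and 3023 (proxy) are the values quoted in the thread.
teleport_ssh_config() {
    proxy="$1"; pattern="$2"; identity="$3"
    cat <<EOF
Host $pattern
    Port 3022
    IdentityFile $identity
    # Keep host-key verification on: instead of StrictHostKeyChecking=no,
    # trust the cluster's host CA (Teleport's docs export it with
    # "tctl auth export --type=host", appended to known_hosts as a
    # @cert-authority line; that command is not from this thread).
    StrictHostKeyChecking yes
    # Tunnel via the Teleport proxy; %h and %p expand to the target host/port.
    ProxyCommand ssh -p 3023 $proxy -s proxy:%h:%p
EOF
}

# Emit an INI inventory group whose hosts use the generated config file.
# $1 = group name, $2 = path of the ssh_config file, remaining args = hosts.
teleport_ansible_inventory() {
    group="$1"; cfg="$2"; shift 2
    printf '[%s]\n' "$group"
    for h in "$@"; do printf '%s\n' "$h"; done
    printf '[%s:vars]\n' "$group"
    # -F makes every ssh Ansible spawns read the Teleport-aware config.
    printf 'ansible_ssh_common_args=-F %s\n' "$cfg"
}

# Remove "-o StrictHostKeyChecking=no" (kontsevoy's advice) from an ssh
# argument string while leaving any other -o options untouched.
strip_insecure_hostkey_opt() {
    printf '%s\n' "$1" | sed -e 's/-o *StrictHostKeyChecking=no *//g' -e 's/ *$//'
}

# Demo: print the generated config and inventory for the placeholder cluster.
teleport_ssh_config teleport-proxy.example.com '*.cluster.example.com' '~/.ssh/teleport-ansible'
teleport_ansible_inventory teleport_nodes '~/.ssh/teleport_config' \
    node1.cluster.example.com node2.cluster.example.com
strip_insecure_hostkey_opt '-o StrictHostKeyChecking=no -o ControlMaster=auto'
```

Write the first block to the file named by -F and the inventory beside your playbook; Ansible then invokes the system ssh with the ProxyCommand and identity from the config, so no tsh login step is needed as long as the identity is a long-lived certificate issued for the robot user (the automation-certificate doc kontsevoy links above). Checking ansible_ssh_common_args with strip_insecure_hostkey_opt before use is a cheap way to make sure the host-key opt-out did not creep back in.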
