Showing 3 changed files with 25 additions and 4 deletions
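--- a/inventory/hosts-local.yaml
+++ b/inventory/hosts-local.yaml
@@ -54,6 +54,7 @@ jumps:
     hostname: 10.253.51.50
     port: 25904
     role: primary
+    proxy_jump: is-jumper
   j2:
     aliases: [j2, j2-local]
     hostname: 10.253.51.52
@@ -153,6 +154,8 @@ groups:
         hostname: 192.168.2.100
         user: root
         proxy_jump: none
+        identity_file: ~/.ssh/keys/is-jumper_ed25519
+        identities_only: true
       # xdev.ro local network hosts (accessed via is-jumper)
       is_mazeri:
         aliases: [is-mazeri]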
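--- a/inventory/hosts.yaml
+++ b/inventory/hosts.yaml
@@ -98,9 +98,10 @@ groups:
         hostname: 193.16.148.153
         port: 60011
       elastix:
-        aliases: [elastix, 10.253.50.62, 188.173.1.15]
-        hostname: 10.253.50.62
+        aliases: [elastix, elastix-magazine, 10.253.51.136]
+        hostname: 10.253.51.136
         user: root
+        options: KexAlgorithms=+diffie-hellman-group14-sha1
       ss7:
         aliases: [ss7]
         hostname: 10.253.51.138
@@ -110,7 +111,7 @@ groups:
         hostname: 10.253.51.134
         user: bogdan
       voip_pbx_bo:
-        aliases: [voip-pbx-bo, pbx-bo, 10.253.51.135]
+        aliases: [voip-pbx-bo, pbx-bo, pbx-magazine, 10.253.51.135]
         hostname: 10.253.51.135
         user: bogdan
 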
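Review bot: The new `options: KexAlgorithms=+diffie-hellman-group14-sha1` on `elastix` re-enables a SHA-1 based key exchange that current OpenSSH clients leave out of their default proposal, and nothing in the entry records why or for how long. The `+` prefix and the per-host scope keep the exception narrow; I would add a comment above it such as `# legacy sshd on elastix offers only SHA-1 KEX; drop this line once the host is upgraded`. The entry also logs in as `root`, so this is the host where a weakened key exchange matters most. How `options` is rendered into the generated config is not visible in this diff, so it is worth confirming the value lands only in this host's block.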
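--- a/tools/generate-configs.py
+++ b/tools/generate-configs.py
@@ -83,11 +83,14 @@ def host_block(aliases, hostname, user=None, port=None, extra=None):
     proxy_jump = (extra or {}).pop("proxy_jump", None)
     route = (extra or {}).pop("route", None)
     identity_file = (extra or {}).pop("identity_file", None)
+    identities_only = (extra or {}).pop("identities_only", None)
 
     if route:
         lines.append(f"    SetEnv SSH_ROUTE={route}")
     if identity_file:
         lines.append(f"    IdentityFile {identity_file}")
+    if identities_only:
+        lines.append(f"    IdentitiesOnly {identities_only}")
     if auth == "password_interactive":
         lines.append("    SetEnv NG_SSH_AUTH=password-interactive")
         lines.append("    BatchMode no")
@@ -184,13 +187,21 @@ def emit_jumps(data, include_comments=True):
     defaults = data["defaults"]["jump"]
     for jump in data["jumps"].values():
         item = merged(defaults, {}, jump)
-        lines.extend(host_block(aliases_for_host(item), item["hostname"], item.get("user"), item.get("port")))
+        extra = {}
+        if item.get("proxy_jump"):
+            extra["proxy_jump"] = item["proxy_jump"]
+        if item.get("identity_file"):
+            extra["identity_file"] = item["identity_file"]
+        if "identities_only" in item:
+            extra["identities_only"] = fmt_bool(item["identities_only"])
+        lines.extend(host_block(aliases_for_host(item), item["hostname"], item.get("user"), item.get("port"), extra))
     return lines
 
 
 def emit_hosts_for_group(data, group, target, defaults):
     group_defaults = group.get("defaults", {})
     lines = []
+    group_jump = group.get("default_jump")
     for host in group.get("hosts", {}).values():
         if not should_emit_host_on_target(data, target, group_defaults, host):
             continue
@@ -203,6 +214,12 @@ def emit_hosts_for_group(data, group, target, defaults):
             extra["route"] = item["route"]
         if item.get("identity_file"):
             extra["identity_file"] = item["identity_file"]
+        if "identities_only" in item:
+            extra["identities_only"] = fmt_bool(item["identities_only"])
+        if item.get("proxy_jump"):
+            extra["proxy_jump"] = item["proxy_jump"]
+        elif group_jump:
+            extra["proxy_jump"] = group_jump
         user = item.get("user")
         port = item.get("port")
         if company_managed_rule(data, target, aliases, user, port):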
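Review bot: In the last hunk of emit_hosts_for_group the per-host override is tested with `item.get("proxy_jump")`, so a host that opts out with a YAML null, `false` or an empty string falls through to `elif group_jump:` and is silently routed through the group's default jump. The inventory's convention is the string `none`, which is truthy and so works today, but the `identities_only` check just above already uses a presence test, and the same form would make the opt-out robust: `if "proxy_jump" in item:` followed by `extra["proxy_jump"] = item["proxy_jump"] or "none"`. This assumes merged() does not inject a `proxy_jump` key from defaults and that host_block passes `none` through as-is; both are outside the visible lines. The loop body continues past the end of the hunk.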