salt-ssh-bastion-wrapper

salt-ssh, now with SSH bastion support

Problem

When passed a hostname, salt-ssh will try to look it up in a roster file instead of looking it up, or checking its OpenSSH configuration.

When passed an IP address, it will directly connect with the host, but if you try to reach a host in your company's network that's behind a SSH bastion, you'll have to specify the specific OpenSSH configuration for the host, each and every time, unless you can afford having a host rule in your OpenSSH configuration (which might not always be the case, given the restrictions for addressing in a local network).

Solution

You can call this script as you would call salt-ssh, and pass it a FQDN in the domain of a local network that's behind a bastion. It will look up the proxy configuration in OpenSSH's configuration, lookup the IP address for that FQDN by SSH'ing to the bastion and calling dig, then call salt-ssh with the right proxy option and IP address.

Requirements

• The SSH bastion is required to have the dig binary in the user's $PATH.
• The local host (where this script is run) is required to use OpenSSH 7.3 (August 2016) or higher. In case that's not possible, the script can be edited accordingly (refer to the script's comments to identify the most recent features used).
• The configuration matching the hosts in OpenSSH's configuration is required to use the ProxyJump configuration rule.