Using connection delegation with mitogen for Ansible

source link: https://arrfab.net/posts/2020/Oct/28/using-connection-delegation-with-mitogen-for-ansible/

This should be a very short blog post, but long enough to justify a post instead of a 'tweet': I had myself a small issue with the mitogen plugin in our Ansible infra.

To cut a long story short, everybody knows that Ansible relies on ssh as its transport, so one can use the traditional ~/.ssh/config tuning to declare a ProxyJump for some hosts, etc.

But when you use mitogen (we do), the official doc mentions a specific parameter for connection delegation: mitogen_via.

The simple example on that web page looks trivial, and if you have multiple hosts that need to be configured remotely by the ansible+mitogen combo, using mitogen_via should speed things up, since mitogen would then know about the host topology.

That's what I thought when I had a look at the simple inventory on that web page:

[dc2]
web1.dc2
web2.dc2
web3.dc2

[dc2:vars]
mitogen_via = bastion.dc2

Sounds easy, but when I quickly tried mitogen_via, something I thought would be obvious in fact wasn't. My understanding was that mitogen would automatically force agent forwarding when going through the bastion host. A simple ansible -m ping (let's take web1.dc2 from their example) returned:

web1.dc2 | UNREACHABLE! => {
    "changed": false,
    "msg": "error occurred on host bastion.dc2: SSH authentication is incorrect",
    "unreachable": true
}

Well, we can see from the returned JSON that it was trying to pass through bastion.dc2, and that's confirmed by the sshd log on web1.dc2:

Oct 28 15:52:36 web1.dc2 sshd[12913]: Connection closed by <ip_from_bastion.dc2> port 56728 [preauth]

Then I thought about something that was obvious to me but that mitogen (which just reuses the underlying ssh) doesn't do automatically: forwarding the ssh agent to the nodes behind the bastion.

We can easily solve that with one simple Ansible parameter: Ansible has the ansible_ssh_common_args and ansible_ssh_extra_args variables, specific to the SSH connection plugin.

So what about forcing agent forwarding just on that bastion host and seeing how that works? That means that in our inventory (it can go in host_vars/bastion.dc2 too) we just have to add the parameter:

bastion.dc2 ansible_ssh_extra_args='-o ForwardAgent=yes'

Let's try again:

web1.dc2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

Good, so we can push that for our bastion hosts (the ones used as mitogen_via in the inventory) into host_vars or group_vars and call it a day. The reason I prefer ansible_ssh_extra_args is that it is merged with, rather than replacing, the settings you may already have in your ansible.cfg, like:

[ssh_connection]
ssh_args =

I like the logic: we don't need to modify ~/.ssh/config with all the exceptions to reflect the infra layout, we can just describe it in the Ansible inventory.
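Putting the two pieces together, as an added example that is not from the original post or the mitogen docs: the same dc2 layout as a YAML inventory, with agent forwarding scoped to the bastion host alone, which is the only host that needs it.

```yaml
# Added example: dc2 inventory in YAML, mirroring the post's INI layout.
# Only bastion.dc2 gets ForwardAgent; the web hosts are reached through
# mitogen_via and carry no SSH tuning of their own.
all:
  children:
    bastions:
      hosts:
        bastion.dc2:
          # Appended to ssh_args from ansible.cfg rather than replacing
          # it, so the rest of the SSH tuning stays in place.
          ansible_ssh_extra_args: '-o ForwardAgent=yes'
    dc2:
      hosts:
        web1.dc2:
        web2.dc2:
        web3.dc2:
      vars:
        # mitogen opens the connection to each dc2 host from bastion.dc2,
        # which is why the bastion, not the web hosts, needs the agent.
        mitogen_via: bastion.dc2
```

Check it with `ansible -i dc2.yml -m ping dc2`: the UNREACHABLE answer from the post means the agent did not make it to the bastion.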
