salt-ssh always tries to connect to reverse hostname
Can't connect to a minion via salt-ssh, although plain ssh works just fine. It looks like salt does reverse IP lookup and then uses this new address to connect via ssh. The machine is located behind a NAT and the connection is established via port-forwarding.
% salt-ssh --user pi --sudo -i minion.example.com test.ping
11-22-33-44.provider.com:
    ssh: Could not resolve hostname 11-22-33-44.provider.com: nodename nor servname provided, or not known
The same with IP address:
% salt-ssh --user pi --sudo -i 22.214.171.124 test.ping
11-22-33-44.provider.com:
    ssh: Could not resolve hostname 11-22-33-44.provider.com: nodename nor servname provided, or not known
dig +short minion.example.com
126.96.36.199

dig +short -x 188.8.131.52
184.108.40.206.provider.com.

dig +short 220.127.116.11.provider.com.
Note the last command. It doesn't return anything, and that is the reason why it fails. Also, the second command, dig +short -x 18.104.22.168, could return any garbage (it is set up by the hosting provider, not by the owner of example.com). Salt shouldn't trust that data to connect to hosts.
The log below shows that salt-ssh uses reverse hostname to connect and not the one I specified on the command line. I feel this could be potentially bad security-wise.
[TRACE ] Terminal Command: /bin/sh -c 11-22-33-44.provider.com -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o Port=22 -o IdentityFile=agent-forwarding -o User=pi /bin/sh << 'EOF'
Salt Version:
           Salt: 2018.3.2

Dependency Versions:
           cffi: 1.11.5
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: 2.18
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.6.6 (default, Jun 28 2018, 05:43:53)
   python-gnupg: Not Installed
         PyYAML: 3.13
          PyZMQ: 17.1.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.2.5

System Versions:
           dist:
         locale: UTF-8
        machine: x86_64
        release: 17.7.0
         system: Darwin
        version: 10.13.6 x86_64
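The report above boils down to three lookups: forward-resolve the target, reverse-resolve the address, and forward-resolve the PTR name again. The third step is the forward-confirmed reverse DNS (FCrDNS) check, and it is the standard way to decide whether a PTR record can be trusted at all. The following is an added example (not Salt's code, and not a patch for it) that runs those three steps with injectable resolver callables, so it works offline against constructed zone data in the documentation ranges (192.0.2.0/24, 198.51.100.0/24) with invented names such as minion.example.com and 10-2-0-192.provider.example. The names `check_target`, `system_forward` and `system_reverse` are this example's own. Whatever the PTR status, `connect_to` stays the name or address the operator typed, which is the behaviour the report asks for; the PTR result is only classified for logging.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an ssh target.

Added example, not Salt's own code.  The name or address the operator typed
is the only thing ssh should connect to.  PTR data belongs to whoever owns
the address block (often a hosting provider), so it is classified for
logging and sanity checks, never used as the connection target.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Resolver callables, so the check can run offline with constructed data.
ForwardLookup = Callable[[str], Optional[str]]  # hostname -> address, or None
ReverseLookup = Callable[[str], Optional[str]]  # address  -> PTR name, or None


def _is_ip(value: str) -> bool:
    """True for a literal IPv4/IPv6 address, False for a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_target(target: str, forward: ForwardLookup,
                 reverse: ReverseLookup) -> Dict[str, Optional[str]]:
    """Classify the PTR data for `target` and say where ssh should connect.

    status values:
      unresolvable       the target itself does not resolve
      no-ptr             the address has no PTR record
      ptr-unconfirmed    the PTR name does not resolve back to the address
      forward-confirmed  the PTR name resolves back to the same address
    `connect_to` is always the operator's target: even a confirmed PTR name
    gains nothing, and an unconfirmed one can point anywhere.
    """
    result: Dict[str, Optional[str]] = {
        "target": target, "address": None, "ptr": None,
        "ptr_address": None, "status": None, "connect_to": target,
    }
    address = target if _is_ip(target) else forward(target)
    if address is None:
        result["status"] = "unresolvable"
        return result
    result["address"] = address
    ptr = reverse(address)
    if ptr is None:
        result["status"] = "no-ptr"
        return result
    ptr = ptr.rstrip(".")  # PTR names come back with a trailing dot
    result["ptr"] = ptr
    result["ptr_address"] = forward(ptr)
    result["status"] = ("forward-confirmed" if result["ptr_address"] == address
                        else "ptr-unconfirmed")
    return result


# Wrappers over the system resolver for real use (standard-library calls).
def system_forward(name: str) -> Optional[str]:
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def system_reverse(address: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(address)[0]
    except (socket.herror, socket.gaierror):
        return None


# Constructed zone data (documentation ranges, invented names) mirroring the
# report: the minion's provider-assigned PTR name does not resolve at all.
CONSTRUCTED_FORWARD = {
    "minion.example.com": "192.0.2.10",
    "good.example.com": "192.0.2.20",
    "other.example.net": "198.51.100.7",
}
CONSTRUCTED_REVERSE = {
    "192.0.2.10": "10-2-0-192.provider.example.",  # dangling PTR, as in the report
    "192.0.2.20": "good.example.com.",             # forward-confirms
    "192.0.2.40": "other.example.net.",            # resolves, but to another host
}


def check_constructed(target: str) -> Dict[str, Optional[str]]:
    """Run check_target against the constructed zone data above."""
    return check_target(target, CONSTRUCTED_FORWARD.get, CONSTRUCTED_REVERSE.get)


if __name__ == "__main__":
    for t in ["minion.example.com", "192.0.2.10", "good.example.com",
              "192.0.2.30", "192.0.2.40", "nope.example.com"]:
        r = check_constructed(t)
        print(f"{t:20} status={r['status']:18} ptr={r['ptr']} "
              f"connect_to={r['connect_to']}")
```

Against live DNS the same check is `check_target("minion.example.com", system_forward, system_reverse)`. The 192.0.2.40 case is the one worth watching in logs: its PTR name does resolve, just to a different address, which is exactly the situation where a tool that connects to the reverse name would end up on a host the operator never named.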
Comment by jf:
To add on (why, why, why) I now discover that with the latest version of salt-ssh on the mac, whereas in the past I just needed to have a host be added to /etc/salt/roster, now I need to have a reverse entry for it in /etc/hosts as well??

Without an entry in
# salt-ssh vm-aa test.ping
[ERROR ] Target 'vm-aa' did not return any data, probably due to an error.
vm-aa:
    Target 'vm-aa' did not return any data, probably due to an error.
Salt Version:
           Salt: 3000.1

Dependency Versions:
           cffi: 1.12.2
       cherrypy: unknown
       dateutil: 2.8.0
      docker-py: Not Installed
          gitdb: 2.0.6
      gitpython: 2.1.15
         Jinja2: 2.10.1
        libgit2: Not Installed
       M2Crypto: Not Installed
           Mako: 1.0.7
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: 2.19
       pycrypto: 3.8.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.5.4 (default, Mar 27 2020, 15:24:03)
   python-gnupg: 0.4.4
         PyYAML: 5.1.2
          PyZMQ: 18.0.1
          smmap: 3.0.1
        timelib: 0.2.4
        Tornado: 4.5.3
            ZMQ: 4.3.1

System Versions:
           dist:
         locale: UTF-8
        machine: x86_64
        release: 19.3.0
         system: Darwin
        version: 10.15.3 x86_64