From f5eaac9f751ee5d6026ee2bea2677134ae10ee4d Mon Sep 17 00:00:00 2001 From: Miguel Jacq Date: Tue, 13 Jan 2026 21:56:28 +1100 Subject: [PATCH] Support `--remote-ssh-config [path-to-ssh-config]` as an argument in case extra params are required beyond `--remote-port` or `--remote-user`. Note: `--remote-host` must still be set, but it can be an 'alias' represented by the 'Host' value in the ssh config. --- CHANGELOG.md | 4 ++++ debian/changelog | 6 +++++ enroll/cli.py | 48 ++++++++++++++++++++++++++++++++------- enroll/remote.py | 59 ++++++++++++++++++++++++++++++++++++++++++++---- pyproject.toml | 2 +- rpm/enroll.spec | 5 +++- 6 files changed, 110 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 29da559..0772cc4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +# 0.4.2 + + * Support `--remote-ssh-config [path-to-ssh-config]` as an argument in case extra params are required beyond `--remote-port` or `--remote-user`. Note: `--remote-host` must still be set, but it can be an 'alias' represented by the 'Host' value in the ssh config. + # 0.4.1 * Add interactive output when 'enroll diff --enforce' is invoking Ansible. diff --git a/debian/changelog b/debian/changelog index 086b52e..58e80e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +enroll (0.4.2) unstable; urgency=medium + + * Support `--remote-ssh-config [path-to-ssh-config]` as an argument in case extra params are required beyond `--remote-port` or `--remote-user`. Note: `--remote-host` must still be set, but it can be an 'alias' represented by the 'Host' value in the ssh config. + + -- Miguel Jacq Tue, 13 Jan 2026 21:55:00 +1100 + enroll (0.4.1) unstable; urgency=medium * Add interactive output when 'enroll diff --enforce' is invoking Ansible. diff --git a/enroll/cli.py b/enroll/cli.py index c1f0870..69e85ed 100644 --- a/enroll/cli.py +++ b/enroll/cli.py @@ -350,16 +350,33 @@ def _add_remote_args(p: argparse.ArgumentParser) -> None: "--remote-host", help="SSH host to run harvesting on (if set, harvest runs remotely and is pulled locally).", ) + p.add_argument( + "--remote-ssh-config", + nargs="?", + const=str(Path.home() / ".ssh" / "config"), + default=None, + help=( + "Use OpenSSH-style ssh_config settings for --remote-host. " + "If provided without a value, defaults to ~/.ssh/config. " + "(Applies HostName/User/Port/IdentityFile/ProxyCommand/HostKeyAlias when supported.)" + ), + ) p.add_argument( "--remote-port", type=int, - default=22, - help="SSH port for --remote-host (default: 22).", + default=None, + help=( + "SSH port for --remote-host. If omitted, defaults to 22, or a value from ssh_config when " + "--remote-ssh-config is set." + ), ) p.add_argument( "--remote-user", - default=os.environ.get("USER") or None, - help="SSH username for --remote-host (default: local $USER).", + default=None, + help=( + "SSH username for --remote-host. If omitted, defaults to local $USER, or a value from ssh_config when " + "--remote-ssh-config is set." + ), ) # Align terminology with Ansible: "become" == sudo. @@ -728,6 +745,17 @@ def main() -> None: ) args = ap.parse_args(argv) + # Preserve historical defaults for remote harvesting unless ssh_config lookup is enabled. + # This lets ssh_config values take effect when the user did not explicitly set + # --remote-user / --remote-port. + if hasattr(args, "remote_host"): + rsc = getattr(args, "remote_ssh_config", None) + if not rsc: + if getattr(args, "remote_port", None) is None: + setattr(args, "remote_port", 22) + if getattr(args, "remote_user", None) is None: + setattr(args, "remote_user", os.environ.get("USER") or None) + try: if args.cmd == "harvest": sops_fps = getattr(args, "sops", None) @@ -745,8 +773,9 @@ def main() -> None: ask_become_pass=args.ask_become_pass, local_out_dir=tmp_bundle, remote_host=args.remote_host, - remote_port=int(args.remote_port), + remote_port=args.remote_port, remote_user=args.remote_user, + remote_ssh_config=args.remote_ssh_config, dangerous=bool(args.dangerous), no_sudo=bool(args.no_sudo), include_paths=list(getattr(args, "include_path", []) or []), @@ -766,8 +795,9 @@ def main() -> None: ask_become_pass=args.ask_become_pass, local_out_dir=out_dir, remote_host=args.remote_host, - remote_port=int(args.remote_port), + remote_port=args.remote_port, remote_user=args.remote_user, + remote_ssh_config=args.remote_ssh_config, dangerous=bool(args.dangerous), no_sudo=bool(args.no_sudo), include_paths=list(getattr(args, "include_path", []) or []), @@ -968,8 +998,9 @@ def main() -> None: ask_become_pass=args.ask_become_pass, local_out_dir=tmp_bundle, remote_host=args.remote_host, - remote_port=int(args.remote_port), + remote_port=args.remote_port, remote_user=args.remote_user, + remote_ssh_config=args.remote_ssh_config, dangerous=bool(args.dangerous), no_sudo=bool(args.no_sudo), include_paths=list(getattr(args, "include_path", []) or []), @@ -998,8 +1029,9 @@ def main() -> None: ask_become_pass=args.ask_become_pass, local_out_dir=harvest_dir, remote_host=args.remote_host, - remote_port=int(args.remote_port), + remote_port=args.remote_port, remote_user=args.remote_user, + remote_ssh_config=args.remote_ssh_config, dangerous=bool(args.dangerous), no_sudo=bool(args.no_sudo), include_paths=list(getattr(args, "include_path", []) or []), diff --git a/enroll/remote.py b/enroll/remote.py index 93cee74..c7b54a6 100644 --- a/enroll/remote.py +++ b/enroll/remote.py @@ -330,8 +330,9 @@ def _remote_harvest( *, local_out_dir: Path, remote_host: str, - remote_port: int = 22, + remote_port: Optional[int] = None, remote_user: Optional[str] = None, + remote_ssh_config: Optional[str] = None, remote_python: str = "python3", dangerous: bool = False, no_sudo: bool = False, @@ -370,10 +371,60 @@ def _remote_harvest( # Users should add the key to known_hosts. ssh.set_missing_host_key_policy(paramiko.RejectPolicy()) + # Resolve SSH connection parameters. + connect_host = remote_host + connect_port = int(remote_port) if remote_port is not None else 22 + connect_user = remote_user + key_filename = None + sock = None + hostkey_name = connect_host + + if remote_ssh_config: + from paramiko.config import SSHConfig # type: ignore + from paramiko.proxy import ProxyCommand # type: ignore + import socket as _socket + + cfg_path = Path(str(remote_ssh_config)).expanduser() + if not cfg_path.exists(): + raise RuntimeError(f"SSH config file not found: {cfg_path}") + + cfg = SSHConfig() + with cfg_path.open("r", encoding="utf-8") as _fp: + cfg.parse(_fp) + hcfg = cfg.lookup(remote_host) + + connect_host = str(hcfg.get("hostname") or remote_host) + hostkey_name = str(hcfg.get("hostkeyalias") or connect_host) + + if remote_port is None and hcfg.get("port"): + try: + connect_port = int(str(hcfg.get("port"))) + except ValueError: + pass + if connect_user is None and hcfg.get("user"): + connect_user = str(hcfg.get("user")) + + ident = hcfg.get("identityfile") + if ident: + if isinstance(ident, (list, tuple)): + key_filename = [str(Path(p).expanduser()) for p in ident] + else: + key_filename = str(Path(str(ident)).expanduser()) + + proxycmd = hcfg.get("proxycommand") + if proxycmd: + sock = ProxyCommand(str(proxycmd)) + elif hostkey_name != connect_host: + # If HostKeyAlias is used, connect to HostName via a socket but + # use HostKeyAlias for known_hosts lookups. + sock = _socket.create_connection((connect_host, connect_port)) + ssh.connect( - hostname=remote_host, - port=int(remote_port), - username=remote_user, + hostname=hostkey_name if sock is not None else connect_host, + port=connect_port, + username=connect_user, + key_filename=key_filename, + sock=sock, allow_agent=True, look_for_keys=True, ) diff --git a/pyproject.toml b/pyproject.toml index 84b7887..92756d1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "enroll" -version = "0.4.1" +version = "0.4.2" description = "Enroll a server's running state retrospectively into Ansible" authors = ["Miguel Jacq "] license = "GPL-3.0-or-later" diff --git a/rpm/enroll.spec b/rpm/enroll.spec index 30bac4e..98f3f8f 100644 --- a/rpm/enroll.spec +++ b/rpm/enroll.spec @@ -1,4 +1,4 @@ -%global upstream_version 0.4.1 +%global upstream_version 0.4.2 Name: enroll Version: %{upstream_version} @@ -43,6 +43,9 @@ Enroll a server's running state retrospectively into Ansible. %{_bindir}/enroll %changelog +* Tue Jan 13 2026 Miguel Jacq - %{version}-%{release} +- Support `--remote-ssh-config [path-to-ssh-config]` as an argument in case extra params are required beyond `--remote-port` or `--remote-user`. Note: `--remote-host` must still be s +et, but it can be an 'alias' represented by the 'Host' value in the ssh config. * Sun Jan 11 2026 Miguel Jacq - %{version}-%{release} - Add interactive output when 'enroll diff --enforce' is invoking Ansible. * Sat Jan 10 2026 Miguel Jacq - %{version}-%{release}