ProxyCommand ansible option throwing ssh: illegal option error

Alrick asked:


  • ansible 2.7.6
  • OpenSSH_7.4


I have a machine A that i can access only by a gateway that we call the machine G through ssh.

The external ip adress of the machine G is 10.X.X.X.

The internal ip adress of the machine A is

I want to apply an ansible playbook on the remote machine A using ProxyCommand option through the gateway machine G.

Into the group_vars/all inventory’s vars file inventory, i put the following option according the documentation :

ansible_ssh_common_args: '-o ProxyCommand="ssh -q -W %h:%p -p {{ JUMPER_PORT }} [email protected]{{ JUMPER_IP }}"'

I execute the following command line to trigger ansible :

ansible -i $PWD all \
-m ping \
--extra-vars="JUMPER_IP=10.X.X.X JUMPER_PORT=6666"

But the command throw an ssh illegal option error. Here is the output :

<---> (255, b'', b'ssh: illegal option -- -
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [- c cipher_spec]
   [-D [bind_address:]port] [- E log_file] [-e escape_char]
   [-F configfile] [-I pkcs11] [-i identity_file]
   [-J [[email protected]]host[:port]] [-L address] [-l login_name] [-m mac_spec]           
   [-O ctl_cmd] [-o option] [- p port] [-Q query_option] [-R address]           
   [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]          
   [[email protected]]hostname [command]

<global> SSH: EXEC ssh -C -o 
ControlMaster=auto -o . 
ControlPersist=60s -o 
-o PreferredAuthentications=gssapi-with-mic,gssapi- keyex,hostbased,publickey 
-o PasswordAuthentication=no 
-o ConnectTimeout=10
-o 'ProxyCommand=ssh -q -W %h:%p 
-p 6666 [email protected]'
-o ControlPath=/Users/me/.ansible/cp/853aabe504 
global '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''

--- | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ssh: illegal option -- 
    -\nusage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c 
    cipher_spec]\n           [-D [bind_address:]port] [-E log_file] [-e 
    escape_char]\n           [-F configfile] [-I pkcs11] [-i 
    identity_file]\n           [-J [[email protected]]host[:port]] [-L address] [-l . 
    login_name] [-m mac_spec]\n           [-O ctl_cmd] [-o option] [-p 
    port] [-Q query_option] [-R address]\n           [-S ctl_path] [-W 
    host:port] [-w local_tun[:remote_tun]]\n           [[email protected]]hostname 
    "unreachable": true

It seems like the -W %h:%p do not replace the host and the port.

Any idea ?

My answer:

You’re following an extremely outdated tutorial.

Recent versions of OpenSSH, including the one you’re using, have a very simple syntax for specifying a jump host:

ssh -J [[email protected]]jumphost[:jumpport] destination

So you can simply do something like this:

ansible_ssh_common_args: "-J [email protected]{{JUMPER_IP}}:{{JUMPER_PORT}}"

As a matter of best practices, consider using a VPN, or IPv6, or both, to avoid the use of jump hosts wherever possible.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.