Use Chef Knife with SDM

Last modified on March 24, 2023

When you run the knife ssh command, Knife sends a search query to the Chef server, the Chef server responds with the list of hosts matching that query, and Knife then runs the given command over SSH on every returned host. This document describes how to set up StrongDM SSH functionality so that the knife ssh command works through it.

  1. Configure all Chef-configured SSH hosts in StrongDM under the Servers page. Grant appropriate role-based access to these servers to the StrongDM users that will be using Knife.

  2. At the command line of a system running the StrongDM client, run sdm ssh config. This will do two things:

     1. Generate an SSH config file in $HOME/.sdm/ssh_config containing entries for each SSH server the user has rights to
     2. Add a line to the top of $HOME/.ssh/config to reference the generated file

  3. Connect to the servers you want to access using sdm: either click on each one in the UI and ensure the green lightning bolt icon is visible next to each, or run sdm connect sdm_server_name for each (or optionally, sdm connect --all).

  4. To test, run a Knife command that will reference one specific host that is now in your custom ssh_config. If you have not explicitly connected to that host, you should get a Connection refused error.

Not connected via sdm

$ sdm status
     SSH SERVER                   STATUS            PORT      TYPE
     chefnode1                    not connected     61927     ssh
$ knife ssh 'name:node1-ubuntu' 'echo hello'
WARNING: Failed to connect to ec2-xx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com -- Errno::ECONNREFUSED: Connection refused - connect(2) for [::1]:61927

Connected via sdm

$ sdm connect chefnode1
connect successful
$ sdm status
     SSH SERVER                   STATUS            PORT      TYPE
     chefnode1                    connected         61927     ssh
$ knife ssh 'name:node1-ubuntu' 'echo hello'
ec2-xx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com hello
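Because knife ssh fans out to every host the query returns, a single host that is not connected in sdm fails with the ECONNREFUSED error shown above. The following pre-flight helpers are an added example (not StrongDM or Chef code) that parse the sdm status table in the format shown on this page and check that $HOME/.ssh/config references the generated $HOME/.sdm/ssh_config, so a wrapper can refuse to run knife ssh until every SSH server is connected; the SAMPLE_STATUS text is constructed, and knife_preflight is a hypothetical name.

```shell
#!/bin/sh
# Pre-flight checks for running knife ssh through StrongDM (added example).
# Assumes `sdm status` prints the table shown above and that `sdm ssh config`
# wrote $HOME/.sdm/ssh_config and referenced it from $HOME/.ssh/config.

# Constructed sample of `sdm status` output, not captured from a real client.
SAMPLE_STATUS='     SSH SERVER                   STATUS            PORT      TYPE
     chefnode1                    not connected     61927     ssh
     chefnode2                    connected         61928     ssh
     chefnode3                    not connected     61929     ssh'

# sdm_not_connected: read `sdm status` text on stdin and print one name per line
# for every SSH server whose STATUS is "not connected". Rows are selected by the
# TYPE column ("ssh"), so the header line and any non-SSH resources are skipped.
sdm_not_connected() {
    awk '$NF == "ssh" && $2 == "not" && $3 == "connected" { print $1 }'
}

# ssh_config_includes_sdm FILE: succeed if FILE mentions the generated
# .sdm/ssh_config path (the line `sdm ssh config` adds at the top of ~/.ssh/config).
# Only the path is checked, not the exact directive sdm writes.
ssh_config_includes_sdm() {
    grep -q '\.sdm/ssh_config' "$1" 2>/dev/null
}

# knife_preflight STATUS_TEXT SSH_CONFIG: return 0 when the ssh config references
# the sdm file and every SSH server is connected; otherwise report what is missing
# on stderr and return 1, so the caller can skip `knife ssh` instead of having it
# report ECONNREFUSED for each host that is not connected.
knife_preflight() {
    status_text=$1
    ssh_config=$2
    rc=0
    if ! ssh_config_includes_sdm "$ssh_config"; then
        echo "preflight: $ssh_config does not reference .sdm/ssh_config; run 'sdm ssh config'" >&2
        rc=1
    fi
    missing=$(printf '%s\n' "$status_text" | sdm_not_connected)
    if [ -n "$missing" ]; then
        echo "preflight: not connected (run 'sdm connect <name>' or 'sdm connect --all'):" >&2
        printf '  %s\n' $missing >&2
        rc=1
    fi
    return $rc
}

# Real use: knife_preflight "$(sdm status)" "$HOME/.ssh/config" && knife ssh 'name:*' 'echo hello'
```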