Use Chef Knife with SDM

Last modified on March 24, 2023

When using the knife ssh command, Knife reaches out to the Chef server with a query string, Chef responds back with a list of hosts that match that query string, and Knife then runs commands via SSH on all returned hosts. This document describes how to set up StrongDM SSH functionality to work with the knife ssh command.

This guide assumes all relevant servers have already been configured to work with Chef and are using an SSH client that supports the Include directive (OpenSSH 7.3+).

Configure all Chef-configured SSH hosts in StrongDM under the Servers page. Grant appropriate role-based access to these servers to the StrongDM users that will be using Knife.
At the command line of a system running the StrongDM client, run sdm ssh config. This will do two things:
1. Generate an SSH config file in $HOME/.sdm/ssh_config containing entries for each SSH server the user has rights to
2. Add a line to the top of $HOME/.ssh/config to reference the generated file
The sdm ssh config command will generate an ssh_config file based on how the SSH server is configured within StrongDM. Keep in mind that Knife resolves IP addresses on the client side, so in order for StrongDM to properly intercept those SSH calls, it must be aware of the hostname of the SSH server as seen by the Knife client. In practice, this means setting up the SSH servers in the StrongDM UI with the hostname that Knife resolves and uses.
Connect to the servers you want to access using sdm: either click on each one in the UI and ensure the green lightning bolt icon is visible next to each, or run sdm connect sdm_server_name for each (or optionally, sdm connect --all).
To test, run a Knife command that will reference one specific host that is now in your custom ssh_config. If you have not explicitly connected to that host, you should get a Connection refused error.

Not connected via sdm

$ sdm status
     SSH SERVER                   STATUS            PORT      TYPE
     chefnode1                    not connected     61927     ssh
$ knife ssh 'name:node1-ubuntu' 'echo hello'
WARNING: Failed to connect to ec2-xx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com -- Errno::ECONNREFUSED: Connection refused - connect(2) for [::1]:61927

Connected via sdm

$ sdm connect chefnode1
connect successful
$ sdm status
     SSH SERVER                   STATUS            PORT      TYPE
     chefnode1                    connected         61927     ssh
$ knife ssh 'name:node1-ubuntu' 'echo hello'
ec2-xx-xxx-xxx-xxx.us-west-2.compute.amazonaws.com hello