/*
Copyright 2015 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package service
import (
"fmt"
"io"
"os"
"path/filepath"
"time"
"golang.org/x/crypto/ssh"
"github.com/gravitational/teleport/lib/auth"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/backend/dir"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/limiter"
"github.com/gravitational/teleport/lib/pam"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/teleport/lib/sshca"
"github.com/gravitational/teleport/lib/utils"
"github.com/ghodss/yaml"
)
// Config structure is used to initialize _all_ services Teleport can run.
// Some settings are global (like DataDir) while others are grouped into
// sections, like AuthConfig.
//
// Several fields carry credentials (Token, Identities, Auth.Authorities,
// Auth.StaticTokens, Proxy.TLSKey); a Config must not be logged or dumped
// without redacting them.
type Config struct {
	// DataDir provides directory where teleport stores its permanent state
	// (in case of auth server backed by BoltDB) or local state, e.g. keys
	DataDir string

	// Hostname is a node host name
	Hostname string

	// Token is used to register this Teleport instance with the auth server.
	// It is a credential: keep it out of logs and debug output.
	Token string

	// AuthServers is a list of auth servers nodes, proxies and peer auth servers
	// connect to
	AuthServers []utils.NetAddr

	// Identities is an optional list of pre-generated key pairs
	// for teleport roles, this is helpful when server is preconfigured.
	// The pairs contain private keys and are treated as secrets.
	Identities []*auth.Identity

	// AdvertiseIP is used to "publish" an alternative IP address or hostname this node
	// can be reached on, if running behind NAT
	AdvertiseIP string

	// CachePolicy sets caching policy for nodes and proxies
	// in case if they lose connection to auth servers
	CachePolicy CachePolicy

	// SSH role an SSH endpoint server
	SSH SSHConfig

	// Auth server authentication and authorization server config
	Auth AuthConfig

	// Keygen points to a key generator implementation
	Keygen sshca.Authority

	// Proxy is SSH proxy that manages incoming and outbound connections
	// via multiple reverse tunnels
	Proxy ProxyConfig

	// HostUUID is a unique UUID of this host (it will be known via this UUID within
	// a teleport cluster). It's automatically generated on 1st start
	HostUUID string

	// Console writer to speak to a user
	Console io.Writer

	// ReverseTunnels is a list of reverse tunnels to create on the
	// first cluster start
	ReverseTunnels []services.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	OIDCConnectors []services.OIDCConnector

	// PIDFile is a full path of the PID file for teleport daemon
	PIDFile string

	// Trust is a service that manages trusted certificate authorities
	Trust services.Trust

	// Presence service is a discovery and heartbeat tracker
	Presence services.Presence

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is a service that controls access
	Access services.Access

	// ClusterConfiguration is a service that provides cluster configuration
	ClusterConfiguration services.ClusterConfiguration

	// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
	// omitted, a Teleport selected list of defaults will be used.
	CipherSuites []uint16

	// Ciphers is a list of SSH ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string

	// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used. ApplyDefaults
	// seeds this from the x/crypto/ssh defaults with the SHA-1 based groups
	// removed; listing them here re-enables them.
	KEXAlgorithms []string

	// MACAlgorithms is a list of SSH message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used. ApplyDefaults
	// seeds this from the x/crypto/ssh defaults with the SHA-1 based MACs
	// removed; listing them here re-enables them.
	MACAlgorithms []string

	// DiagnosticAddr is an address for diagnostic and healthz endpoint service
	DiagnosticAddr utils.NetAddr

	// Debug sets debugging mode, results in diagnostic address
	// endpoint extended with additional /debug handlers; keep
	// DiagnosticAddr off untrusted networks when this is set
	Debug bool

	// UploadEventsC is a channel for upload events
	// used in tests
	UploadEventsC chan *events.UploadEvent `json:"-"`

	// FileDescriptors is an optional list of file descriptors for the process
	// to inherit and use for listeners, used for in-process updates.
	FileDescriptors []FileDescriptor

	// PollingPeriod is set to override default internal polling periods
	// of sync agents, used to speed up integration tests.
	PollingPeriod time.Duration

	// ClientTimeout is set to override default client timeouts
	// used by internal clients, used to speed up integration tests.
	ClientTimeout time.Duration

	// ShutdownTimeout is set to override default shutdown timeout.
	ShutdownTimeout time.Duration
}
// ApplyToken stores the given registration token in cfg.Token, but only
// when the token is not an empty string.
//
// It returns true when cfg.Token was changed and false when the empty
// string was passed and the config was left untouched.
func (cfg *Config) ApplyToken(token string) bool {
	if token == "" {
		return false
	}
	cfg.Token = token
	return true
}
// RoleConfig builds the per-role configuration view of this Config.
//
// Only the fields shared by every role (data dir, host identity, auth
// servers, the auth section and the console writer) are copied; the
// role-specific sections such as SSH and Proxy are not part of it.
func (cfg *Config) RoleConfig() RoleConfig {
	var rc RoleConfig
	rc.DataDir = cfg.DataDir
	rc.HostUUID = cfg.HostUUID
	rc.HostName = cfg.Hostname
	rc.AuthServers = cfg.AuthServers
	rc.Auth = cfg.Auth
	rc.Console = cfg.Console
	return rc
}
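// DebugDumpToYAML renders the configuration as YAML for debugging output.
//
// The dump is made from a shallow copy with the credential-bearing fields
// blanked so that secrets do not end up in logs or on the console:
// pre-generated identities, the trusted certificate authorities, static
// provisioning tokens, the registration token and the web portal's TLS
// private key. If marshaling fails the error text is returned in place of
// a document.
func (cfg *Config) DebugDumpToYAML() string {
	shallow := *cfg
	// do not copy sensitive data to stdout
	shallow.Identities = nil
	shallow.Auth.Authorities = nil
	// Token is the credential this instance registers with, StaticTokens are
	// long-lived join credentials and TLSKey is the web portal's private key;
	// none of them belongs in a debug dump.
	shallow.Token = ""
	shallow.Auth.StaticTokens = nil
	shallow.Proxy.TLSKey = ""
	out, err := yaml.Marshal(shallow)
	if err != nil {
		return err.Error()
	}
	return string(out)
}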
// CachePolicy sets caching policy for proxies and nodes
type CachePolicy struct {
	// Enabled enables or disables caching
	Enabled bool
	// TTL sets maximum TTL for the cached values
	// without explicit TTL set; String reports defaults.CacheTTL
	// when this is zero
	TTL time.Duration
	// NeverExpires means that cache values without TTL
	// set by the auth server won't expire
	NeverExpires bool
	// RecentTTL is the recently accessed items cache TTL;
	// nil means defaults.RecentCacheTTL (see GetRecentTTL)
	RecentTTL *time.Duration
}
// GetRecentTTL returns the configured TTL for recently accessed items,
// falling back to defaults.RecentCacheTTL when none was set.
func (c *CachePolicy) GetRecentTTL() time.Duration {
	if ttl := c.RecentTTL; ttl != nil {
		return *ttl
	}
	return defaults.RecentCacheTTL
}
// String returns a human-friendly description of the policy: whether caching
// is on at all, how long recently accessed items are kept, and whether (and
// after how long) cached values expire once the database connection is lost.
func (c CachePolicy) String() string {
	if !c.Enabled {
		return "no cache policy"
	}
	var recent string
	if ttl := c.GetRecentTTL(); ttl == 0 {
		recent = "will not cache frequently accessed items"
	} else {
		recent = fmt.Sprintf("will cache frequently accessed items for %v", ttl)
	}
	switch {
	case c.NeverExpires:
		return fmt.Sprintf("cache that will not expire in case if connection to database is lost, %v", recent)
	case c.TTL == 0:
		// zero TTL means the package default applies
		return fmt.Sprintf("cache that will expire after connection to database is lost after %v, %v", defaults.CacheTTL, recent)
	default:
		return fmt.Sprintf("cache that will expire after connection to database is lost after %v, %v", c.TTL, recent)
	}
}
// ProxyConfig specifies configuration for proxy service
type ProxyConfig struct {
	// Enabled turns proxy role on or off for this process
	Enabled bool

	// DisableTLS is set when the web portal should not serve its own (self
	// signed) TLS certificates, presumably because TLS is terminated in
	// front of the proxy — confirm before relying on it
	DisableTLS bool

	// DisableWebInterface allows to turn off serving the Web UI interface
	DisableWebInterface bool

	// DisableWebService turns off serving web service completely, including web UI
	DisableWebService bool

	// DisableReverseTunnel disables reverse tunnel on the proxy
	DisableReverseTunnel bool

	// ReverseTunnelListenAddr is address where reverse tunnel dialers connect to
	ReverseTunnelListenAddr utils.NetAddr

	// EnableProxyProtocol enables proxy protocol support. The protocol header
	// carries the client address, so this is only meaningful when the listener
	// is reached exclusively through a trusted load balancer.
	EnableProxyProtocol bool

	// WebAddr is address for web portal of the proxy
	WebAddr utils.NetAddr

	// SSHAddr is address of ssh proxy
	SSHAddr utils.NetAddr

	// TLSKey is a base64 encoded private key used by web portal.
	// It is a secret: keep it out of logs and debug output.
	TLSKey string

	// TLSCert is a base64 encoded certificate used by web portal
	TLSCert string

	// Limiter configures the connection limiter for the proxy listeners;
	// ApplyDefaults populates it via defaults.ConfigureLimiter
	Limiter limiter.LimiterConfig

	// PublicAddrs is a list of the public addresses the Teleport UI can be accessed at,
	// it also affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr

	// Kube specifies kubernetes proxy configuration
	Kube KubeProxyConfig
}
// KubeProxyConfig specifies configuration for the Kubernetes proxy service
type KubeProxyConfig struct {
	// Enabled turns kubernetes proxy role on or off for this process
	Enabled bool

	// ListenAddr is the address the Kubernetes proxy listens on
	// (ApplyDefaults sets it to defaults.KubeProxyListenAddr)
	ListenAddr utils.NetAddr

	// APIAddr is address of kubernetes API server
	APIAddr utils.NetAddr

	// ClusterOverride causes all traffic to go to a specific remote
	// cluster, used only in tests
	ClusterOverride string

	// CACert is a PEM encoded kubernetes CA certificate
	// (presumably used to verify the server at APIAddr — confirm)
	CACert []byte

	// PublicAddrs is a list of the public addresses the Teleport Kube proxy can be accessed by,
	// it also affects the host principals and routing logic
	PublicAddrs []utils.NetAddr
}
// AuthConfig is a configuration of the auth server
type AuthConfig struct {
	// Enabled turns auth role on or off for this process
	Enabled bool

	// EnableProxyProtocol enables proxy protocol support. The protocol header
	// carries the client address, so this is only meaningful when the listener
	// is reached exclusively through a trusted load balancer.
	EnableProxyProtocol bool

	// SSHAddr is the listening address of SSH tunnel to HTTP service
	SSHAddr utils.NetAddr

	// Authorities is a set of trusted certificate authorities
	// that will be added by this auth server on the first start
	Authorities []services.CertAuthority

	// Roles is a set of roles to pre-provision for this cluster
	Roles []services.Role

	// ClusterName is a name that identifies this authority and all
	// host nodes in the cluster that will share this authority domain name
	// as a base name, e.g. if authority domain name is example.com,
	// all nodes in the cluster will have UUIDs in the form: <uuid>.example.com
	ClusterName services.ClusterName

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed. They are long-lived
	// join credentials and must be treated as secrets.
	StaticTokens services.StaticTokens

	// StorageConfig contains configuration settings for the storage backend.
	StorageConfig backend.Config

	// Limiter configures the connection limiter for the auth listener;
	// ApplyDefaults populates it via defaults.ConfigureLimiter
	Limiter limiter.LimiterConfig

	// NoAudit, when set to true, disables session recording and event audit
	NoAudit bool

	// Preference defines the authentication preference (type and second factor) for
	// the auth server.
	Preference services.AuthPreference

	// ClusterConfig stores cluster level configuration.
	ClusterConfig services.ClusterConfig

	// LicenseFile is a full path to the license file
	// (ApplyDefaults places it under DataDir)
	LicenseFile string

	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr

	// KubeCACertPath is a path to kubernetes CA certificate
	KubeCACertPath string
}
// SSHConfig configures SSH server node role
type SSHConfig struct {
	// Enabled turns the SSH node role on or off for this process
	Enabled bool
	// Addr is the address the SSH node listens on
	Addr utils.NetAddr
	// Namespace is the namespace this node is registered in
	Namespace string
	// Shell is the login shell started for user sessions
	// (ApplyDefaults sets it to defaults.DefaultShell)
	Shell string
	// Limiter configures the connection limiter for the node listener;
	// ApplyDefaults populates it via defaults.ConfigureLimiter
	Limiter limiter.LimiterConfig
	// Labels are static key/value labels for this node
	Labels map[string]string
	// CmdLabels are labels whose values are presumably produced by
	// running commands (see services.CommandLabels) — confirm
	CmdLabels services.CommandLabels
	// PermitUserEnvironment allows users to supply their own environment
	// for sessions on this node; presumably read from the user's home
	// directory at login — confirm against the SSH server code
	PermitUserEnvironment bool

	// PAM holds PAM configuration for Teleport.
	// ApplyDefaults leaves PAM disabled.
	PAM *pam.Config

	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr
}
// MakeDefaultConfig allocates a new Config and fills it with the
// defaults applied by ApplyDefaults.
func MakeDefaultConfig() (config *Config) {
	config = new(Config)
	ApplyDefaults(config)
	return config
}
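// ApplyDefaults fills cfg with the default values every service starts from.
//
// It is called by MakeDefaultConfig and can also be used to re-populate an
// existing Config. Global settings (hostname, data dir, console, TLS cipher
// suites and SSH algorithms) are set first, then the per-service sections
// for auth, the SSH/web proxy, the Kubernetes proxy and the SSH node.
//
// Paths derived from DataDir (the backend directory and the license file)
// are computed from the default DataDir here, so callers that override
// DataDir afterwards must recompute them.
func ApplyDefaults(cfg *Config) {
	// Get defaults for Cipher, Kex algorithms, and MAC algorithms from
	// golang.org/x/crypto/ssh default config.
	var sc ssh.Config
	sc.SetDefaults()

	// Remove insecure and (borderline insecure) cryptographic primitives from
	// default configuration. These can still be added back in file configuration by
	// users, but not supported by default by Teleport. See #1856 for more
	// details.
	kex := utils.RemoveFromSlice(sc.KeyExchanges,
		defaults.DiffieHellmanGroup1SHA1,
		defaults.DiffieHellmanGroup14SHA1)
	macs := utils.RemoveFromSlice(sc.MACs,
		defaults.HMACSHA1,
		defaults.HMACSHA196)

	// A missing hostname must not prevent the process from starting with
	// defaults, so fall back to a fixed name and report the failure.
	hostname, err := os.Hostname()
	if err != nil {
		hostname = "localhost"
		log.Errorf("Failed to determine hostname: %v.", err)
	}

	// global defaults
	cfg.Hostname = hostname
	cfg.DataDir = defaults.DataDir
	cfg.Console = os.Stdout
	cfg.CipherSuites = utils.DefaultCipherSuites()
	cfg.Ciphers = sc.Ciphers
	cfg.KEXAlgorithms = kex
	cfg.MACAlgorithms = macs

	// defaults for the auth service:
	cfg.Auth.Enabled = true
	cfg.Auth.SSHAddr = *defaults.AuthListenAddr()
	cfg.Auth.StorageConfig.Type = dir.GetName()
	cfg.Auth.StorageConfig.Params = backend.Params{defaults.BackendPath: filepath.Join(cfg.DataDir, defaults.BackendDir)}
	cfg.Auth.StaticTokens = services.DefaultStaticTokens()
	cfg.Auth.ClusterConfig = services.DefaultClusterConfig()
	defaults.ConfigureLimiter(&cfg.Auth.Limiter)
	// set new style default auth preferences
	ap := &services.AuthPreferenceV2{}
	// The result used to be dropped; report it the same way as the hostname
	// failure so a broken default preference does not go unnoticed.
	if err := ap.CheckAndSetDefaults(); err != nil {
		log.Errorf("Failed to set default auth preferences: %v.", err)
	}
	cfg.Auth.Preference = ap
	cfg.Auth.LicenseFile = filepath.Join(cfg.DataDir, defaults.LicenseFile)

	// defaults for the SSH proxy service:
	cfg.Proxy.Enabled = true
	cfg.Proxy.SSHAddr = *defaults.ProxyListenAddr()
	cfg.Proxy.WebAddr = *defaults.ProxyWebListenAddr()
	cfg.Proxy.ReverseTunnelListenAddr = *defaults.ReverseTunnellListenAddr()
	defaults.ConfigureLimiter(&cfg.Proxy.Limiter)

	// defaults for the Kubernetes proxy service: off unless explicitly enabled
	cfg.Proxy.Kube.Enabled = false
	cfg.Proxy.Kube.ListenAddr = *defaults.KubeProxyListenAddr()

	// defaults for the SSH service:
	cfg.SSH.Enabled = true
	cfg.SSH.Addr = *defaults.SSHServerListenAddr()
	cfg.SSH.Shell = defaults.DefaultShell
	defaults.ConfigureLimiter(&cfg.SSH.Limiter)
	// PAM stays off unless the file configuration turns it on
	cfg.SSH.PAM = &pam.Config{Enabled: false}
}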