teleport/constants.go

package teleport

import (
	"time"
)

// WebAPIVersion is a current webapi version
const WebAPIVersion = "v1"

// ForeverTTL means that object TTL will not expire unless deleted
const ForeverTTL time.Duration = 0

const (
	// SSHAuthSock is the environment variable pointing to the
	// Unix socket the SSH agent is running on.
	SSHAuthSock = "SSH_AUTH_SOCK"
	// SSHAgentPID is the environment variable pointing to the agent
	// process ID
	SSHAgentPID = "SSH_AGENT_PID"

	// SSHTeleportUser is the current Teleport user that is logged in.
	SSHTeleportUser = "SSH_TELEPORT_USER"

	// SSHSessionWebproxyAddr is the address the web proxy.
	SSHSessionWebproxyAddr = "SSH_SESSION_WEBPROXY_ADDR"

	// SSHTeleportClusterName is the name of the cluster this node belongs to.
	SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME"

	// SSHTeleportHostUUID is the UUID of the host.
	SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID"

	// SSHSessionID is the UUID of the current session.
	SSHSessionID = "SSH_SESSION_ID"
)

const (
	// HTTPSProxy is an environment variable pointing to a HTTPS proxy.
	HTTPSProxy = "HTTPS_PROXY"

	// HTTPProxy is an environment variable pointing to a HTTP proxy.
	HTTPProxy = "HTTP_PROXY"
)

const (
	// TOTPValidityPeriod is the number of seconds a TOTP token is valid.
	TOTPValidityPeriod uint = 30

	// TOTPSkew adds that many periods before and after to the validity window.
	TOTPSkew uint = 1
)

const (
	// Component indicates a component of teleport, used for logging
	Component = "component"

	// ComponentFields stores component-specific fields
	ComponentFields = "fields"

	// ComponentReverseTunnel is reverse tunnel agent and server
	// that together establish a bi-directional SSH revers tunnel
	// to bypass firewall restrictions
	ComponentReverseTunnel = "reversetunnel"

	// ComponentAuth is the cluster CA node (auth server API)
	ComponentAuth = "auth"

	// ComponentNode is SSH node (SSH server serving requests)
	ComponentNode = "node"

	// ComponentProxy is SSH proxy (SSH server forwarding connections)
	ComponentProxy = "proxy"

	// ComponentTunClient is a tunnel client
	ComponentTunClient = "tunclient"

	// DebugEnvVar tells tests to use verbose debug output
	DebugEnvVar = "DEBUG"

	// VerboseLogEnvVar forces all logs to be verbose (down to DEBUG level)
	VerboseLogsEnvVar = "TELEPORT_DEBUG"

	// DefaultTerminalWidth defines the default width of a server-side allocated
	// pseudo TTY
	DefaultTerminalWidth = 80

	// DefaultTerminalHeight defines the default height of a server-side allocated
	// pseudo TTY
	DefaultTerminalHeight = 25

	// SafeTerminalType is the fall-back TTY type to fall back to (when $TERM
	// is not defined)
	SafeTerminalType = "xterm"

	// ConnectorOIDC means connector type OIDC
	ConnectorOIDC = "oidc"

	// ConnectorSAML means connector type SAML
	ConnectorSAML = "oidc"

	// DataDirParameterName is the name of the data dir configuration parameter passed
	// to all backends during initialization
	DataDirParameterName = "data_dir"

	// SSH request type to keep the connection alive. A client and a server keep
	// pining each other with it:
	KeepAliveReqType = "keepalive@openssh.com"

	// OTP means One-time Password Algorithm for Two-Factor Authentication.
	OTP = "otp"

	// TOTP means Time-based One-time Password Algorithm. for Two-Factor Authentication.
	TOTP = "totp"

	// HOTP means HMAC-based One-time Password Algorithm.for Two-Factor Authentication.
	HOTP = "hotp"

	// U2F means Universal 2nd Factor.for Two-Factor Authentication.
	U2F = "u2f"

	// OFF means no second factor.for Two-Factor Authentication.
	OFF = "off"

	// Local means authentication will happen locally within the Teleport cluster.
	Local = "local"

	// OIDC means authentication will happen remotly using an OIDC connector.
	OIDC = "oidc"

	// SAML means authentication will happen remotly using an SAML connector.
	SAML = "saml"
)

const (
	// AuthorizedKeys are public keys that check against User CAs.
	AuthorizedKeys = "authorized_keys"
	// KnownHosts are public keys that check against Host CAs.
	KnownHosts = "known_hosts"
)

const (
	// CertExtensionPermitAgentForwarding allows agent forwarding for certificate
	CertExtensionPermitAgentForwarding = "permit-agent-forwarding"
	// CertExtensionPermitPTY allows user to request PTY
	CertExtensionPermitPTY = "permit-pty"
	// CertExtensionPermitPortForwarding allows user to request port forwarding
	CertExtensionPermitPortForwarding = "permit-port-forwarding"
	// CertExtensionTeleportRoles is used to propagate teleport roles
	CertExtensionTeleportRoles = "teleport-roles"
)

const (
	// NetIQ is an identity provider.
	NetIQ = "netiq"
	// ADFS is Microsoft Active Directory Federation Services
	ADFS = "adfs"
)

const (
	// RemoteCommandSuccess is returned when a command has successfully executed.
	RemoteCommandSuccess = 0
	// RemoteCommandFailure is returned when a command has failed to execute and
	// we don't have another status code for it.
	RemoteCommandFailure = 255
)

// MaxEnvironmentFileLines is the maximum number of lines in a environment file.
const MaxEnvironmentFileLines = 1000

const (
	// CompatibilityOldSSH is used to make Teleport interoperate with older
	// versions of OpenSSH.
	CompatibilityOldSSH = "oldssh"

	// CompatibilityNone is used for normal Teleport operation without any
	// compatibility modes.
	CompatibilityNone = ""
)

const (
	// TraitInternalPrefix is the role variable prefix that indicates it's for
	// local accounts.
	TraitInternalPrefix = "internal"

	// TraitLogins is the name the role variable used to store
	// allowed logins.
	TraitLogins = "logins"

	// TraitInternalRoleVariable is the role variable used to store allowed
	// logins for local accounts.
	TraitInternalRoleVariable = "{{internal.logins}}"
)

// NewDefaultRole is the name of the default role for all local users if
// another role is not explicitly assigned (Enterprise only).
const DefaultRoleName = "default"
user mappings should be deleted if user is deleted, fixes #116 This commit includes refactoring and cleanup of cert authority sybsystem: * User keys methods are deleted * Authorities CRUD is simplified * Lots of code removed 2016-02-16 17:36:02 +00:00			`package teleport`

			`import (`
			`"time"`
			`)`

Added TrustedCluster resource. 2017-03-02 19:50:35 +00:00			`// WebAPIVersion is a current webapi version`
			`const WebAPIVersion = "v1"`

user mappings should be deleted if user is deleted, fixes #116 This commit includes refactoring and cleanup of cert authority sybsystem: * User keys methods are deleted * Authorities CRUD is simplified * Lots of code removed 2016-02-16 17:36:02 +00:00			`// ForeverTTL means that object TTL will not expire unless deleted`
recover etcd backend support 2016-03-11 01:03:01 +00:00			`const ForeverTTL time.Duration = 0`

working proto 2017-03-08 05:42:17 +00:00			`const (`
			`// SSHAuthSock is the environment variable pointing to the`
			`// Unix socket the SSH agent is running on.`
			`SSHAuthSock = "SSH_AUTH_SOCK"`
			`// SSHAgentPID is the environment variable pointing to the agent`
			`// process ID`
			`SSHAgentPID = "SSH_AGENT_PID"`
Corrected the Session URL returned when calling "teleport status". 2017-04-07 00:16:28 +00:00
			`// SSHTeleportUser is the current Teleport user that is logged in.`
			`SSHTeleportUser = "SSH_TELEPORT_USER"`

			`// SSHSessionWebproxyAddr is the address the web proxy.`
			`SSHSessionWebproxyAddr = "SSH_SESSION_WEBPROXY_ADDR"`

			`// SSHTeleportClusterName is the name of the cluster this node belongs to.`
			`SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME"`

			`// SSHTeleportHostUUID is the UUID of the host.`
			`SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID"`

			`// SSHSessionID is the UUID of the current session.`
			`SSHSessionID = "SSH_SESSION_ID"`
working proto 2017-03-08 05:42:17 +00:00			`)`
Added debug ssh agent to be used in tests so they can run consistently across platforms. 2017-02-13 23:37:08 +00:00
Added HTTP CONNECT tunneling support for Trusted Clusters. 2017-05-17 00:43:55 +00:00			`const (`
			`// HTTPSProxy is an environment variable pointing to a HTTPS proxy.`
			`HTTPSProxy = "HTTPS_PROXY"`

			`// HTTPProxy is an environment variable pointing to a HTTP proxy.`
			`HTTPProxy = "HTTP_PROXY"`
			`)`

Use a fake clock in OTP tests. 2017-02-10 22:46:26 +00:00			`const (`
Added debug ssh agent to be used in tests so they can run consistently across platforms. 2017-02-13 23:37:08 +00:00			`// TOTPValidityPeriod is the number of seconds a TOTP token is valid.`
			`TOTPValidityPeriod uint = 30`

			`// TOTPSkew adds that many periods before and after to the validity window.`
			`TOTPSkew uint = 1`
Use a fake clock in OTP tests. 2017-02-10 22:46:26 +00:00			`)`

recover etcd backend support 2016-03-11 01:03:01 +00:00			`const (`
Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests 2016-03-16 02:57:02 +00:00			`// Component indicates a component of teleport, used for logging`
			`Component = "component"`

			`// ComponentFields stores component-specific fields`
			`ComponentFields = "fields"`

			`// ComponentReverseTunnel is reverse tunnel agent and server`
			`// that together establish a bi-directional SSH revers tunnel`
			`// to bypass firewall restrictions`
			`ComponentReverseTunnel = "reversetunnel"`

Cleaned up Teleport logging * Downgraded many messages from `Debug` to `Info` * Edited messages so they're not verbose and not too short * Added "context" to some * Added logical teleport component as [COMPONENT] at the beginning of many, making logs vastly easier to read. * Added one more logging level option when creating Teleport (only Teleconsole uses it for now) The output with 'info' severity now look extremely clean. This is startup, for example: ``` INFO[0000] [AUTH] Auth service is starting on turing:32829 file=utils/cli.go:107 INFO[0000] [SSH:auth] listening socket: 127.0.0.1:32829 file=sshutils/server.go:119 INFO[0000] [SSH:auth] is listening on 127.0.0.1:32829 file=sshutils/server.go:144 INFO[0000] [Proxy] Successfully registered with the cluster file=utils/cli.go:107 INFO[0000] [Node] Successfully registered with the cluster file=utils/cli.go:107 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56886->127.0.0.1:32829, user=turing file=auth/tun.go:370 WARN[0000] unable to load the auth server cache: open /tmp/cluster-teleconsole-client781495771/authservers.json: no such file or directory file=auth/tun.go:594 INFO[0000] [SSH:auth] new connection 127.0.0.1:56886 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56888->127.0.0.1:32829, user=turing.teleconsole-client file=auth/tun.go:370 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56890->127.0.0.1:32829, user=turing.teleconsole-client file=auth/tun.go:370 INFO[0000] [Node] turing connected to the cluster 'teleconsole-client' file=service/service.go:158 INFO[0000] [AUTH] keyAuth: 127.0.0.1:56892->127.0.0.1:32829, user=turing file=auth/tun.go:370 INFO[0000] [SSH:auth] new connection 127.0.0.1:56890 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205 INFO[0000] [SSH:auth] new connection 127.0.0.1:56888 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205 INFO[0000] [Node] turing.teleconsole-client connected to the cluster 'teleconsole-client' file=service/service.go:158 INFO[0000] [Node] turing.teleconsole-client connected to the cluster 'teleconsole-client' file=service/service.go:158 INFO[0000] [SSH] received event(SSHIdentity) file=service/service.go:436 INFO[0000] [SSH] received event(ProxyIdentity) file=service/service.go:563 ``` You can easily tell that auth, ssh node and proxy have successfully started. 2016-09-02 23:04:05 +00:00			`// ComponentAuth is the cluster CA node (auth server API)`
			`ComponentAuth = "auth"`

Minor code cleanup - Replaced hard-coded timeouts with pre-existing teleport.DefaultTimeout constant. - Fixed tests 2016-03-16 02:57:02 +00:00			`// ComponentNode is SSH node (SSH server serving requests)`
			`ComponentNode = "node"`

			`// ComponentProxy is SSH proxy (SSH server forwarding connections)`
			`ComponentProxy = "proxy"`

			`// ComponentTunClient is a tunnel client`
			`ComponentTunClient = "tunclient"`

Addressed PR comments - Comments - Error creation - Moved from Mailgun's frozen time to clockwork - Made tests more reliable 2016-12-26 06:12:23 +00:00			`// DebugEnvVar tells tests to use verbose debug output`
			`DebugEnvVar = "DEBUG"`

			`// VerboseLogEnvVar forces all logs to be verbose (down to DEBUG level)`
			`VerboseLogsEnvVar = "TELEPORT_DEBUG"`
Proper handling of attached/detached terminals Also Teleport now will try to get the type of terminal you're already on, looking at $TERM 2016-09-10 04:44:04 +00:00
			`// DefaultTerminalWidth defines the default width of a server-side allocated`
			`// pseudo TTY`
			`DefaultTerminalWidth = 80`

			`// DefaultTerminalHeight defines the default height of a server-side allocated`
			`// pseudo TTY`
			`DefaultTerminalHeight = 25`

			`// SafeTerminalType is the fall-back TTY type to fall back to (when $TERM`
			`// is not defined)`
			`SafeTerminalType = "xterm"`
map OIDC scopes to roles, implements #620 2016-12-24 03:02:59 +00:00
			`// ConnectorOIDC means connector type OIDC`
			`ConnectorOIDC = "oidc"`
Converted boltbk to the new format BoltDB backend is now compatible with how all backends should initialize. Also all BoltDB-specific code/constants have been consolidated inside of `backend.boltbk` package. 2017-01-13 00:04:00 +00:00
SAML 2.0 initial implementation 2017-05-05 22:53:05 +00:00			`// ConnectorSAML means connector type SAML`
			`ConnectorSAML = "oidc"`

Converted boltbk to the new format BoltDB backend is now compatible with how all backends should initialize. Also all BoltDB-specific code/constants have been consolidated inside of `backend.boltbk` package. 2017-01-13 00:04:00 +00:00			`// DataDirParameterName is the name of the data dir configuration parameter passed`
			`// to all backends during initialization`
			`DataDirParameterName = "data_dir"`
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens. 2017-01-17 19:24:17 +00:00
SSH keepalive implementation + refactoring The base SSH server implementation now sends SSH keepalive at ta rate of 1/4 of "idle timeout" constant. The client properly responds to keepalive pings. The SSH client, instead of creating 2 goroutines for handling SSH requests and SSH channels now uses the same (existing) goroutine with for-loop + select statement. 2017-01-30 19:31:37 +00:00			`// SSH request type to keep the connection alive. A client and a server keep`
			`// pining each other with it:`
			`KeepAliveReqType = "keepalive@openssh.com"`

Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation. 2017-02-14 02:29:27 +00:00			`// OTP means One-time Password Algorithm for Two-Factor Authentication.`
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens. 2017-01-17 19:24:17 +00:00			`OTP = "otp"`

Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation. 2017-02-14 02:29:27 +00:00			`// TOTP means Time-based One-time Password Algorithm. for Two-Factor Authentication.`
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens. 2017-01-17 19:24:17 +00:00			`TOTP = "totp"`

Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation. 2017-02-14 02:29:27 +00:00			`// HOTP means HMAC-based One-time Password Algorithm.for Two-Factor Authentication.`
Two fixes in one commit Fix one: Fixed typo in defining `teleport.HOTP` constant. This fixes bug #721 Fix two: Removes 'drop tunnel connection' logic on any tunnel-related error. This fixes 2nd problem "Handling Unreachable nodes" for issue #717 (see klizhentas comment there) 2017-01-23 03:55:54 +00:00			`HOTP = "hotp"`
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens. 2017-01-17 19:24:17 +00:00
Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation. 2017-02-14 02:29:27 +00:00			`// U2F means Universal 2nd Factor.for Two-Factor Authentication.`
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens. 2017-01-17 19:24:17 +00:00			`U2F = "u2f"`

Refactored authentication configuration, created resources for dynamic configuration of authentication configuration, and updated documentation. 2017-02-14 02:29:27 +00:00			`// OFF means no second factor.for Two-Factor Authentication.`
			`OFF = "off"`

			`// Local means authentication will happen locally within the Teleport cluster.`
			`Local = "local"`

			`// OIDC means authentication will happen remotly using an OIDC connector.`
Added TOTP support and deprecated HOTP support. New users are created with TOTP as the second factor, but HOTP backward compatibility is maintained by allowing users created before this commit to continue to log in with HOTP tokens. 2017-01-17 19:24:17 +00:00			`OIDC = "oidc"`
SAML 2.0 initial implementation 2017-05-05 22:53:05 +00:00
			`// SAML means authentication will happen remotly using an SAML connector.`
			`SAML = "saml"`
add support for TELEPORT_DEBUG_TESTS environment variable turning on verbose testing 2016-03-14 21:07:45 +00:00			`)`
add optional agent forward cert extension 2017-03-21 20:56:05 +00:00
Fixed User CA export and parsing and added --compat=1.0 flag to tctl. 2017-04-05 21:43:42 +00:00			`const (`
			`// AuthorizedKeys are public keys that check against User CAs.`
			`AuthorizedKeys = "authorized_keys"`
			`// KnownHosts are public keys that check against Host CAs.`
			`KnownHosts = "known_hosts"`
			`)`

add optional agent forward cert extension 2017-03-21 20:56:05 +00:00			`const (`
			`// CertExtensionPermitAgentForwarding allows agent forwarding for certificate`
			`CertExtensionPermitAgentForwarding = "permit-agent-forwarding"`
			`// CertExtensionPermitPTY allows user to request PTY`
			`CertExtensionPermitPTY = "permit-pty"`
			`// CertExtensionPermitPortForwarding allows user to request port forwarding`
			`CertExtensionPermitPortForwarding = "permit-port-forwarding"`
work on trust 2017-05-17 17:36:25 +00:00			`// CertExtensionTeleportRoles is used to propagate teleport roles`
			`CertExtensionTeleportRoles = "teleport-roles"`
add optional agent forward cert extension 2017-03-21 20:56:05 +00:00			`)`
Added support for ACR values for OIDC connectors. 2017-04-13 00:04:51 +00:00
			`const (`
			`// NetIQ is an identity provider.`
			`NetIQ = "netiq"`
SAML 2.0 and AD FS integration. 2017-05-12 19:14:44 +00:00			`// ADFS is Microsoft Active Directory Federation Services`
			`ADFS = "adfs"`
Added support for ACR values for OIDC connectors. 2017-04-13 00:04:51 +00:00			`)`
Patch for TLP-01-006 and TLP-01-007: Validate Session ID. 2017-04-25 21:57:48 +00:00
			`const (`
			`// RemoteCommandSuccess is returned when a command has successfully executed.`
			`RemoteCommandSuccess = 0`
			`// RemoteCommandFailure is returned when a command has failed to execute and`
			`// we don't have another status code for it.`
			`RemoteCommandFailure = 255`
			`)`
Added support for allowing the reading of a users environment when creating a new child session from ~/.tsh/environment. 2017-05-26 19:28:46 +00:00
			`// MaxEnvironmentFileLines is the maximum number of lines in a environment file.`
			`const MaxEnvironmentFileLines = 1000`
Added --compat=oldssh flag to generate user certificates without roles. 2017-06-20 00:20:21 +00:00
			`const (`
			`// CompatibilityOldSSH is used to make Teleport interoperate with older`
			`// versions of OpenSSH.`
			`CompatibilityOldSSH = "oldssh"`

			`// CompatibilityNone is used for normal Teleport operation without any`
			`// compatibility modes.`
			`CompatibilityNone = ""`
			`)`
Added support for default roles. 2017-07-24 22:18:46 +00:00
			`const (`
			`// TraitInternalPrefix is the role variable prefix that indicates it's for`
			`// local accounts.`
			`TraitInternalPrefix = "internal"`

			`// TraitLogins is the name the role variable used to store`
			`// allowed logins.`
			`TraitLogins = "logins"`

			`// TraitInternalRoleVariable is the role variable used to store allowed`
			`// logins for local accounts.`
			`TraitInternalRoleVariable = "{{internal.logins}}"`
			`)`

			`// NewDefaultRole is the name of the default role for all local users if`
			`// another role is not explicitly assigned (Enterprise only).`
			`const DefaultRoleName = "default"`