/*
Copyright 2015 - 2021 Gravitational, Inc.
Licensed under the Apache License , Version 2.0 ( the "License" ) ;
you may not use this file except in compliance with the License .
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing , software
distributed under the License is distributed on an "AS IS" BASIS ,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND , either express or implied .
See the License for the specific language governing permissions and
limitations under the License .
*/
package service
import (
"fmt"
"io"
"net"
"net/http"
"net/url"
"os"
"path/filepath"
"strconv"
"strings"
"time"
"golang.org/x/crypto/ssh"
"golang.org/x/net/http/httpguts"
"k8s.io/apimachinery/pkg/util/validation"
"github.com/gravitational/teleport/api/types"
apiutils "github.com/gravitational/teleport/api/utils"
"github.com/gravitational/teleport/lib/auth"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/backend/lite"
"github.com/gravitational/teleport/lib/backend/memory"
"github.com/gravitational/teleport/lib/bpf"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/limiter"
"github.com/gravitational/teleport/lib/pam"
"github.com/gravitational/teleport/lib/plugin"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/teleport/lib/srv/app"
"github.com/gravitational/teleport/lib/sshca"
"github.com/gravitational/teleport/lib/tlsca"
"github.com/gravitational/teleport/lib/utils"
"github.com/ghodss/yaml"
"github.com/gravitational/trace"
"github.com/jonboulle/clockwork"
)
// Config structure is used to initialize _all_ services Teleport can run.
// Some settings are global (like DataDir) while others are grouped into
// sections, like AuthConfig.
type Config struct {
	// DataDir provides the directory where Teleport stores its permanent state
	// (in case of an auth server backed by BoltDB) or local state, e.g. keys.
	DataDir string
	// Hostname is the node host name.
	Hostname string

	// Token is used to register this Teleport instance with the auth server.
	// It is a credential: keep it out of logs and debug output.
	Token string

	// AuthServers is a list of auth servers, proxies and peer auth servers to
	// connect to. Yes, this is not just auth servers, the field name is
	// misleading.
	AuthServers []utils.NetAddr
	// Identities is an optional list of pre-generated key pairs
	// for teleport roles, this is helpful when the server is preconfigured.
	// It holds private key material.
	Identities []*auth.Identity

	// AdvertiseIP is used to "publish" an alternative IP address or hostname this node
	// can be reached on, if running behind NAT.
	AdvertiseIP string

	// CachePolicy sets the caching policy for nodes and proxies
	// in case they lose connection to auth servers.
	CachePolicy CachePolicy

	// Auth service configuration. Manages cluster state and configuration.
	Auth AuthConfig
	// Proxy service configuration. Manages incoming and outbound
	// connections to the cluster.
	Proxy ProxyConfig
	// SSH service configuration. Manages SSH servers running within the cluster.
	SSH SSHConfig

	// App service configuration. Manages applications running within the cluster.
	Apps AppsConfig

	// Databases defines database proxy service configuration.
	Databases DatabasesConfig

	// Keygen points to a key generator implementation.
	Keygen sshca.Authority

	// HostUUID is a unique UUID of this host (it will be known via this UUID within
	// a teleport cluster). It's automatically generated on 1st start.
	HostUUID string

	// Console is the writer used to speak to a user.
	Console io.Writer

	// ReverseTunnels is a list of reverse tunnels to create on the
	// first cluster start.
	ReverseTunnels []types.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers.
	OIDCConnectors []types.OIDCConnector

	// PIDFile is the full path of the PID file for the teleport daemon.
	PIDFile string

	// Trust is a service that manages users and credentials.
	Trust services.Trust
	// Presence service is a discovery and heartbeat tracker.
	Presence services.Presence

	// Events is the events service.
	Events types.Events

	// Provisioner is a service that keeps track of provisioning tokens.
	Provisioner services.Provisioner
	// Identity is the identity service. (Its original comment duplicated the
	// one on Trust, "manages users and credentials"; confirm which of the two
	// that description actually belongs to.)
	Identity services.Identity

	// Access is a service that controls access.
	Access services.Access

	// ClusterConfiguration is a service that provides cluster configuration.
	ClusterConfiguration services.ClusterConfiguration

	// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
	// omitted, a Teleport selected list of defaults will be used.
	CipherSuites []uint16
	// Ciphers is a list of SSH ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string
	// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used.
	KEXAlgorithms []string
	// MACAlgorithms is a list of SSH message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used.
	MACAlgorithms []string

	// CASignatureAlgorithm is an SSH Certificate Authority (CA) signature
	// algorithm that the server uses for signing user and host certificates.
	// If omitted, the default will be used.
	CASignatureAlgorithm *string

	// DiagnosticAddr is an address for the diagnostic and healthz endpoint service.
	DiagnosticAddr utils.NetAddr

	// Debug sets debugging mode, which results in the diagnostic address
	// endpoint being extended with additional /debug handlers. Keep
	// DiagnosticAddr off untrusted networks when this is on.
	Debug bool

	// UploadEventsC is a channel for upload events,
	// used in tests.
	UploadEventsC chan events.UploadEvent `json:"-"`

	// FileDescriptors is an optional list of file descriptors for the process
	// to inherit and use for listeners, used for in-process updates.
	FileDescriptors []FileDescriptor
	// PollingPeriod is set to override default internal polling periods
	// of sync agents, used to speed up integration tests.
	PollingPeriod time.Duration
	// ClientTimeout is set to override default client timeouts
	// used by internal clients, used to speed up integration tests.
	ClientTimeout time.Duration
	// ShutdownTimeout is set to override the default shutdown timeout.
	ShutdownTimeout time.Duration

	// CAPin is the SPKI hash of the CA used to verify the Auth Server.
	CAPin string

	// Clock is used to control time in tests.
	Clock clockwork.Clock

	// FIPS means a FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool

	// BPFConfig holds configuration for the BPF service.
	BPFConfig *bpf.Config

	// Kube is a Kubernetes API gateway using Teleport client identities.
	Kube KubeConfig

	// Log optionally specifies the logger.
	Log utils.Logger

	// PluginRegistry allows adding enterprise logic to Teleport services.
	PluginRegistry plugin.Registry
}
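// ApplyToken assigns a given token to all internal services but only if token
// is not an empty string.
//
// The token is resolved through utils.ReadToken before it is stored. If the
// resolution fails, cfg is left untouched (previously cfg.Token was
// overwritten with ReadToken's zero result before the error was returned).
//
// returns:
// true, nil if the token has been modified
// false, nil if the token has not been modified
// false, err if there was an error
func (cfg *Config) ApplyToken(token string) (bool, error) {
	// An empty token is a no-op, not an error.
	if token == "" {
		return false, nil
	}
	resolved, err := utils.ReadToken(token)
	if err != nil {
		return false, trace.Wrap(err)
	}
	cfg.Token = resolved
	return true, nil
}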
// RoleConfig builds the per-role configuration shared by the services this
// process runs: data directory, host identity, auth servers, the auth section
// and the console writer are copied out of cfg.
func (cfg *Config) RoleConfig() RoleConfig {
	var rc RoleConfig
	rc.DataDir = cfg.DataDir
	rc.HostUUID = cfg.HostUUID
	rc.HostName = cfg.Hostname
	rc.AuthServers = cfg.AuthServers
	rc.Auth = cfg.Auth
	rc.Console = cfg.Console
	return rc
}
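// DebugDumpToYAML is useful for debugging: it dumps the Config structure into
// a YAML string. Key material and credentials are blanked in a copy before
// marshaling so the output can be written to stdout or logs. On a marshaling
// error the error text is returned instead of YAML.
func (cfg *Config) DebugDumpToYAML() string {
	// Work on a copy so the live configuration is not modified.
	shallow := *cfg
	// Do not copy sensitive data to stdout: private keys, CA material and the
	// join/provisioning tokens (which are credentials, not just settings).
	shallow.Identities = nil
	shallow.Auth.Authorities = nil
	shallow.Token = ""
	shallow.Auth.StaticTokens = nil
	// NOTE(review): Auth.Resources (bootstrap resources) is dumped as-is;
	// confirm it never carries secrets.
	out, err := yaml.Marshal(shallow)
	if err != nil {
		return err.Error()
	}
	return string(out)
}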
// CachePolicy sets caching policy for proxies and nodes.
type CachePolicy struct {
	// Type sets the cache type; CheckAndSetDefaults lists the accepted values.
	Type string
	// Enabled enables or disables caching.
	Enabled bool
	// TTL sets the maximum TTL for cached values
	// without an explicit TTL set.
	TTL time.Duration
	// NeverExpires means that cache values without a TTL
	// set by the auth server won't expire.
	NeverExpires bool
	// RecentTTL is the recently accessed items cache TTL; nil selects the
	// default (see GetRecentTTL).
	RecentTTL *time.Duration
}
// GetRecentTTL returns the configured recent-items TTL, or the package
// default when RecentTTL was never set.
func (c *CachePolicy) GetRecentTTL() time.Duration {
	if ttl := c.RecentTTL; ttl != nil {
		return *ttl
	}
	return defaults.RecentCacheTTL
}
// CheckAndSetDefaults validates Type and fills in the default cache type.
// An empty Type becomes the lite backend name; the memory backend name is
// accepted as-is; anything else is a BadParameter error.
func (c *CachePolicy) CheckAndSetDefaults() error {
	liteName, memoryName := lite.GetName(), memory.GetName()
	if c.Type == "" || c.Type == liteName {
		c.Type = liteName
		return nil
	}
	if c.Type == memoryName {
		return nil
	}
	return trace.BadParameter("unsupported cache type %q, supported values are %q and %q",
		c.Type, liteName, memoryName)
}
// String returns a human-friendly representation of the policy: whether it
// is enabled, how long frequently accessed items are cached, and when the
// cache expires after the database connection is lost.
func (c CachePolicy) String() string {
	if !c.Enabled {
		return "no cache policy"
	}
	recent := "will not cache frequently accessed items"
	if ttl := c.GetRecentTTL(); ttl != 0 {
		recent = fmt.Sprintf("will cache frequently accessed items for %v", ttl)
	}
	switch {
	case c.NeverExpires:
		return fmt.Sprintf("%v cache that will not expire in case if connection to database is lost, %v", c.Type, recent)
	case c.TTL == 0:
		// No explicit TTL: report the package default.
		return fmt.Sprintf("%v cache that will expire after connection to database is lost after %v, %v", c.Type, defaults.CacheTTL, recent)
	default:
		return fmt.Sprintf("%v cache that will expire after connection to database is lost after %v, %v", c.Type, c.TTL, recent)
	}
}
// ProxyConfig specifies configuration for the proxy service.
type ProxyConfig struct {
	// Enabled turns the proxy role on or off for this process.
	Enabled bool

	// DisableTLS turns TLS off on the proxy, e.g. when self-signed
	// certificates are not wanted.
	DisableTLS bool
	// DisableWebInterface allows turning off serving the Web UI interface.
	DisableWebInterface bool
	// DisableWebService turns off serving the web service completely, including the web UI.
	DisableWebService bool
	// DisableReverseTunnel disables the reverse tunnel on the proxy.
	DisableReverseTunnel bool

	// DisableDatabaseProxy disables the database access proxy listener.
	DisableDatabaseProxy bool
	// ReverseTunnelListenAddr is the address where reverse tunnel dialers connect to.
	ReverseTunnelListenAddr utils.NetAddr

	// EnableProxyProtocol enables PROXY protocol support. The PROXY header is
	// not authenticated, so enable this only when the listeners are reached
	// exclusively through a load balancer that injects it; otherwise the
	// source address a client presents cannot be trusted.
	EnableProxyProtocol bool
	// WebAddr is the address for the web portal of the proxy.
	WebAddr utils.NetAddr

	// SSHAddr is the address of the ssh proxy.
	SSHAddr utils.NetAddr

	// MySQLAddr is the address of the MySQL proxy.
	MySQLAddr utils.NetAddr

	// Limiter limits the connection and request rates.
	Limiter limiter.Config

	// PublicAddrs is a list of the public addresses the proxy advertises
	// for the HTTP endpoint. The hosts in PublicAddrs are included in the
	// list of host principals on the TLS and SSH certificate.
	PublicAddrs []utils.NetAddr

	// SSHPublicAddrs is a list of the public addresses the proxy advertises
	// for the SSH endpoint. The hosts in SSHPublicAddrs are included in the
	// list of host principals on the TLS and SSH certificate.
	SSHPublicAddrs []utils.NetAddr

	// TunnelPublicAddrs is a list of the public addresses the proxy advertises
	// for the tunnel endpoint. The hosts in TunnelPublicAddrs are included in the
	// list of host principals on the TLS and SSH certificate.
	TunnelPublicAddrs []utils.NetAddr

	// PostgresPublicAddrs is a list of the public addresses the proxy
	// advertises for Postgres clients.
	PostgresPublicAddrs []utils.NetAddr
	// MySQLPublicAddrs is a list of the public addresses the proxy
	// advertises for MySQL clients.
	MySQLPublicAddrs []utils.NetAddr

	// Kube specifies kubernetes proxy configuration.
	Kube KubeProxyConfig

	// KeyPairs are the key and certificate pairs that the proxy will load.
	KeyPairs []KeyPairPath

	// ACME is the ACME protocol support config.
	ACME ACME
}
// ACME configures ACME automatic certificate renewal.
type ACME struct {
	// Enabled enables or disables ACME support.
	Enabled bool
	// Email receives notifications from the ACME server.
	Email string
	// URI is the ACME server URI.
	URI string
}
// KeyPairPath holds the paths to a key and certificate file.
type KeyPairPath struct {
	// PrivateKey is the path to a PEM encoded private key.
	PrivateKey string
	// Certificate is the path to a PEM encoded certificate.
	Certificate string
}
// KubeAddr returns the address for the Kubernetes endpoint on this proxy that
// can be reached by clients.
//
// It returns a NotFound error when kubernetes support is off. A configured
// Kube.PublicAddrs entry is used verbatim; otherwise the host is guessed from
// the first HTTP public address (or a "<proxyhost>" placeholder) and combined
// with the kube listen port.
func (c ProxyConfig) KubeAddr() (string, error) {
	if !c.Kube.Enabled {
		return "", trace.NotFound("kubernetes support not enabled on this proxy")
	}
	if addrs := c.Kube.PublicAddrs; len(addrs) > 0 {
		return fmt.Sprintf("https://%s", addrs[0].Addr), nil
	}
	// Try to guess the hostname from the HTTP public_addr.
	host := "<proxyhost>"
	if addrs := c.PublicAddrs; len(addrs) > 0 {
		host = addrs[0].Host()
	}
	port := strconv.Itoa(c.Kube.ListenAddr.Port(defaults.KubeListenPort))
	kubeURL := url.URL{
		Scheme: "https",
		Host:   net.JoinHostPort(host, port),
	}
	return kubeURL.String(), nil
}
// KubeProxyConfig specifies the kubernetes proxy configuration of the proxy service.
type KubeProxyConfig struct {
	// Enabled turns the kubernetes proxy role on or off for this process.
	Enabled bool
	// ListenAddr is the address to listen on for incoming kubernetes requests.
	ListenAddr utils.NetAddr
	// ClusterOverride causes all traffic to go to a specific remote
	// cluster, used only in tests.
	ClusterOverride string
	// PublicAddrs is a list of the public addresses the Teleport Kube proxy can be accessed by,
	// it also affects the host principals and routing logic.
	PublicAddrs []utils.NetAddr
	// KubeconfigPath is a path to a kubeconfig file.
	KubeconfigPath string
	// LegacyKubeProxy specifies that this proxy was configured using the
	// legacy kubernetes section.
	LegacyKubeProxy bool
}
// AuthConfig is the configuration of the auth server.
type AuthConfig struct {
	// Enabled turns the auth role on or off for this process.
	Enabled bool

	// EnableProxyProtocol enables PROXY protocol support. The PROXY header is
	// not authenticated, so enable this only behind a load balancer that
	// injects it.
	EnableProxyProtocol bool
	// SSHAddr is the listening address of the SSH tunnel to the HTTP service.
	SSHAddr utils.NetAddr

	// Authorities is a set of trusted certificate authorities
	// that will be added by this auth server on the first start.
	Authorities []types.CertAuthority

	// Resources is a set of previously backed up resources
	// used to bootstrap backend state on the first start.
	Resources []types.Resource

	// Roles is a set of roles to pre-provision for this cluster.
	Roles []types.Role

	// ClusterName is a name that identifies this authority and all
	// host nodes in the cluster that will share this authority domain name
	// as a base name, e.g. if the authority domain name is example.com,
	// all nodes in the cluster will have UUIDs in the form: <uuid>.example.com
	ClusterName types.ClusterName

	// StaticTokens are pre-defined host provisioning tokens supplied via the config file for
	// environments where paranoid security is not needed. They are credentials
	// and should be treated like any other secret in the config file.
	StaticTokens types.StaticTokens

	// StorageConfig contains configuration settings for the storage backend.
	StorageConfig backend.Config

	// Limiter limits the connection and request rates.
	Limiter limiter.Config
	// NoAudit, when set to true, disables session recording and event audit.
	NoAudit bool

	// Preference defines the authentication preference (type and second factor) for
	// the auth server.
	Preference types.AuthPreference

	// ClusterConfig stores cluster level configuration.
	ClusterConfig types.ClusterConfig

	// AuditConfig stores cluster audit configuration.
	AuditConfig types.ClusterAuditConfig
	// NetworkingConfig stores cluster networking configuration.
	NetworkingConfig types.ClusterNetworkingConfig
	// SessionRecordingConfig stores session recording configuration.
	SessionRecordingConfig types.SessionRecordingConfig
	// LicenseFile is the full path to the license file.
	LicenseFile string
	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr
}
// SSHConfig configures the SSH server node role.
type SSHConfig struct {
	// Enabled turns the SSH node role on or off for this process.
	Enabled bool
	// Addr is the SSH service address (presumably the listen address —
	// confirm against the code that opens the listener).
	Addr utils.NetAddr
	// Namespace is the namespace this node is placed in — confirm with the
	// caller that sets it.
	Namespace string
	// Shell is the shell used for sessions — assumed to be the login shell;
	// verify.
	Shell string
	// Limiter limits the connection and request rates.
	Limiter limiter.Config
	// Labels are static labels attached to this node.
	Labels map[string]string
	// CmdLabels are command-driven (dynamic) labels attached to this node.
	CmdLabels services.CommandLabels
	// PermitUserEnvironment controls whether user-supplied environment
	// variables are honored in sessions (mirrors the sshd option of the same
	// name — confirm the exact source of the environment).
	PermitUserEnvironment bool
	// PAM holds PAM configuration for Teleport.
	PAM *pam.Config
	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr
	// BPF holds BPF configuration for Teleport.
	BPF *bpf.Config
	// ProxyReverseTunnelFallbackAddr optionally specifies the address of the proxy if the reverse tunnel
	// discovered proxy fails.
	// This configuration is not exposed directly but can be set from the environment via
	// defaults.ProxyFallbackAddrEnvar.
	//
	// See github.com/gravitational/teleport/issues/4141 for details.
	ProxyReverseTunnelFallbackAddr *utils.NetAddr
	// AllowTCPForwarding indicates that TCP port forwarding is allowed on this node.
	AllowTCPForwarding bool
}
// KubeConfig specifies configuration for kubernetes service
type KubeConfig struct {
	// Enabled turns kubernetes service role on or off for this process.
	// ApplyDefaults leaves it off.
	Enabled bool
	// ListenAddr is the address to listen on for incoming kubernetes requests.
	// Optional.
	ListenAddr *utils.NetAddr
	// PublicAddrs is a list of the public addresses the Teleport kubernetes
	// service can be reached by the proxy service.
	PublicAddrs []utils.NetAddr
	// KubeClusterName is the name of a kubernetes cluster this proxy is running
	// in. If empty, defaults to the Teleport cluster name.
	KubeClusterName string
	// KubeconfigPath is a path to kubeconfig.
	KubeconfigPath string
	// StaticLabels are static labels used for RBAC on clusters.
	StaticLabels map[string]string
	// DynamicLabels are command-driven labels used for RBAC on clusters.
	DynamicLabels services.CommandLabels
	// Limiter limits the connection and request rates; ApplyDefaults
	// initializes it through defaults.ConfigureLimiter even when the
	// service is disabled.
	Limiter limiter.Config
}
// DatabasesConfig configures the database proxy service.
type DatabasesConfig struct {
	// Enabled enables the database proxy service. ApplyDefaults leaves it off.
	Enabled bool
	// Databases is a list of databases proxied by this service. Each entry
	// carries its own validation in Database.Check.
	Databases []Database
}
// Database represents a single database that's being proxied.
//
// The constraints below are the ones enforced by Database.Check.
type Database struct {
	// Name is the database name, used to refer to in CLI. Must be non-empty
	// and a valid DNS-1035 label.
	Name string
	// Description is a free-form database description.
	Description string
	// Protocol is the database type, e.g. postgres or mysql. Must be one of
	// defaults.DatabaseProtocols.
	Protocol string
	// URI is the database endpoint to connect to, in host:port form.
	URI string
	// StaticLabels is a map of database static labels.
	StaticLabels map[string]string
	// DynamicLabels is a list of database dynamic labels.
	DynamicLabels services.CommandLabels
	// CACert is an optional database CA certificate. When set it must be a
	// PEM encoded x509 certificate; it is required for Cloud SQL databases.
	CACert []byte
	// AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
	AWS DatabaseAWS
	// GCP contains GCP specific settings for Cloud SQL databases.
	GCP DatabaseGCP
}
// DatabaseAWS contains AWS specific settings for RDS/Aurora/Redshift databases.
type DatabaseAWS struct {
	// Region is the cloud region database is running in when using AWS RDS.
	// Database.Check requires it whenever Redshift.ClusterID is set.
	Region string
	// Redshift contains Redshift specific settings.
	Redshift DatabaseAWSRedshift
}
// DatabaseAWSRedshift contains AWS Redshift specific settings.
type DatabaseAWSRedshift struct {
	// ClusterID is the Redshift cluster identifier. Setting it marks the
	// database as Redshift and makes DatabaseAWS.Region mandatory.
	ClusterID string
}
// DatabaseGCP contains GCP specific settings for Cloud SQL databases.
//
// ProjectID and InstanceID must be given together; when both are set
// Database.Check additionally requires the postgres protocol and a CACert.
type DatabaseGCP struct {
	// ProjectID is the GCP project ID where the database is deployed.
	ProjectID string
	// InstanceID is the Cloud SQL instance ID.
	InstanceID string
}
// Check validates the database proxy configuration.
//
// It reports the first problem found as a trace.BadParameter error: an empty
// or non DNS-1035 name, a protocol outside defaults.DatabaseProtocols, a URI
// that is not host:port, a CACert that does not parse as a PEM x509
// certificate, a Redshift cluster without a region, or inconsistent Cloud SQL
// settings. A nil return means every check passed.
func (d *Database) Check() error {
	if d.Name == "" {
		return trace.BadParameter("empty database name")
	}
	// Database names don't strictly have to be subdomains (unlike app
	// names), but the DNS-1035 rule is reused so both services validate
	// names the same way.
	if problems := validation.IsDNS1035Label(d.Name); len(problems) != 0 {
		return trace.BadParameter("invalid database %q name: %v", d.Name, problems)
	}
	if !apiutils.SliceContainsStr(defaults.DatabaseProtocols, d.Protocol) {
		return trace.BadParameter("unsupported database %q protocol %q, supported are: %v",
			d.Name, d.Protocol, defaults.DatabaseProtocols)
	}
	if _, _, err := net.SplitHostPort(d.URI); err != nil {
		return trace.BadParameter("invalid database %q address %q: %v",
			d.Name, d.URI, err)
	}
	if len(d.CACert) > 0 {
		if _, err := tlsca.ParseCertificatePEM(d.CACert); err != nil {
			return trace.BadParameter("provided database %q CA doesn't appear to be a valid x509 certificate: %v",
				d.Name, err)
		}
	}

	// Redshift: a cluster identifier is only usable together with a region.
	if d.AWS.Redshift.ClusterID != "" && d.AWS.Region == "" {
		return trace.BadParameter("missing AWS region for Redshift database %q", d.Name)
	}

	// Cloud SQL: project and instance must be configured together.
	hasProject := d.GCP.ProjectID != ""
	hasInstance := d.GCP.InstanceID != ""
	if hasProject && !hasInstance {
		return trace.BadParameter("missing Cloud SQL instance ID for database %q", d.Name)
	}
	if hasInstance && !hasProject {
		return trace.BadParameter("missing Cloud SQL project ID for database %q", d.Name)
	}
	if !hasProject {
		// Not a Cloud SQL database; nothing more to verify.
		return nil
	}
	// Cloud SQL IAM authentication is only available for Postgres so far;
	// revisit once it expands to MySQL:
	// https://cloud.google.com/sql/docs/postgres/authentication
	if d.Protocol != defaults.ProtocolPostgres {
		return trace.BadParameter("Cloud SQL IAM authentication is currently supported only for PostgreSQL databases, can't use database %q with protocol %q", d.Name, d.Protocol)
	}
	// TODO(r0mant): See if we can download it automatically similar to RDS:
	// https://cloud.google.com/sql/docs/postgres/instance-info#rest-v1beta4
	if len(d.CACert) == 0 {
		return trace.BadParameter("missing Cloud SQL instance root certificate for database %q", d.Name)
	}
	return nil
}
// AppsConfig configures application proxy service.
type AppsConfig struct {
	// Enabled enables application proxying service. ApplyDefaults leaves it off.
	Enabled bool
	// DebugApp enables a header dumping debugging application.
	DebugApp bool
	// Apps is the list of applications that are being proxied. Each entry
	// carries its own validation in App.Check.
	Apps []App
}
// App is the specific application that will be proxied by the application
// service. This needs to exist because if the "config" package tries to
// directly create a services.App it will get into circular imports.
//
// The constraints below are the ones enforced by App.Check.
type App struct {
	// Name of the application. Must be non-empty and a valid DNS-1035 label,
	// because it becomes part of the domain the app is served at.
	Name string
	// Description is the app description.
	Description string
	// URI is the internal address of the application. Must be non-empty and
	// parse with url.Parse.
	URI string
	// Public address of the application. This is the address users will access
	// the application at. Optional; when set it must be a DNS name with no
	// port and must not be an IP address.
	PublicAddr string
	// StaticLabels is a map of static labels to apply to this application.
	StaticLabels map[string]string
	// DynamicLabels is a list of dynamic labels to apply to this application.
	DynamicLabels services.CommandLabels
	// InsecureSkipVerify is used to skip validating the server's certificate,
	// i.e. the TLS certificate presented by the proxied application's backend
	// is accepted without verification.
	InsecureSkipVerify bool
	// Rewrite defines a block that is used to rewrite requests and responses.
	// Header rewrites naming a reserved header are rejected by App.Check.
	Rewrite *Rewrite
}
// Check validates an application.
//
// It reports the first problem found as a trace.BadParameter error: a
// missing name or URI, a name that is not a valid DNS subdomain, a URI that
// url.Parse rejects, a public address carrying a port or given as an IP
// address, or a header rewrite that targets a reserved header. A nil return
// means every check passed.
func (a App) Check() error {
	switch {
	case a.Name == "":
		return trace.BadParameter("missing application name")
	case a.URI == "":
		return trace.BadParameter("missing application %q URI", a.Name)
	}

	// For trusted clusters the name is used to build the domain the app is
	// served at, so anything that is not a valid subdomain is rejected.
	if problems := validation.IsDNS1035Label(a.Name); len(problems) != 0 {
		return trace.BadParameter("application name %q must be a valid DNS subdomain: https://goteleport.com/teleport/docs/application-access/#application-name", a.Name)
	}

	if _, err := url.Parse(a.URI); err != nil {
		return trace.BadParameter("application %q URI invalid: %v", a.Name, err)
	}

	if addr := a.PublicAddr; addr != "" {
		// Apps are served on the web proxy port, so an explicit port makes
		// no sense here.
		if _, _, err := net.SplitHostPort(addr); err == nil {
			return trace.BadParameter("application %q public_addr %q can not contain a port, applications will be available on the same port as the web proxy", a.Name, addr)
		}
		// Routing is by DNS name, so a bare IP address cannot work either.
		if net.ParseIP(addr) != nil {
			return trace.BadParameter("application %q public_addr %q can not be an IP address, Teleport Application Access uses DNS names for routing", a.Name, addr)
		}
	}

	if a.Rewrite == nil {
		return nil
	}
	// Reserved headers would not be rewritten even if accepted here; fail
	// early so the operator learns about it at config time.
	for _, hdr := range a.Rewrite.Headers {
		if app.IsReservedHeader(hdr.Name) {
			return trace.BadParameter("invalid application %q header rewrite configuration: header %q is reserved and can't be rewritten",
				a.Name, http.CanonicalHeaderKey(hdr.Name))
		}
	}
	return nil
}
// Rewrite is a list of rewriting rules to apply to requests and responses.
type Rewrite struct {
	// Redirect is a list of hosts that should be rewritten to the public address.
	Redirect []string
	// Headers is a list of extra headers to inject in the request. Entries
	// naming a reserved header are rejected by App.Check.
	Headers []Header
}
// Header represents a single http header passed over to the proxied application.
//
// Values produced by ParseHeader have passed httpguts field name and value
// validation and are trimmed of surrounding whitespace.
type Header struct {
	// Name is the http header name.
	Name string
	// Value is the http header value.
	Value string
}
// ParseHeader parses the provided string as a http header.
//
// The input has the form "Name: Value"; only the first colon separates the
// two parts and both are trimmed of surrounding whitespace. The name must be
// a valid header field name and the value a valid field value according to
// httpguts, which rejects control characters such as CR/LF. A
// trace.BadParameter error is returned for any malformed input.
func ParseHeader(header string) (*Header, error) {
	sep := strings.Index(header, ":")
	if sep < 0 {
		return nil, trace.BadParameter("failed to parse %q as http header", header)
	}
	name := strings.TrimSpace(header[:sep])
	value := strings.TrimSpace(header[sep+1:])
	switch {
	case !httpguts.ValidHeaderFieldName(name):
		return nil, trace.BadParameter("invalid http header name: %q", header)
	case !httpguts.ValidHeaderFieldValue(value):
		return nil, trace.BadParameter("invalid http header value: %q", header)
	}
	return &Header{Name: name, Value: value}, nil
}
// ParseHeaders parses the provided list as http headers.
//
// Each element goes through ParseHeader; the first failure is returned
// wrapped and no partial result is produced. An empty input yields a nil
// slice.
func ParseHeaders(headers []string) (headersOut []Header, err error) {
	for _, raw := range headers {
		parsed, parseErr := ParseHeader(raw)
		if parseErr != nil {
			return nil, trace.Wrap(parseErr)
		}
		headersOut = append(headersOut, *parsed)
	}
	return headersOut, nil
}
// MakeDefaultConfig creates a new Config structure and populates it with defaults
//
// It is equivalent to allocating a zero Config and passing it to ApplyDefaults.
func MakeDefaultConfig() (config *Config) {
	config = new(Config)
	ApplyDefaults(config)
	return config
}
// ApplyDefaults applies default values to the existing config structure
//
// Process-wide settings (logger, hostname, data directory, console and the
// TLS/SSH primitive lists) are filled first, followed by each service
// section. The auth section reads cfg.DataDir and the hostname fallback
// logs through cfg.Log, so that order is deliberate.
func ApplyDefaults(cfg *Config) {
	// Start from the golang.org/x/crypto/ssh defaults for ciphers, key
	// exchanges and MACs.
	var sshDefaults ssh.Config
	sshDefaults.SetDefaults()

	if cfg.Log == nil {
		cfg.Log = utils.NewLogger()
	}

	// The SHA-1 based key exchanges and MACs are pruned from the defaults:
	// they can still be re-enabled through the file configuration but are
	// not offered out of the box. See #1856 for the background.
	kexAlgos := utils.RemoveFromSlice(sshDefaults.KeyExchanges,
		defaults.DiffieHellmanGroup1SHA1,
		defaults.DiffieHellmanGroup14SHA1)
	macAlgos := utils.RemoveFromSlice(sshDefaults.MACs,
		defaults.HMACSHA1,
		defaults.HMACSHA196)

	host, err := os.Hostname()
	if err != nil {
		// Not fatal: fall back to a fixed name and report the failure.
		host = "localhost"
		cfg.Log.Errorf("Failed to determine hostname: %v.", err)
	}

	// Global defaults.
	cfg.Hostname = host
	cfg.DataDir = defaults.DataDir
	cfg.Console = os.Stdout
	cfg.CipherSuites = utils.DefaultCipherSuites()
	cfg.Ciphers = sshDefaults.Ciphers
	cfg.KEXAlgorithms = kexAlgos
	cfg.MACAlgorithms = macAlgos

	setAuthDefaults(cfg)
	setProxyDefaults(cfg)
	setSSHDefaults(cfg)

	// Kubernetes service is off by default; its limiter is still initialized.
	cfg.Kube.Enabled = false
	defaults.ConfigureLimiter(&cfg.Kube.Limiter)

	// Application and database proxy services are off by default.
	cfg.Apps.Enabled = false
	cfg.Databases.Enabled = false
}

// setAuthDefaults fills the auth service section; it relies on cfg.DataDir
// already being set for the backend path and the license file location.
func setAuthDefaults(cfg *Config) {
	cfg.Auth.Enabled = true
	cfg.Auth.SSHAddr = *defaults.AuthListenAddr()
	cfg.Auth.StorageConfig.Type = lite.GetName()
	cfg.Auth.StorageConfig.Params = backend.Params{
		defaults.BackendPath: filepath.Join(cfg.DataDir, defaults.BackendDir),
	}
	cfg.Auth.StaticTokens = services.DefaultStaticTokens()
	cfg.Auth.ClusterConfig = services.DefaultClusterConfig()
	cfg.Auth.AuditConfig = types.DefaultClusterAuditConfig()
	cfg.Auth.NetworkingConfig = types.DefaultClusterNetworkingConfig()
	cfg.Auth.SessionRecordingConfig = types.DefaultSessionRecordingConfig()
	cfg.Auth.Preference = types.DefaultAuthPreference()
	defaults.ConfigureLimiter(&cfg.Auth.Limiter)
	cfg.Auth.LicenseFile = filepath.Join(cfg.DataDir, defaults.LicenseFile)
}

// setProxyDefaults fills the proxy service section, including the
// kubernetes proxy, which stays disabled.
func setProxyDefaults(cfg *Config) {
	cfg.Proxy.Enabled = true
	cfg.Proxy.SSHAddr = *defaults.ProxyListenAddr()
	cfg.Proxy.WebAddr = *defaults.ProxyWebListenAddr()
	cfg.Proxy.ReverseTunnelListenAddr = *defaults.ReverseTunnelListenAddr()
	defaults.ConfigureLimiter(&cfg.Proxy.Limiter)
	cfg.Proxy.Kube.Enabled = false
	cfg.Proxy.Kube.ListenAddr = *defaults.KubeProxyListenAddr()
}

// setSSHDefaults fills the SSH node service section: enabled, default shell,
// PAM and BPF off, TCP forwarding allowed.
func setSSHDefaults(cfg *Config) {
	cfg.SSH.Enabled = true
	cfg.SSH.Shell = defaults.DefaultShell
	defaults.ConfigureLimiter(&cfg.SSH.Limiter)
	cfg.SSH.PAM = &pam.Config{Enabled: false}
	cfg.SSH.BPF = &bpf.Config{Enabled: false}
	cfg.SSH.AllowTCPForwarding = true
}
// ApplyFIPSDefaults updates default configuration to be FedRAMP/FIPS 140-2
// compliant.
//
// NOTE(review): it calls methods on cfg.Auth.Preference and
// cfg.Auth.SessionRecordingConfig, which ApplyDefaults populates; calling it
// on a config that never went through ApplyDefaults presumably panics on a
// nil value — confirm callers always apply defaults first.
func ApplyFIPSDefaults(cfg *Config) {
	cfg.FIPS = true

	// Swap the TLS cipher suites and the SSH ciphers, key exchanges and MACs
	// for the FIPS approved lists.
	cfg.CipherSuites, cfg.Ciphers = defaults.FIPSCipherSuites, defaults.FIPSCiphers
	cfg.KEXAlgorithms, cfg.MACAlgorithms = defaults.FIPSKEXAlgorithms, defaults.FIPSMACAlgorithms

	// Local authentication is switched off so only SSO remains; the SSO
	// provider is where FedRAMP/FIPS 140-2 requirements such as password
	// complexity are enforced.
	cfg.Auth.Preference.SetAllowLocalAuth(false)

	// Sessions are recorded at the node so the whole cluster, not just the
	// proxy, stays within the compliant configuration.
	cfg.Auth.SessionRecordingConfig.SetMode(types.RecordAtNode)
}