/*
Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package service
import (
"fmt"
"io"
"os"
"path/filepath"
"time"
"golang.org/x/crypto/ssh"
"github.com/gravitational/teleport/lib/auth"
"github.com/gravitational/teleport/lib/backend"
"github.com/gravitational/teleport/lib/backend/lite"
"github.com/gravitational/teleport/lib/bpf"
"github.com/gravitational/teleport/lib/defaults"
"github.com/gravitational/teleport/lib/events"
"github.com/gravitational/teleport/lib/limiter"
"github.com/gravitational/teleport/lib/pam"
"github.com/gravitational/teleport/lib/services"
"github.com/gravitational/teleport/lib/sshca"
"github.com/gravitational/teleport/lib/utils"
"github.com/ghodss/yaml"
"github.com/gravitational/trace"
"github.com/jonboulle/clockwork"
)
// Config structure is used to initialize _all_ services Teleport can run.
// Some settings are global (like DataDir) while others are grouped into
// sections, like AuthConfig.
type Config struct {
	// DataDir provides directory where teleport stores its permanent state
	// (in case of auth server backed by BoltDB) or local state, e.g. keys
	DataDir string

	// Hostname is a node host name
	Hostname string

	// Token is used to register this Teleport instance with the auth server.
	// It is a join credential and should be treated as a secret.
	Token string

	// AuthServers is a list of auth servers nodes, proxies and peer auth servers
	// connect to
	AuthServers []utils.NetAddr

	// Identities is an optional list of pre-generated key pairs
	// for teleport roles, this is helpful when server is preconfigured.
	// These carry private key material.
	Identities []*auth.Identity

	// AdvertiseIP is used to "publish" an alternative IP address or hostname this node
	// can be reached on, if running behind NAT
	AdvertiseIP string

	// CachePolicy sets caching policy for nodes and proxies
	// in case if they lose connection to auth servers
	CachePolicy CachePolicy

	// SSH configures the SSH node role (an SSH endpoint server)
	SSH SSHConfig

	// Auth configures the authentication and authorization server role
	Auth AuthConfig

	// Keygen points to a key generator implementation
	Keygen sshca.Authority

	// Proxy is SSH proxy that manages incoming and outbound connections
	// via multiple reverse tunnels
	Proxy ProxyConfig

	// HostUUID is a unique UUID of this host (it will be known via this UUID within
	// a teleport cluster). It's automatically generated on 1st start
	HostUUID string

	// Console is the writer used to speak to a user
	Console io.Writer

	// ReverseTunnels is a list of reverse tunnels to create on the
	// first cluster start
	ReverseTunnels []services.ReverseTunnel

	// OIDCConnectors is a list of trusted OpenID Connect identity providers
	OIDCConnectors []services.OIDCConnector

	// PIDFile is a full path of the PID file for teleport daemon
	PIDFile string

	// Trust is a service that manages users and credentials
	Trust services.Trust

	// Presence service is a discovery and heartbeat tracker
	Presence services.Presence

	// Events is the events service
	Events services.Events

	// Provisioner is a service that keeps track of provisioning tokens
	Provisioner services.Provisioner

	// Identity is a service that manages users and credentials
	Identity services.Identity

	// Access is a service that controls access
	Access services.Access

	// ClusterConfiguration is a service that provides cluster configuration
	ClusterConfiguration services.ClusterConfiguration

	// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
	// omitted, a Teleport selected list of defaults will be used.
	CipherSuites []uint16

	// Ciphers is a list of SSH ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string

	// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used.
	KEXAlgorithms []string

	// MACAlgorithms is a list of SSH message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used.
	MACAlgorithms []string

	// DiagnosticAddr is an address for diagnostic and healthz endpoint service
	DiagnosticAddr utils.NetAddr

	// Debug sets debugging mode, results in diagnostic address
	// endpoint extended with additional /debug handlers
	Debug bool

	// UploadEventsC is a channel for upload events
	// used in tests
	UploadEventsC chan *events.UploadEvent `json:"-"`

	// FileDescriptors is an optional list of file descriptors for the process
	// to inherit and use for listeners, used for in-process updates.
	FileDescriptors []FileDescriptor

	// PollingPeriod is set to override default internal polling periods
	// of sync agents, used to speed up integration tests.
	PollingPeriod time.Duration

	// ClientTimeout is set to override default client timeouts
	// used by internal clients, used to speed up integration tests.
	ClientTimeout time.Duration

	// ShutdownTimeout is set to override default shutdown timeout.
	ShutdownTimeout time.Duration

	// CAPin is the SPKI hash of the CA used to verify the Auth Server.
	CAPin string

	// Clock is used to control time in tests.
	Clock clockwork.Clock

	// FIPS means FedRAMP/FIPS 140-2 compliant configuration was requested.
	FIPS bool

	// BPFConfig holds configuration for the BPF service.
	BPFConfig *bpf.Config
}
// ApplyToken assigns a given token to all internal services, but only if
// token is not an empty string. The token value is resolved through
// utils.ReadToken before being stored in cfg.Token.
//
// It returns (true, nil) when cfg.Token was modified, (false, nil) when the
// token was empty and nothing changed, and (false, err) when
// utils.ReadToken failed.
func (cfg *Config) ApplyToken(token string) (bool, error) {
	if token == "" {
		return false, nil
	}
	// Note: cfg.Token is assigned whatever ReadToken returned even on error,
	// matching the original assignment order.
	resolved, err := utils.ReadToken(token)
	cfg.Token = resolved
	if err != nil {
		return false, trace.Wrap(err)
	}
	return true, nil
}
// RoleConfig builds the per-role configuration shared by every Teleport role
// from the global settings of this Config (data directory, host identity,
// auth servers, auth section and console writer).
func (cfg *Config) RoleConfig() RoleConfig {
	var rc RoleConfig
	rc.DataDir = cfg.DataDir
	rc.HostUUID = cfg.HostUUID
	rc.HostName = cfg.Hostname
	rc.AuthServers = cfg.AuthServers
	rc.Auth = cfg.Auth
	rc.Console = cfg.Console
	return rc
}
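// DebugDumpToYAML is useful for debugging: it dumps the Config structure into
// a YAML string with credential-bearing fields blanked out. If marshaling
// fails, the error text is returned instead of YAML.
func (cfg *Config) DebugDumpToYAML() string {
	// Work on a shallow copy so the caller's configuration is left untouched;
	// only the copy's fields are cleared below.
	shallow := *cfg

	// Do not copy sensitive data to stdout. Besides the pre-generated
	// identities and trusted CAs, the join token, the proxy TLS private key
	// and the static provisioning tokens are credentials and must not end up
	// in a debug dump.
	shallow.Identities = nil
	shallow.Auth.Authorities = nil
	shallow.Token = ""
	shallow.Proxy.TLSKey = ""
	shallow.Auth.StaticTokens = nil
	// NOTE(review): Auth.Resources is backed-up backend state and may also
	// carry secrets; it is still included here — confirm whether it should be
	// redacted as well.

	out, err := yaml.Marshal(shallow)
	if err != nil {
		return err.Error()
	}
	return string(out)
}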
// CachePolicy sets caching policy for proxies and nodes.
type CachePolicy struct {
	// Enabled enables or disables caching
	Enabled bool
	// TTL sets maximum TTL for the cached values
	// without explicit TTL set
	TTL time.Duration
	// NeverExpires means that cache values without TTL
	// set by the auth server won't expire
	NeverExpires bool
	// RecentTTL is the recently accessed items cache TTL.
	// nil means "use defaults.RecentCacheTTL" (see GetRecentTTL); a non-nil
	// zero value is reported by String as not caching frequently accessed items.
	RecentTTL *time.Duration
}
// GetRecentTTL returns the recently-accessed-items TTL that was explicitly
// set, or defaults.RecentCacheTTL when RecentTTL is nil.
func (c *CachePolicy) GetRecentTTL() time.Duration {
	if ttl := c.RecentTTL; ttl != nil {
		return *ttl
	}
	return defaults.RecentCacheTTL
}
// String returns a human-friendly representation of the policy: whether the
// cache is enabled, how long entries live once the connection to the
// database is lost, and how the recently accessed items cache behaves.
func (c CachePolicy) String() string {
	const (
		expiringFormat    = "cache that will expire after connection to database is lost after %v, %v"
		nonExpiringFormat = "cache that will not expire in case if connection to database is lost, %v"
	)
	if !c.Enabled {
		return "no cache policy"
	}

	// Describe the recently-accessed-items cache first; it is appended to
	// every description of an enabled policy below.
	recent := "will not cache frequently accessed items"
	if recentTTL := c.GetRecentTTL(); recentTTL != 0 {
		recent = fmt.Sprintf("will cache frequently accessed items for %v", recentTTL)
	}

	switch {
	case c.NeverExpires:
		return fmt.Sprintf(nonExpiringFormat, recent)
	case c.TTL == 0:
		// No explicit TTL configured: report the package default instead.
		return fmt.Sprintf(expiringFormat, defaults.CacheTTL, recent)
	default:
		return fmt.Sprintf(expiringFormat, c.TTL, recent)
	}
}
// ProxyConfig specifies configuration for proxy service
type ProxyConfig struct {
	// Enabled turns proxy role on or off for this process
	Enabled bool

	// DisableTLS is enabled if we don't want self signed certs
	DisableTLS bool

	// DisableWebInterface allows to turn off serving the Web UI interface
	DisableWebInterface bool

	// DisableWebService turns off serving web service completely, including web UI
	DisableWebService bool

	// DisableReverseTunnel disables reverse tunnel on the proxy
	DisableReverseTunnel bool

	// ReverseTunnelListenAddr is address where reverse tunnel dialers connect to
	ReverseTunnelListenAddr utils.NetAddr

	// EnableProxyProtocol enables proxy protocol support. The client address
	// carried in a PROXY header is trusted, so this should only be turned on
	// when a load balancer in front of the proxy always adds that header.
	EnableProxyProtocol bool

	// WebAddr is address for web portal of the proxy
	WebAddr utils.NetAddr

	// SSHAddr is address of ssh proxy
	SSHAddr utils.NetAddr

	// TLSKey is a base64 encoded private key used by web portal.
	// It is secret key material.
	TLSKey string

	// TLSCert is a base64 encoded certificate used by web portal
	TLSCert string

	// Limiter holds the rate limiter settings for the proxy
	// (populated with defaults by defaults.ConfigureLimiter)
	Limiter limiter.LimiterConfig

	// PublicAddrs is a list of the public addresses the proxy advertises
	// for the HTTP endpoint. The hosts in PublicAddrs are included in the
	// list of host principals on the TLS and SSH certificate.
	PublicAddrs []utils.NetAddr

	// SSHPublicAddrs is a list of the public addresses the proxy advertises
	// for the SSH endpoint. The hosts in SSHPublicAddrs are included in the
	// list of host principals on the TLS and SSH certificate.
	SSHPublicAddrs []utils.NetAddr

	// TunnelPublicAddrs is a list of the public addresses the proxy advertises
	// for the tunnel endpoint. The hosts in TunnelPublicAddrs are included in the
	// list of host principals on the TLS and SSH certificate.
	TunnelPublicAddrs []utils.NetAddr

	// Kube specifies kubernetes proxy configuration
	Kube KubeProxyConfig
}
// KubeProxyConfig specifies configuration for the kubernetes proxy service
type KubeProxyConfig struct {
	// Enabled turns kubernetes proxy role on or off for this process
	Enabled bool

	// ListenAddr is the address the kubernetes proxy listens on
	// (defaulted from defaults.KubeProxyListenAddr)
	ListenAddr utils.NetAddr

	// APIAddr is address of kubernetes API server
	APIAddr utils.NetAddr

	// ClusterOverride causes all traffic to go to a specific remote
	// cluster, used only in tests
	ClusterOverride string

	// CACert is a PEM encoded kubernetes CA certificate
	CACert []byte

	// PublicAddrs is a list of the public addresses the Teleport Kube proxy can be accessed by,
	// it also affects the host principals and routing logic
	PublicAddrs []utils.NetAddr

	// KubeconfigPath is a path to kubeconfig
	KubeconfigPath string
}
// AuthConfig is a configuration of the auth server
type AuthConfig struct {
	// Enabled turns auth role on or off for this process
	Enabled bool

	// EnableProxyProtocol enables proxy protocol support. The client address
	// carried in a PROXY header is trusted, so this should only be turned on
	// when a load balancer in front of the auth server always adds it.
	EnableProxyProtocol bool

	// SSHAddr is the listening address of SSH tunnel to HTTP service
	SSHAddr utils.NetAddr

	// Authorities is a set of trusted certificate authorities
	// that will be added by this auth server on the first start
	Authorities []services.CertAuthority

	// Resources is a set of previously backed up resources
	// used to bootstrap backend state on the first start.
	Resources []services.Resource

	// Roles is a set of roles to pre-provision for this cluster
	Roles []services.Role

	// ClusterName is a name that identifies this authority and all
	// host nodes in the cluster that will share this authority domain name
	// as a base name, e.g. if authority domain name is example.com,
	// all nodes in the cluster will have UUIDs in the form: <uuid>.example.com
	ClusterName services.ClusterName

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed. They are
	// credentials and should be treated as secrets.
	StaticTokens services.StaticTokens

	// StorageConfig contains configuration settings for the storage backend.
	StorageConfig backend.Config

	// Limiter holds the rate limiter settings for the auth server
	// (populated with defaults by defaults.ConfigureLimiter)
	Limiter limiter.LimiterConfig

	// NoAudit, when set to true, disables session recording and event audit
	NoAudit bool

	// Preference defines the authentication preference (type and second factor) for
	// the auth server.
	Preference services.AuthPreference

	// ClusterConfig stores cluster level configuration.
	ClusterConfig services.ClusterConfig

	// LicenseFile is a full path to the license file
	LicenseFile string

	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr
}
// SSHConfig configures SSH server node role
type SSHConfig struct {
	// Enabled turns the SSH node role on or off for this process
	Enabled bool
	// Addr is the address of the SSH service. It is not populated by
	// ApplyDefaults; presumably the listen address — confirm against the
	// node startup code.
	Addr utils.NetAddr
	// Namespace is the namespace the node is placed in (not defaulted here)
	Namespace string
	// Shell is the login shell used for sessions; ApplyDefaults sets it to
	// defaults.DefaultShell
	Shell string
	// Limiter holds the rate limiter settings for the SSH service
	// (populated with defaults by defaults.ConfigureLimiter)
	Limiter limiter.LimiterConfig
	// Labels are static labels attached to this node
	Labels map[string]string
	// CmdLabels are command labels attached to this node
	CmdLabels services.CommandLabels
	// PermitUserEnvironment allows user-supplied environment to be applied
	// to sessions. NOTE(review): the exact semantics live in the session
	// code — confirm there.
	PermitUserEnvironment bool

	// PAM holds PAM configuration for Teleport.
	PAM *pam.Config

	// PublicAddrs affects the SSH host principals and DNS names added to the SSH and TLS certs.
	PublicAddrs []utils.NetAddr

	// BPF holds BPF configuration for Teleport.
	BPF *bpf.Config
}
// MakeDefaultConfig allocates a new Config and populates it with the
// defaults applied by ApplyDefaults.
func MakeDefaultConfig() *Config {
	cfg := new(Config)
	ApplyDefaults(cfg)
	return cfg
}
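// ApplyDefaults applies default values to the existing config structure.
// Every field it touches is overwritten unconditionally, so it is meant to
// run before any user-supplied configuration is layered on top.
func ApplyDefaults(cfg *Config) {
	// Get defaults for Cipher, Kex algorithms, and MAC algorithms from
	// golang.org/x/crypto/ssh default config.
	var sc ssh.Config
	sc.SetDefaults()

	// Remove insecure and (borderline insecure) cryptographic primitives from
	// default configuration. These can still be added back in file configuration by
	// users, but not supported by default by Teleport. See #1856 for more
	// details.
	kex := utils.RemoveFromSlice(sc.KeyExchanges,
		defaults.DiffieHellmanGroup1SHA1,
		defaults.DiffieHellmanGroup14SHA1)
	macs := utils.RemoveFromSlice(sc.MACs,
		defaults.HMACSHA1,
		defaults.HMACSHA196)

	// Fall back to "localhost" rather than failing; the error is logged so
	// the fallback is visible.
	hostname, err := os.Hostname()
	if err != nil {
		hostname = "localhost"
		log.Errorf("Failed to determine hostname: %v.", err)
	}

	// Global defaults.
	cfg.Hostname = hostname
	cfg.DataDir = defaults.DataDir
	cfg.Console = os.Stdout
	cfg.CipherSuites = utils.DefaultCipherSuites()
	cfg.Ciphers = sc.Ciphers
	cfg.KEXAlgorithms = kex
	cfg.MACAlgorithms = macs

	// Auth service defaults. DataDir must already be set above: the backend
	// path and the license file path are derived from it.
	cfg.Auth.Enabled = true
	cfg.Auth.SSHAddr = *defaults.AuthListenAddr()
	cfg.Auth.StorageConfig.Type = lite.GetName()
	cfg.Auth.StorageConfig.Params = backend.Params{defaults.BackendPath: filepath.Join(cfg.DataDir, defaults.BackendDir)}
	cfg.Auth.StaticTokens = services.DefaultStaticTokens()
	cfg.Auth.ClusterConfig = services.DefaultClusterConfig()
	defaults.ConfigureLimiter(&cfg.Auth.Limiter)
	// Set new style default auth preferences. CheckAndSetDefaults fills in
	// the defaults on the empty preference; its error is logged rather than
	// discarded so a broken default does not go unnoticed. The preference is
	// still assigned so the resulting config matches the previous behavior.
	ap := &services.AuthPreferenceV2{}
	if err := ap.CheckAndSetDefaults(); err != nil {
		log.Errorf("Failed to set default auth preferences: %v.", err)
	}
	cfg.Auth.Preference = ap
	cfg.Auth.LicenseFile = filepath.Join(cfg.DataDir, defaults.LicenseFile)

	// Proxy service defaults.
	cfg.Proxy.Enabled = true
	cfg.Proxy.SSHAddr = *defaults.ProxyListenAddr()
	cfg.Proxy.WebAddr = *defaults.ProxyWebListenAddr()
	cfg.Proxy.ReverseTunnelListenAddr = *defaults.ReverseTunnelListenAddr()
	defaults.ConfigureLimiter(&cfg.Proxy.Limiter)

	// Kubernetes proxy service defaults.
	cfg.Proxy.Kube.Enabled = false
	cfg.Proxy.Kube.ListenAddr = *defaults.KubeProxyListenAddr()

	// SSH service defaults. PAM and BPF are allocated but disabled so callers
	// can rely on the pointers being non-nil.
	cfg.SSH.Enabled = true
	cfg.SSH.Shell = defaults.DefaultShell
	defaults.ConfigureLimiter(&cfg.SSH.Limiter)
	cfg.SSH.PAM = &pam.Config{Enabled: false}
	cfg.SSH.BPF = &bpf.Config{Enabled: false}
}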
// ApplyFIPSDefaults updates default configuration to be FedRAMP/FIPS 140-2
// compliant. It expects cfg.Auth.ClusterConfig to be populated (as done by
// ApplyDefaults), since it updates that cluster configuration in place.
func ApplyFIPSDefaults(cfg *Config) {
	// Cluster-level settings. Only SSO based authentication is supported in
	// FIPS mode: the SSO provider is where any FedRAMP/FIPS 140-2 compliance
	// (like password complexity) should be enforced.
	clusterConfig := cfg.Auth.ClusterConfig
	clusterConfig.SetLocalAuth(false)
	// Record sessions at the node, this way the entire cluster is
	// FedRAMP/FIPS 140-2 compliant.
	clusterConfig.SetSessionRecording(services.RecordAtNode)

	// Swap the TLS and SSH cryptographic primitives for the FIPS sets.
	cfg.CipherSuites = defaults.FIPSCipherSuites
	cfg.Ciphers = defaults.FIPSCiphers
	cfg.KEXAlgorithms = defaults.FIPSKEXAlgorithms
	cfg.MACAlgorithms = defaults.FIPSMACAlgorithms

	// Record that FIPS mode was requested.
	cfg.FIPS = true
}