package teleport
import (
"strings"
"time"
)
// WebAPIVersion is the current web API version.
const WebAPIVersion = "v1"
// ForeverTTL (a zero duration) means that the object's TTL will not expire
// unless the object is deleted.
const ForeverTTL time.Duration = 0
const (
	// SSHAuthSock is the environment variable pointing to the
	// Unix socket the SSH agent is running on.
	SSHAuthSock = "SSH_AUTH_SOCK"

	// SSHAgentPID is the environment variable pointing to the agent
	// process ID.
	SSHAgentPID = "SSH_AGENT_PID"

	// SSHTeleportUser is the current Teleport user that is logged in.
	SSHTeleportUser = "SSH_TELEPORT_USER"

	// SSHSessionWebproxyAddr is the address of the web proxy.
	SSHSessionWebproxyAddr = "SSH_SESSION_WEBPROXY_ADDR"

	// SSHTeleportClusterName is the name of the cluster this node belongs to.
	SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME"

	// SSHTeleportHostUUID is the UUID of the host.
	SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID"

	// SSHSessionID is the UUID of the current session.
	SSHSessionID = "SSH_SESSION_ID"
)
const (
	// HTTPSProxy is an environment variable pointing to an HTTPS proxy.
	HTTPSProxy = "HTTPS_PROXY"

	// HTTPProxy is an environment variable pointing to an HTTP proxy.
	HTTPProxy = "HTTP_PROXY"
)
const (
	// TOTPValidityPeriod is the number of seconds a TOTP token is valid.
	TOTPValidityPeriod uint = 30

	// TOTPSkew adds that many periods before and after to the validity window.
	// With a skew of 1 the previous, current and next periods are all accepted,
	// i.e. a token is honoured for up to 3*TOTPValidityPeriod seconds.
	TOTPSkew uint = 1
)
const (
	// ComponentAuthority is a TLS and an SSH certificate authority.
	ComponentAuthority = "ca"

	// ComponentProcess is the main control process.
	ComponentProcess = "proc"

	// ComponentReverseTunnelServer is the reverse tunnel server
	// that, together with the agent, establishes a bi-directional SSH reverse
	// tunnel to bypass firewall restrictions.
	ComponentReverseTunnelServer = "proxy:server"

	// ComponentReverseTunnelAgent is the reverse tunnel agent
	// that, together with the server, establishes a bi-directional SSH reverse
	// tunnel to bypass firewall restrictions.
	ComponentReverseTunnelAgent = "proxy:agent"

	// ComponentKube is the Kubernetes proxy.
	ComponentKube = "proxy:kube"

	// ComponentAuth is the cluster CA node (auth server API).
	ComponentAuth = "auth"

	// ComponentNode is an SSH node (SSH server serving requests).
	ComponentNode = "node"

	// ComponentForwardingNode is a forwarding SSH node.
	ComponentForwardingNode = "node:forward"

	// ComponentProxy is the SSH proxy (SSH server forwarding connections).
	ComponentProxy = "proxy"

	// ComponentDiagnostic is the diagnostic service.
	ComponentDiagnostic = "diag"

	// ComponentClient is a client.
	ComponentClient = "client"

	// ComponentTunClient is a tunnel client.
	ComponentTunClient = "client:tunnel"

	// ComponentCachingClient is a caching auth client.
	ComponentCachingClient = "client:cache"

	// ComponentSubsystemProxy is the proxy subsystem.
	ComponentSubsystemProxy = "subsystem:proxy"

	// ComponentLocalTerm is a terminal on a regular SSH node.
	ComponentLocalTerm = "term:local"

	// ComponentRemoteTerm is a terminal on a forwarding SSH node.
	ComponentRemoteTerm = "term:remote"

	// ComponentRemoteSubsystem is a subsystem on a forwarding SSH node.
	ComponentRemoteSubsystem = "subsystem:remote"

	// ComponentAuditLog is the audit log component.
	ComponentAuditLog = "audit"

	// ComponentKeyAgent is an agent that has loaded the session keys and
	// certificates for a user connected to a proxy.
	ComponentKeyAgent = "keyagent"

	// ComponentKeyStore is all session keys and certificates a user has on disk
	// for all proxies.
	ComponentKeyStore = "keystore"

	// ComponentConnectProxy is the HTTP CONNECT proxy used to tunnel connections.
	ComponentConnectProxy = "http:proxy"

	// ComponentKeyGen is the public/private keypair generator.
	ComponentKeyGen = "keygen"

	// ComponentSession is an active session.
	ComponentSession = "session"

	// ComponentDynamoDB represents DynamoDB clients.
	ComponentDynamoDB = "dynamodb"

	// ComponentPAM is the pluggable authentication module (PAM) component.
	ComponentPAM = "pam"

	// ComponentUpload is a session recording upload server.
	ComponentUpload = "upload"

	// DebugEnvVar tells tests to use verbose debug output.
	DebugEnvVar = "DEBUG"

	// VerboseLogsEnvVar forces all logs to be verbose (down to DEBUG level).
	VerboseLogsEnvVar = "TELEPORT_DEBUG"

	// DefaultTerminalWidth defines the default width of a server-side allocated
	// pseudo TTY.
	DefaultTerminalWidth = 80

	// DefaultTerminalHeight defines the default height of a server-side allocated
	// pseudo TTY.
	DefaultTerminalHeight = 25

	// SafeTerminalType is the TTY type to fall back to when $TERM is not
	// defined.
	SafeTerminalType = "xterm"

	// ConnectorOIDC means connector type OIDC.
	ConnectorOIDC = "oidc"

	// ConnectorSAML means connector type SAML.
	ConnectorSAML = "saml"

	// ConnectorGithub means connector type Github.
	ConnectorGithub = "github"

	// DataDirParameterName is the name of the data dir configuration parameter passed
	// to all backends during initialization.
	DataDirParameterName = "data_dir"

	// KeepAliveReqType is the SSH request type used to keep the connection alive.
	// A client and a server keep pinging each other with it.
	KeepAliveReqType = "keepalive@openssh.com"

	// RecordingProxyReqType is the name of a global request which returns whether
	// the proxy is recording sessions or not.
	RecordingProxyReqType = "recording-proxy@teleport.com"

	// OTP means One-time Password Algorithm for Two-Factor Authentication.
	OTP = "otp"

	// TOTP means Time-based One-time Password Algorithm for Two-Factor Authentication.
	TOTP = "totp"

	// HOTP means HMAC-based One-time Password Algorithm for Two-Factor Authentication.
	HOTP = "hotp"

	// U2F means Universal 2nd Factor for Two-Factor Authentication.
	U2F = "u2f"

	// OFF means no second factor for Two-Factor Authentication.
	// It shares its value with the generic mode switch Off below.
	OFF = "off"

	// Local means authentication will happen locally within the Teleport cluster.
	Local = "local"

	// OIDC means authentication will happen remotely using an OIDC connector.
	OIDC = ConnectorOIDC

	// SAML means authentication will happen remotely using a SAML connector.
	SAML = ConnectorSAML

	// Github means authentication will happen remotely using a Github connector.
	Github = ConnectorGithub

	// JSON means JSON serialization format.
	JSON = "json"

	// LinuxAdminGID is the ID of the standard adm group on linux.
	LinuxAdminGID = 4

	// LinuxOS is the name of the linux OS.
	LinuxOS = "linux"

	// DirMaskSharedGroup is the mask for a directory accessible
	// by the owner and group (no access for others).
	DirMaskSharedGroup = 0770

	// FileMaskOwnerOnly is the file mask that allows read/write access
	// to the owner only.
	FileMaskOwnerOnly = 0600

	// On means mode is on.
	On = "on"

	// Off means mode is off.
	Off = "off"

	// SchemeS3 is the S3 file scheme; it means upload to or download from
	// S3-like object storage.
	SchemeS3 = "s3"

	// SchemeFile is a local disk file storage.
	SchemeFile = "file"

	// LogsDir is the log subdirectory for events and logs.
	LogsDir = "log"

	// Syslog is a mode for syslog logging.
	Syslog = "syslog"

	// HumanDateFormat is a human-readable date format.
	HumanDateFormat = "Jan _2 15:04 UTC"

	// HumanDateFormatSeconds is a human-readable date format with seconds.
	HumanDateFormatSeconds = "Jan _2 15:04:05 UTC"

	// HumanDateFormatMilli is a human-readable date format with milliseconds.
	HumanDateFormatMilli = "Jan _2 15:04:05.000 UTC"
)
// Component generates "component:subcomponent1:subcomponent2" strings used
// in debugging. The parts are joined with ":"; with no parts it returns the
// empty string.
func Component(components ...string) string {
	var b strings.Builder
	for i, part := range components {
		if i > 0 {
			b.WriteByte(':')
		}
		b.WriteString(part)
	}
	return b.String()
}
const (
	// AuthorizedKeys are public keys that are checked against User CAs.
	AuthorizedKeys = "authorized_keys"
	// KnownHosts are public keys that are checked against Host CAs.
	KnownHosts = "known_hosts"
)
const (
	// CertExtensionPermitAgentForwarding is the certificate extension that
	// allows agent forwarding for the certificate.
	CertExtensionPermitAgentForwarding = "permit-agent-forwarding"
	// CertExtensionPermitPTY is the certificate extension that allows the
	// user to request a PTY.
	CertExtensionPermitPTY = "permit-pty"
	// CertExtensionPermitPortForwarding is the certificate extension that
	// allows the user to request port forwarding.
	CertExtensionPermitPortForwarding = "permit-port-forwarding"
	// CertExtensionTeleportRoles is used to propagate teleport roles.
	CertExtensionTeleportRoles = "teleport-roles"
)
const (
	// NetIQ is an identity provider.
	NetIQ = "netiq"
	// ADFS is Microsoft Active Directory Federation Services.
	ADFS = "adfs"
)
const (
	// RemoteCommandSuccess is returned when a command has successfully executed.
	RemoteCommandSuccess = 0
	// RemoteCommandFailure is returned when a command has failed to execute and
	// we don't have another status code for it.
	RemoteCommandFailure = 255
)
// MaxEnvironmentFileLines is the maximum number of lines in an environment file.
const MaxEnvironmentFileLines = 1000
const (
	// CertificateFormatOldSSH is used to make Teleport interoperate with older
	// versions of OpenSSH.
	CertificateFormatOldSSH = "oldssh"

	// CertificateFormatStandard is used for normal Teleport operation without any
	// compatibility modes.
	CertificateFormatStandard = "standard"

	// CertificateFormatUnspecified is used to check if the format was specified
	// or not.
	CertificateFormatUnspecified = ""
)
const (
	// TraitInternalPrefix is the role variable prefix that indicates it's for
	// local accounts.
	TraitInternalPrefix = "internal"

	// TraitLogins is the name of the role variable used to store
	// allowed logins.
	TraitLogins = "logins"

	// TraitInternalRoleVariable is the role variable used to store allowed
	// logins for local accounts.
	TraitInternalRoleVariable = "{{internal.logins}}"
)
// SCP is Secure Copy.
const SCP = "scp"
// Root is the *nix system administrator account name.
const Root = "root"
// AdminRoleName is the name of the default admin role for all local users if
// another role is not explicitly assigned (Enterprise only).
const AdminRoleName = "admin"
// DefaultImplicitRole is the implicit role that gets added to all service.RoleSet
// objects.
const DefaultImplicitRole = "default-implicit-role"
// APIDomain is the default domain name for the Auth server API.
const APIDomain = "teleport.cluster.local"
const (
	// RemoteClusterStatusOffline indicates that the cluster is considered
	// offline, since it has missed a series of heartbeats.
	RemoteClusterStatusOffline = "offline"
	// RemoteClusterStatusOnline indicates that the cluster is sending heartbeats
	// at the expected interval.
	RemoteClusterStatusOnline = "online"
)
const (
	// SharedDirMode is a mode for a directory shared with the group
	// (owner read/write/execute, group read/execute, no access for others).
	SharedDirMode = 0750

	// PrivateDirMode is a mode for private directories (owner access only).
	PrivateDirMode = 0700
)
const (
	// SessionEvent is sent by servers to clients when an audit event occurs on
	// the session.
	SessionEvent = "x-teleport-event"
)
const (
	// EnvKubeConfig is the environment variable for kubeconfig.
	EnvKubeConfig = "KUBECONFIG"

	// KubeConfigDir is the default directory where k8s stores its user-local config.
	KubeConfigDir = ".kube"

	// KubeConfigFile is the default filename where k8s stores its user-local config.
	KubeConfigFile = "config"

	// EnvHome is the home environment variable.
	EnvHome = "HOME"

	// KubeServiceAddr is the address of the Kubernetes endpoint service.
	KubeServiceAddr = "kubernetes.default.svc.cluster.local:443"

	// KubeCAPath is the hard-coded path of the CA certificate mounted inside
	// every Kubernetes pod.
	KubeCAPath = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

	// KubeKindCSR is the Kubernetes kind for certificate signing requests.
	KubeKindCSR = "CertificateSigningRequest"

	// KubeMetadataNameSelector is a selector for name metadata in API requests.
	KubeMetadataNameSelector = "metadata.name"
)