Improved behaviour of --insecure flag
`tsh` would sometimes ignore the --insecure flag. To reproduce: copy `/var/lib/teleport` from machine A to machine B, start Teleport on B, then try to connect with `tsh --proxy=localhost --insecure`. The connection fails because tsh tries to use the local key pool (on machine B), which is not the same as the one on A. Instead, --insecure should ignore the local keys and simply skip certificate validation errors.
This commit is contained in:
parent
3ce3597415
commit
316f5f9003
2
Makefile
2
Makefile
|
@ -26,7 +26,7 @@ $(eval BUILDFLAGS := $(ADDFLAGS) -ldflags '-w -s')
|
|||
#
|
||||
.PHONY: all
|
||||
all: setver teleport tctl tsh assets
|
||||
sudo killall teleport
|
||||
#sudo killall teleport
|
||||
cp -f build.assets/release.mk $(BUILDDIR)/Makefile
|
||||
|
||||
.PHONY: tctl
|
||||
|
|
|
@ -241,7 +241,7 @@ func SSHAgentU2FLogin(proxyAddr, user, password string, pubKey []byte, ttl time.
|
|||
|
||||
// The origin URL is passed back base64-encoded and the keyHandle is passed back as is.
|
||||
// A very long proxy hostname or keyHandle can overflow a fixed-size buffer.
|
||||
signResponseLen := 500 + len(u2fSignRequest.Bytes()) + len(proxyAddr) * 4 / 3
|
||||
signResponseLen := 500 + len(u2fSignRequest.Bytes()) + len(proxyAddr)*4/3
|
||||
signResponseBuf := make([]byte, signResponseLen)
|
||||
signResponseLen, err = io.ReadFull(stdout, signResponseBuf)
|
||||
// unexpected EOF means we have read the data completely.
|
||||
|
@ -288,7 +288,11 @@ func SSHAgentU2FLogin(proxyAddr, user, password string, pubKey []byte, ttl time.
|
|||
return out, nil
|
||||
}
|
||||
|
||||
// initClient creates and initializes HTTPS client for talking to teleport proxy HTTPS
|
||||
// endpoint.
|
||||
func initClient(proxyAddr string, insecure bool, pool *x509.CertPool) (*webClient, *url.URL, error) {
|
||||
log.Debugf("HTTPS client init(insecure=%v)", insecure)
|
||||
|
||||
// validate proxyAddr:
|
||||
host, port, err := net.SplitHostPort(proxyAddr)
|
||||
if err != nil || host == "" || port == "" {
|
||||
|
@ -305,13 +309,13 @@ func initClient(proxyAddr string, insecure bool, pool *x509.CertPool) (*webClien
|
|||
|
||||
var opts []roundtrip.ClientParam
|
||||
|
||||
if pool != nil {
|
||||
// use custom set of trusted CAs
|
||||
opts = append(opts, roundtrip.HTTPClient(newClientWithPool(pool)))
|
||||
} else if insecure {
|
||||
if insecure {
|
||||
// skip https cert verification, oh no!
|
||||
fmt.Printf("WARNING: You are using insecure connection to SSH proxy %v\n", proxyAddr)
|
||||
opts = append(opts, roundtrip.HTTPClient(newInsecureClient()))
|
||||
} else if pool != nil {
|
||||
// use custom set of trusted CAs
|
||||
opts = append(opts, roundtrip.HTTPClient(newClientWithPool(pool)))
|
||||
}
|
||||
|
||||
clt, err := newWebClient(proxyAddr, opts...)
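Review bot: With `if insecure {` now evaluated before `} else if pool != nil {`, a caller-supplied CA pool is silently discarded whenever `--insecure` is set, and the warning on the `fmt.Printf` line does not say so; it also goes to stdout, where scripts consuming tsh output will ingest it. I would route it to stderr and state what is being bypassed, e.g. `fmt.Fprintf(os.Stderr, "WARNING: You are using insecure connection to SSH proxy %v (certificate verification disabled, configured CA pool ignored)\n", proxyAddr)`, assuming `os` is already imported, which this hunk does not show. The body of `newInsecureClient()` is not visible here, so I am inferring that it disables chain and hostname verification; if it instead only widens the trust set, the warning text should match what it actually does. initClient continues past the end of this hunk.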
|
||||
|
|