Improved behaviour of --insecure flag

`tsh` would sometimes ignore --insecure flag. To reproduce:

- copy `/var/lib/teleport` from machine A to machine B
- start Teleport on B

Try to connect with `tsh --proxy=localhost --insecure`. It will fail
because it tries to use the local certificate pool (on machine B), which
is not the same as on A. Instead, --insecure should ignore local keys and
simply skip certificate validation.
Ev Kontsevoy 2016-12-18 13:30:54 -08:00
parent 3ce3597415
commit 316f5f9003
2 changed files with 10 additions and 6 deletions


@ -26,7 +26,7 @@ $(eval BUILDFLAGS := $(ADDFLAGS) -ldflags '-w -s')
#
.PHONY: all
all: setver teleport tctl tsh assets
sudo killall teleport
#sudo killall teleport
cp -f build.assets/release.mk $(BUILDDIR)/Makefile
.PHONY: tctl
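Review bot: The `#sudo killall teleport` line leaves dead, commented-out recipe text in the `all` target with no hint of why it was disabled or whether it will come back. Either drop the line entirely or replace it with a reason, e.g. `# killall removed: building should not stop a running teleport on the dev box`. As written, the next maintainer cannot tell if uncommenting it is safe.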


@ -241,7 +241,7 @@ func SSHAgentU2FLogin(proxyAddr, user, password string, pubKey []byte, ttl time.
// The origin URL is passed back base64-encoded and the keyHandle is passed back as is.
// A very long proxy hostname or keyHandle can overflow a fixed-size buffer.
signResponseLen := 500 + len(u2fSignRequest.Bytes()) + len(proxyAddr) * 4 / 3
signResponseLen := 500 + len(u2fSignRequest.Bytes()) + len(proxyAddr)*4/3
signResponseBuf := make([]byte, signResponseLen)
signResponseLen, err = io.ReadFull(stdout, signResponseBuf)
// unexpected EOF means we have read the data completely.
@ -288,7 +288,11 @@ func SSHAgentU2FLogin(proxyAddr, user, password string, pubKey []byte, ttl time.
return out, nil
}
// initClient creates and initializes HTTPS client for talking to teleport proxy HTTPS
// endpoint.
func initClient(proxyAddr string, insecure bool, pool *x509.CertPool) (*webClient, *url.URL, error) {
log.Debugf("HTTPS client init(insecure=%v)", insecure)
// validate proxyAddr:
host, port, err := net.SplitHostPort(proxyAddr)
if err != nil || host == "" || port == "" {
@ -305,13 +309,13 @@ func initClient(proxyAddr string, insecure bool, pool *x509.CertPool) (*webClien
var opts []roundtrip.ClientParam
if pool != nil {
// use custom set of trusted CAs
opts = append(opts, roundtrip.HTTPClient(newClientWithPool(pool)))
} else if insecure {
if insecure {
// skip https cert verification, oh no!
fmt.Printf("WARNING: You are using insecure connection to SSH proxy %v\n", proxyAddr)
opts = append(opts, roundtrip.HTTPClient(newInsecureClient()))
} else if pool != nil {
// use custom set of trusted CAs
opts = append(opts, roundtrip.HTTPClient(newClientWithPool(pool)))
}
clt, err := newWebClient(proxyAddr, opts...)
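Review bot: With the reordering in the last hunk, `insecure` now takes precedence over a supplied `pool`, so any caller that passes a CA pool and also sets insecure gets no server-certificate verification at all; that is what the commit intends for tsh, but the doc comment above the signature does not say so, and it is a sharp edge for other callers of initClient. I would extend that comment with `// When insecure is true, server certificate verification is disabled entirely and pool is ignored.` The warning on the `fmt.Printf` line goes to stdout, where it mixes with whatever tsh output a script may be capturing; `fmt.Fprintf(os.Stderr, "WARNING: You are using insecure connection to SSH proxy %v\n", proxyAddr)` keeps it visible without polluting output (assuming `os` is already imported in this file, which is not visible here). initClient continues past the end of the hunk.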