Forbids use of --insecure in FIPS mode (#6191)
Forbids the use of the `--insecure` mode when FIPS mode is enabled in teleport. Disables the `--insecure` tsh command line option when built with FIPS support. See-Also: #5073
This commit is contained in:
parent
84a7230e6e
commit
4284fc3586
|
@ -19,7 +19,9 @@ limitations under the License.
|
|||
package modules
|
||||
|
||||
import (
|
||||
"crypto/sha256"
|
||||
"fmt"
|
||||
"reflect"
|
||||
"runtime"
|
||||
"sync"
|
||||
|
||||
|
@ -116,9 +118,12 @@ func (p *defaultModules) Features() Features {
|
|||
}
|
||||
}
|
||||
|
||||
// IsBoringBinary checks if the binary was compiled with BoringCrypto.
|
||||
func (p *defaultModules) IsBoringBinary() bool {
|
||||
return false
|
||||
// Check the package name for one of the boring primitives, if the package
|
||||
// path is from BoringCrypto, we know this binary was compiled against the
|
||||
// dev.boringcrypto branch of Go.
|
||||
hash := sha256.New()
|
||||
return reflect.TypeOf(hash).Elem().PkgPath() == "crypto/internal/boring"
|
||||
}
|
||||
|
||||
var (
|
||||
|
|
|
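Review bot: The detection in IsBoringBinary keys on the unexported package path "crypto/internal/boring" of the dynamic type behind sha256.New(), and a false negative here fails open — the tsh hunk later in this commit registers --insecure whenever IsBoringBinary() returns false — so the coupling deserves a comment and the answer should be computed once rather than allocating a hash on every call. Suggest adding above the function: `// Relies on the BoringCrypto fork placing its hash implementations under crypto/internal/boring; if a toolchain moves that path this returns false and callers that gate on it (tsh --insecure) silently fall back to non-FIPS behaviour.` The result could be cached in a package-level var or via sync.Once, since "sync" is already imported in this package per the first hunk. The closing braces at the top of this hunk belong to Features(), which begins outside it.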
@ -189,8 +189,12 @@ func Run(options Options) (executedCommand string, conf *service.Config) {
|
|||
// Create default configuration.
|
||||
conf = service.MakeDefaultConfig()
|
||||
|
||||
// If FIPS mode is specified update defaults to be FIPS appropriate.
|
||||
// If FIPS mode is specified update defaults to be FIPS appropriate and
|
||||
// cross-validate the current config.
|
||||
if ccf.FIPS {
|
||||
if ccf.InsecureMode {
|
||||
utils.FatalError(trace.BadParameter("--insecure not allowed in FIPS mode"))
|
||||
}
|
||||
service.ApplyFIPSDefaults(conf)
|
||||
}
|
||||
|
||||
|
|
|
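Review bot: This guard keys on the `--fips` flag (`ccf.FIPS`), whereas the tsh guard in the same commit keys on `modules.GetModules().IsBoringBinary()`, so a BoringCrypto build of teleport started without `--fips` still accepts `--insecure` here unless something outside this hunk forces FIPS mode for such binaries — worth confirming. If nothing does, consider rejecting `--insecure` on the same predicate tsh uses, e.g. a sibling check `if ccf.InsecureMode && modules.GetModules().IsBoringBinary() { utils.FatalError(trace.BadParameter("--insecure not allowed in FIPS mode")) }` (assuming `modules` is importable from this package), or at least extend the comment to say the check is flag-driven only. `utils.FatalError` is presumably terminating; if it only logs, `service.ApplyFIPSDefaults(conf)` and the rest of Run would proceed with insecure mode still set. Run begins outside this hunk.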
@ -49,6 +49,7 @@ import (
|
|||
"github.com/gravitational/teleport/lib/defaults"
|
||||
"github.com/gravitational/teleport/lib/events"
|
||||
"github.com/gravitational/teleport/lib/kube/kubeconfig"
|
||||
"github.com/gravitational/teleport/lib/modules"
|
||||
"github.com/gravitational/teleport/lib/services"
|
||||
"github.com/gravitational/teleport/lib/session"
|
||||
"github.com/gravitational/teleport/lib/sshutils"
|
||||
|
@ -284,6 +285,8 @@ func Run(args []string, opts ...cliOption) error {
|
|||
var cf CLIConf
|
||||
utils.InitLogger(utils.LoggingForCLI, logrus.WarnLevel)
|
||||
|
||||
moduleCfg := modules.GetModules()
|
||||
|
||||
// configure CLI argument parser:
|
||||
app := utils.InitCLIParser("tsh", "TSH: Teleport Authentication Gateway Client").Interspersed(false)
|
||||
app.Flag("login", "Remote host login").Short('l').Envar(loginEnvVar).StringVar(&cf.NodeLogin)
|
||||
|
@ -299,7 +302,14 @@ func Run(args []string, opts ...cliOption) error {
|
|||
app.Flag("identity", "Identity file").Short('i').StringVar(&cf.IdentityFileIn)
|
||||
app.Flag("compat", "OpenSSH compatibility flag").Hidden().StringVar(&cf.Compatibility)
|
||||
app.Flag("cert-format", "SSH certificate format").StringVar(&cf.CertificateFormat)
|
||||
app.Flag("insecure", "Do not verify server's certificate and host name. Use only in test environments").Default("false").BoolVar(&cf.InsecureSkipVerify)
|
||||
|
||||
if !moduleCfg.IsBoringBinary() {
|
||||
// The user is *never* allowed to do this in FIPS mode.
|
||||
app.Flag("insecure", "Do not verify server's certificate and host name. Use only in test environments").
|
||||
Default("false").
|
||||
BoolVar(&cf.InsecureSkipVerify)
|
||||
}
|
||||
|
||||
app.Flag("auth", "Specify the type of authentication connector to use.").Envar(authEnvVar).StringVar(&cf.AuthConnector)
|
||||
app.Flag("namespace", "Namespace of the cluster").Default(defaults.Namespace).Hidden().StringVar(&cf.Namespace)
|
||||
app.Flag("gops", "Start gops endpoint on a given address").Hidden().BoolVar(&cf.Gops)
|
||||
|
|
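Review bot: Because the flag is simply not registered in a BoringCrypto build, a user who passes `--insecure` gets the parser's generic unknown-flag error rather than an explanation, and the `--insecure not allowed in FIPS mode` wording this commit gives the teleport binary is not mirrored in tsh. Registering the flag unconditionally but `.Hidden()` in that case and rejecting it after parsing with the same message would keep the fail-closed default (cf.InsecureSkipVerify stays false) while giving a clear diagnostic: `if cf.InsecureSkipVerify && moduleCfg.IsBoringBinary() { return trace.BadParameter("--insecure not allowed in FIPS mode") }` placed after the parse call, which is outside this hunk. Whether cf.InsecureSkipVerify can also be set from a source other than this flag (profile, environment) is not visible here and should be checked, since dropping the flag does not guard such paths. Run begins outside this hunk.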