Merge pull request #9 from gravitational/alexander/token

better workflow and fixes for auth tokens

Makefile

@@ -54,24 +54,25 @@ cover-package-with-etcd: remove-temp-files
 
 run-auth:
 	go install github.com/gravitational/teleport/teleport
+	rm -f /tmp/teleport.auth.sock
 	teleport -auth\
              -authBackend=etcd\
              -authBackendConfig='{"nodes": ["${ETCD_NODE1}"], "key": "/teleport"}'\
              -authDomain=gravitational.io\
-             -authHTTPAddr=tcp://localhost:8080\
              -log=console\
              -logSeverity=INFO\
              -dataDir=/tmp\
              -fqdn=auth.gravitational.io
 run-ssh:
 	go install github.com/gravitational/teleport/teleport
+	tctl token generate --output=/tmp/token -fqdn=node1.gravitational.io
 	teleport -ssh\
              -log=console\
              -logSeverity=INFO\
              -dataDir=/tmp\
              -fqdn=node1.gravitational.io\
-             -authServer=tcp://auth.gravitational.io:33001\
-             -sshToken=token
+             -sshToken=/tmp/token\
+             -authServer=tcp://auth.gravitational.io:33000
 
 run-cp: install-assets
 	go install github.com/gravitational/teleport/teleport
@@ -81,7 +82,7 @@ run-cp: install-assets
              -logSeverity=INFO\
              -dataDir=/tmp\
              -fqdn=node2.gravitational.io\
-             -authServer=tcp://auth.gravitational.io:33001
+             -authServer=tcp://auth.gravitational.io:33000
 
 profile:
 	go tool pprof http://localhost:6060/debug/pprof/profile

auth/register.go

@@ -5,6 +5,8 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"io/ioutil"
+	"strings"
 
 	"github.com/gravitational/teleport/utils"
 
@@ -12,7 +14,11 @@ import (
 )
 
 func Register(fqdn, dataDir, token string, servers []utils.NetAddr) error {
-	method, err := NewTokenAuth(fqdn, token)
+	tok, err := readToken(token)
+	if err != nil {
+		return err
+	}
+	method, err := NewTokenAuth(fqdn, tok)
 	if err != nil {
 		return err
 	}
@@ -43,6 +49,18 @@ func Register(fqdn, dataDir, token string, servers []utils.NetAddr) error {
 	return writeKeys(fqdn, dataDir, keys.Key, keys.Cert)
 }
 
+func readToken(token string) (string, error) {
+	if !strings.HasPrefix(token, "/") {
+		return token, nil
+	}
+	// treat it as a file
+	out, err := ioutil.ReadFile(token)
+	if err != nil {
+		return "", nil
+	}
+	return string(out), nil
+}
+
 type PackedKeys struct {
 	Key  []byte `json:"key"`
 	Cert []byte `json:"cert"`

auth/tun.go

@@ -334,7 +334,9 @@ func (s *TunServer) passwordAuth(
 		return perms, nil
 	case "provision-token":
 		if err := s.a.ValidateToken(string(ab.Pass), ab.User); err != nil {
-			log.Errorf("%v token validation error: %v", ab.User, err)
+			err := fmt.Errorf("%v token validation error: %v", ab.User, err)
+			log.Errorf("%v", err)
+			return nil, err
 		}
 		perms := &ssh.Permissions{
 			Extensions: map[string]string{

service/service.go

@@ -181,7 +181,7 @@ func initSSHEndpoint(t *TeleportService, cfg Config) error {
 
 func initSSHRegister(t *TeleportService, cfg Config) error {
 	t.RegisterFunc(func() error {
-		log.Infof("teleport:ssh connecting to auth servers")
+		log.Infof("teleport:ssh connecting to auth servers %v", cfg.SSH.Token)
 		if err := auth.Register(
 			cfg.FQDN, cfg.DataDir, cfg.SSH.Token, cfg.AuthServers); err != nil {
 			log.Errorf("teleport:ssh register failed: %v", err)

tctl/command/token.go

@@ -2,6 +2,7 @@ package command
 
 import (
 	"fmt"
+	"io/ioutil"
 	"time"
 
 	"github.com/gravitational/teleport/Godeps/_workspace/src/github.com/codegangsta/cli"
@@ -18,6 +19,7 @@ func newTokenCommand(c *Command) cli.Command {
 				Flags: []cli.Flag{
 					cli.StringFlag{Name: "fqdn", Usage: "FQDN of the server"},
 					cli.DurationFlag{Name: "ttl", Value: 120 * time.Second, Usage: "TTL"},
+					cli.StringFlag{Name: "output", Usage: "Optional output file"},
 				},
 				Action: c.generateToken,
 			},
@@ -26,11 +28,17 @@ func newTokenCommand(c *Command) cli.Command {
 }
 
 func (cmd *Command) generateToken(c *cli.Context) {
-	token, err := cmd.client.GenerateToken(
-		c.String("fqdn"), c.Duration("ttl"))
+	token, err := cmd.client.GenerateToken(c.String("fqdn"), c.Duration("ttl"))
 	if err != nil {
 		cmd.printError(err)
 		return
 	}
-	fmt.Fprintf(cmd.out, token)
+	if c.String("output") == "" {
+		fmt.Fprintf(cmd.out, token)
+		return
+	}
+	err = ioutil.WriteFile(c.String("output"), []byte(token), 0644)
+	if err != nil {
+		cmd.printError(err)
+	}
 }

teleport/main.go

@@ -40,7 +40,7 @@ func main() {
 		utils.NewNetAddrVal(
 			utils.NetAddr{
 				Network: "tcp",
-				Addr:    "localhost:33000",
+				Addr:    "localhost:33001",
 			}, &cfg.SSH.Addr),
 		"sshAddr", "SSH endpoint listening address")
 
@@ -72,7 +72,7 @@ func main() {
 		utils.NewNetAddrVal(
 			utils.NetAddr{
 				Network: "tcp",
-				Addr:    "localhost:33001",
+				Addr:    "localhost:33000",
 			}, &cfg.Auth.SSHAddr),
 		"authSSHAddr", "Auth Server SSH tunnel API listening address")
 
@@ -92,7 +92,7 @@ func main() {
 		utils.NewNetAddrVal(
 			utils.NetAddr{
 				Network: "tcp",
-				Addr:    "localhost:33003",
+				Addr:    "localhost:33002",
 			}, &cfg.CP.Addr),
 		"cpAddr", "CP server web listening address")