This commit:
* Improves on the previous commit on better name resolution by the proxy
(and fixes a bug introduced by the previous commit)
* Removes 'host_login' from tsh client profile. Closes #729
This commit adds several improvements to how CLI SSH login works:
- Validated keys are added to the SSH agent [1]
- tsh does not verify host keys twice anymore
- error messages for "access denied" look clean now
[1] This is huge. This means that tsh login can "feed" the keys to the
built-in SSH agents of the OS and OpenSSH can fetch them from there.
QUESTION: why do we even need `tsh agent` option then? ssh-agent is
installed on every Linux/OSX machine.
This is to support Teleconsole/Telecast features, namely:
- When a user is added programmatically, it's actually returned.
- When a server is being created, it will not create users if
they exist already, instead it will just sign their public keys
Teleport configuration now has a new field: NoAudit (false by default,
which means audit is always on).
When this option is set, Teleport will not record events and will not
record sessions.
It's implemented by adding "DiscardLogger" which implements the same
interface as the real logger, and it's plugged into the system instead.
NOTE: this option is not exposed in teleport in any way: no config file,
no switch, etc. I quickly needed it for Telecast.
Teleport YAML config now has a new configuration variable for internal
use by Gravitational:
```yaml
teleport:
  seed_config: true
```
If set to 'true', Teleport treats YAML configuration simply as a seed
configuration on first start.
If set to 'false' (default for OSS version), Teleport will throw away
its back-end config, treating YAML config as the only source of truth.
Specifically, for now, the following settings are thrown away if not
found in YAML:
- trusted authorities
- reverse tunnels
1. data_dir is now a global setting in teleport.yaml (instead of being
inside of "storage" sub-section)
2. changing data_dir in one place causes all of teleport to use it,
not just bolt backends.
3. moving auth server to listen on non-default ports properly adjusts
the global auth_servers setting
4. `tctl` now accepts -c flag just like Teleport, so you can pass
`teleport.yaml` to it.
Fixes #432, Fixes #431, Fixes #430
TunClient always tries to dial the statically configured auth server
first, before trying "discovered" ones.
The rationale is that --auth flag must override whatever dynamic auth
servers have been discovered (because sometimes their IPs are wrong, if
advertise-ip was misconfigured)
Closes #416, Fixes #416
Teleport CA-signed host certificates used to support only one
server role per cert.
This commit adds the ability to store multiple roles in a
certificate, paving the road for multi-role node support in
a near future.
1. Server now always uses UTC timestamps for certificates it issues
2. Client doesn't store cert validBefore time in separate files, it
parses the cert itself.
Fixes#370
- reduced number of goroutines
- reduced number of 'sleep constants', settling on just one:
`defaults.HeartbeatPeriod`
- increased the interval
Fixes#358
...by teleport clients + servers, meaning:
1. Servers do not default to stdout when printing startup messages
2. Clients can use arbitrary input/output instead of stdin/stdout when
doing SSH/join. This helps with integration testing.
- Fixed all tests
- Removed "magic constants" in random places
- Improved 'retry connecting to auth server' logic (it used to always
fail on 1st attempt)