Proposes changing the default behaviour of tsh ssh -A to forward the System Key Agent to the remote machine, rather than the ephemeral Key Agent that runs inside the tsh process. This change would bring the behaviour of tsh ssh into line with the OpenSSH ssh client.
This builds on a proposed solution to #1517 in order to provide an escape hatch that allows legacy behaviour if necessary.
- Preserve login time with WebSession when user first creates a web session to derive "default" expiry when user wants to switch back
- Change the signature of ExtendWebSession to accept a NewWebSessionRequest struct that contains session information
- Create renewSessionRequest object to read from web request for endpoint renewSession
- Endpoint now also returns SessionExpires time that is used as countdown in UI
You can follow
https://developers.google.com/identity/protocols/oauth2/openid-connect
to set up an OIDC provider in GCP, which is distinct from GSuite.
This provider uses the same issuer URL ("https://accounts.google.com")
as GSuite. Our code assumes that if that issuer URL is set, then it must
be GSuite, which is not correct. Only attempt to pull more data from the
GSuite API if `google_service_account_uri` is set.
Support for HSMs for CA key storage.
I mentioned a few design options in the RFD, but wrote the rest of it
based on my preferred option. It's not set in stone, so speak up if you
think the high-level approach is wrong.
Most of the complexity lies in backend storage and CA rotation. Actually
talking to HSMs over PKCS#11 is relatively simple.
* Updated several strings to increase clarity.
* Modified markdown formatting in a couple of places to make code examples easier to parse.
* Updated strings to active voice, if it didn't interfere with clarity or content.
* Update go-client to use new API client with tsh profile loader.
* Apply suggestions from code review
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
* Evaluate watcher events to decide whether keep-alives are effective instead of relying on arbitrary TTLs (implemented as absolute time which adds to trouble).
Fixes https://github.com/gravitational/teleport/issues/5346.
* Replace the approximate expiry timestamp comparisons with ordering tests
* Address review comments. Move ordered keep-alive tests back to backend/test/suite
* Use an alternative implementation of FakeClock.Advance for etcd to use real time.Sleep as etcd server cannot use fakeclock
* Address review comments
* Use fake clock in firestore tests
* Add missing import
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>