This commit introduced mutual TLS authentication
for auth server API server.
Auth server multiplexes HTTP over SSH (the existing
protocol) and HTTP over TLS (the new protocol)
on the same listening socket.
Nodes and users authenticate with 2.5.0 Teleport
using mutual TLS, except in backwards-compatibility
cases.
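One way a single listener can tell the two transports apart is to peek at the first bytes each client sends before handing the connection to the SSH or TLS server. The Go sketch below is an added example, not Teleport's code; `Classify`, `Sniff` and `peekedConn` are hypothetical names, and the sample bytes in `main` are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net"
	"time"
)

type Proto int
const (
	ProtoUnknown Proto = iota // neither signature matched: close the connection
	ProtoSSH
	ProtoTLS
)

// Classify checks the client's first bytes: SSH opens with the identification
// string "SSH-" (RFC 4253); a TLS ClientHello record starts with 0x16 0x03.
func Classify(prefix []byte) Proto {
	switch {
	case bytes.HasPrefix(prefix, []byte("SSH-")):
		return ProtoSSH
	case len(prefix) >= 2 && prefix[0] == 0x16 && prefix[1] == 0x03:
		return ProtoTLS
	}
	return ProtoUnknown
}

// peekedConn replays the sniffed bytes to whichever server takes the connection.
type peekedConn struct {
	net.Conn
	r *bufio.Reader
}

func (c *peekedConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// Sniff peeks 4 bytes without consuming them. The deadline stops a silent
// client from pinning a goroutine before any authentication has happened.
func Sniff(conn net.Conn, wait time.Duration) (net.Conn, Proto, error) {
	conn.SetReadDeadline(time.Now().Add(wait))
	defer conn.SetReadDeadline(time.Time{})
	r := bufio.NewReader(conn)
	prefix, err := r.Peek(4)
	if err != nil {
		return nil, ProtoUnknown, err
	}
	return &peekedConn{Conn: conn, r: r}, Classify(prefix), nil
}

func main() { fmt.Println(Classify([]byte("SSH-2.0-x")), Classify([]byte{0x16, 0x03, 0x01})) }
```

The returned connection must be the one passed to the SSH or TLS handshake, since the underlying socket has already had its first bytes read into the buffer.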
Instead of quietly changing behavior because the `DEBUG` envar was set to
true, Teleport now explicitly requires the scary --insecure flag to enable
this behavior.
I know comments are very lacking right now. Once things are stable I will add
proper comments. Minimal manual testing of the U2F registration API was done
with a hardware U2F key. Some of the code may need to be cleaned up later to
remove excessively long variable names...
Currently we return an error right away if the username/password combo is wrong.
It's difficult to do U2F without revealing either whether a user exists or
whether the password is correct. Returning error immediately reveals whether
the user/password combo is valid, while waiting until we get a signed response
from the U2F device to announce whether the user/pass combo is valid can reveal
which users exist since we need to return a keyHandle in the U2F SignRequest
and generating fake keyHandles for nonexistent users can be difficult to get
right since there is no rigid format for keyHandle.
Teleport CA-signed host certificates used to support only one
server role per cert.
This commit adds the ability to store multiple roles in a
certificate, paving the road for multi-role node support in
the near future.
This commit:
- Makes all Teleport tokens multi-role (a token is associated with a
  list of roles its owner can assume)
- Removes some unused/obsolete features:
  a) "AllowedTokens" config setting which we don't use
  b) "authorities" TCTL command
It does not affect how Teleport works, just preparing the plumbing for
--roles flag for `tctl nodes add`
auth server. This is needed when you configure cluster from scratch and
all nodes including auth server spin up simultaneously.
* Add tctl tools to generate keys and certificates
  + Command "tctl authorities gen" generates public and private keypair.
  + Command "tctl authorities gencert" generates public and private keypair signed
    by existing private key
  + Command "tctl authorities export" was modified to be able to export existing private
    CA keys to local storage
  All of these commands are hidden by default.
section "static configuration"
* Add ability to configure teleport from environment variable
  Environment variable TELEPORT_CONFIG can contain a base64-encoded
  YAML config file of the standard file format, so teleport will use it on start
* Add special secrets section to the config file
Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys
* Add special rts hidden section to add support for provisioning
This commit introduces heartbeats of AuthServers and Proxies and fixes several issues:
1. Server init problem
   There was an issue in server init, where certificates of multiple roles were overwriting each other.
   Now Teleport stores each keypair and certificate in a separate file, `<hostid>.role.key` and `<hostid>.role.cert`.
   This also means that it's backwards incompatible with the previous on-disk format.
2. Proxy and Auth heartbeats
Auth servers and proxies now heartbeat into cluster as well
3. Bugfixes:
* Proxy role was missing, it is now treated as a separate role with permissions
* AdvertiseIP is now a global setting that can be used by all roles
* --advertise-ip flag was ignored and was never applied
* teleport service initialization has been simplified, now each role gets its own client
* minor cleanups