This makes it so that tsh will watch for access request resolution on the
correct (root) cluster, and it will not create access requests before the event
watcher is ready.
Fixes #9003 and #9244.
* add diag to teleport db/app start
* db --cluster flag supports
* add some ut and fix issue where ~/.tsh gets removed during test
* working mongodb
* fix logout
* fix ut
* code review comment
* fix mysql
This new feature in Go 1.17 automatically restores the environment
variable to its previous value when a test ends, making it simpler
to set up the environment for tests and less likely that we accidentally
leave behind global state.
Also convert some of the remaining uses of check to standard Go tests.
* Add RBAC for Windows desktop access
This commit adds RBAC checks for Windows Desktops as described in
RFD 33 and RFD 34:
- add Windows desktop logins & labels to role definition
- introduce new file config for host labels based on a regexp match
- auth server API performs access checking for Windows desktop resources
- add RDP client callback to authorize the user
- support user/role locks
- respect the client idle timeout setting
Note: in cases where a connection is terminated due to RBAC, the web UI
currently displays "websocket connection failed" because the connection
is closed from the server. We'll need to follow up with a nice error
message for the client side to improve the UX here.
Other changes:
* Remove OSS RBAC migration marked for deletion
* Stop creating a default admin role
* add wildcard desktop access to the preset access role
Updates #7761
This is a collection of a few small changes related to user presentation of
WebAuthn/MFA in tsh. The intent is to make tsh language match ongoing Web UI
changes.
* Make use of preferred MFA in `tsh mfa add`
* Tweak prompt error message
Old:
ERROR: "U2F\n" is not a valid option, please specify one of [TOTP, WEBAUTHN]
New:
ERROR: "U2F" is not a valid option, please specify one of [TOTP, WEBAUTHN]
* Directly mention WebAuthn when prompting for challenges
* Fix typo on godoc
* Print devices sorted by name on `tsh mfa ls`
* Address origin validation TODOs
For registration and a few other use cases the original error is relayed
back to the client, so there is already a good indicator that it failed
due to origin woes.
For login we purposefully obfuscate errors. To address that I've added a
few debug-level server-side log statements; it seems best to not make
further changes in this case.
* Amend preferred device type logic
* Adjust PromptMFAChallenge message
Replaces the local device type in AddMFADeviceRequestInit for a global enum.
Useful for future RPCs.
* Add the DeviceType proto to Auth Service
* Generate protos
* Use new DeviceType in implementations
* Add support for `tsh ssh` on Windows
This adds Windows session support to tsh, taking advantage of ANSI
terminal support and VT emulation added in recent versions of Windows
10. On supported Windows versions (Windows 10 1607+), `tsh ssh`
should work as expected in `cmd.exe`, PowerShell, and the new
Windows Terminal app.
* Address a few review comments
* Remove significant chunks of unnecessary tncon code.
Removes the global buffer, `GetVTSeqFromKeyStroke`, and several
ancillary headers and functions that aren't needed for our (current)
use-case. Also removes mouse and focus events.
* Refactor OS-specific terminal handling
This significantly simplifies OS-specific terminal behavior:
* Move OS specific terminal code into a new `terminal` package
* Remove `session_windows.go` in favor of an OS-independent
`session.go`, defer to terminal package for OS specific
functionality.
* Remove ConPTY since it's not needed.
* Always wait for the terminal and ssh session to fully close before
quitting.
* Refactor tncon; ensure the raw reader can be closed and reopened,
remove lots of unnecessary C code.
* Revert dependency changes
* Use WindowsOS constant.
* Fix `tsh play` on Windows
This fixes `tsh play` on Windows by using the new `terminal` module to
initialize the terminal for raw input in a cross-platform way.
Additionally, this simplifies `terminal.New()` since in practice we never
want interactive mode at init time, and fixes a broken unit test.
* Use correct log library
* Fix `tsh play` player controls on Windows
This fixes the console player controls on Windows as well as the timestamp
writer.
* Clean up lints
* Add missing license header
* Fix broken unit test
* Fix cross-compile builds on Linux/Docker
We need windows.h, which is not capitalized in the mingw packages
(and is case insensitive on Windows).
* Address code review feedback
- Rename `Terminal.InitInteractive` to `Terminal.InitRaw`
- Ensure goroutines terminate on close
- Fix outdated godoc comments
- Ensure Terminal event subscribers are cleared (and their channels
are closed)
- Ensure terminal output mode is reset on error in initTerminal
- Bubble up errors in Terminal.Close()
- Add author notice to tncon.c re: our changes
- Add go-ansiterm as a direct dependency
- Run `make update-vendor`
* Add constants and a small player.go TODO.
* Clear linter warning
* Require that public TLS and SSH keys are provided to register via token
The original behavior attempted to make providing public keys optional,
and would generate keys if they were not provided. This had several
problems:
- The auth server is generating private keys for nodes and is
potentially able to share them over the network.
- The return value for keys.Key would sometimes be set and sometimes
be empty (the key is only set if the auth server generated it and
knows what the key is)
- We only ever relied on this behavior as a shortcut in test code.
In the production code this behavior was never used (and actually
never worked due to a bug that would overwrite and discard the
generated private key)
This commit requires that public keys are always provided, ensuring
that the private key is generated locally and never known by the
auth server.
It also results in a cleaner error message when either or both of the
public keys are missing from the request.
* Address review comments
* Fix tests that relied on certs being generated
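The property the commit above describes, the node generating its own key pair and the auth server only ever seeing public material, as an added Go example (not Teleport's own code). `registerRequest`, `newRegisterRequest` and `validateRegisterRequest` are hypothetical, reduced stand-ins for the real request type and check; the SSH public key is carried as the same PKIX DER blob as the TLS key here for simplicity, whereas the real API uses SSH wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"strings"
)

// registerRequest is a hypothetical, reduced stand-in for a token-based
// registration request: it carries the join token and public key material only.
type registerRequest struct {
	Token        string
	PublicTLSKey []byte // PKIX DER encoding of the node's TLS public key
	PublicSSHKey []byte // simplified: the same DER here; the real API uses SSH wire format
}

// newRegisterRequest runs on the node: it generates the key pair locally and
// returns the request alongside the private key, which never leaves the caller.
func newRegisterRequest(token string) (*registerRequest, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return &registerRequest{Token: token, PublicTLSKey: pub, PublicSSHKey: pub}, priv, nil
}

// validateRegisterRequest is the auth-side check: it rejects a request that
// omits either public key with one message naming every missing field, and it
// never falls back to generating keys on the node's behalf.
func validateRegisterRequest(req *registerRequest) error {
	var missing []string
	if len(req.PublicTLSKey) == 0 {
		missing = append(missing, "public TLS key")
	}
	if len(req.PublicSSHKey) == 0 {
		missing = append(missing, "public SSH key")
	}
	if len(missing) > 0 {
		return fmt.Errorf("registration request is missing the %s", strings.Join(missing, " and "))
	}
	if _, err := x509.ParsePKIXPublicKey(req.PublicTLSKey); err != nil {
		return fmt.Errorf("public TLS key is not valid PKIX: %w", err)
	}
	return nil
}

func main() {
	req, priv, err := newRegisterRequest("constructed-join-token")
	if err != nil {
		panic(err)
	}
	fmt.Println("private key stays local, curve:", priv.Curve.Params().Name)
	fmt.Println("valid request:", validateRegisterRequest(req))
	fmt.Println("empty request:", validateRegisterRequest(&registerRequest{Token: "constructed-join-token"}))
}
```

Because the server only parses what it is handed and has no key-generation path, there is no longer a request shape in which the returned key is "sometimes set and sometimes empty": a request either carries both public keys or is rejected with one message listing what is absent.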
* Generate Windows-compatible OpenSSH config in `tsh config`
This tweaks `tsh config` to generate OpenSSH config blocks compatible
with Windows. It works around several issues:
* Hosts must be translated from a full hostname (e.g.
`node.foo.example.com`) to a Teleport node name (`node`). On Unix
clients we can use a bash subshell snippet to extract the cluster
domain but this isn't possible on Windows. Instead, this adds a
hidden tsh subcommand (`tsh config-proxy`) to act as a
`ProxyCommand` that manipulates the strings as necessary.
* Windows does not have an ssh-agent enabled by default. This
configures `IdentityFile` and `CertificateFile` so no ssh-agent
is needed. This should also improve the experience for users
without a compatible ssh-agent (e.g. GNOME).
* Windows requires a full executable path in `ProxyCommand`
directives.
* Remove unnecessary conversion
* Use /usr/bin/ssh explicitly in `tsh config` template for Unix
* Remove special case for leaf clusters; always require a SiteName
* Apply suggestions from code review
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
* Pass through remote login name
This should improve compatibility with OIDC and other users with
federated Teleport usernames. The teleport proxy should always accept
a remote username for which the user's certificate is valid.
* Use `exec.LookPath` to resolve the ssh path
This prefers whichever `ssh` exists on the PATH for all OSes. After some
testing, Git for Windows SSH works just as well as Microsoft's, so we don't
need to overspecify things.
Also, quotes the tsh.exe path in generated config. Git for Windows' ssh
didn't autoescape the Windows paths.
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
* Add `tsh config ssh` helper to generate OpenSSH client configuration
This adds a new subcommand, `tsh config ssh`, to generate OpenSSH
client configuration snippets that allow users to connect directly to
nodes using the standard `ssh` client.
To support this change, tsh's `known_hosts` file has been modified to
match the format required by OpenSSH when verifying hosts against
certificates. Old-style `known_hosts` entries will be automatically
replaced and pruned when the end user first logs in with an updated
`tsh`. Small changes were additionally made to the keystore and key
agent to pass the proxy host into `AddKnownHostKeys` and to support
wildcard hostnames in `known_hosts` entries.
* Fix broken link to Trusted Clusters documentation
* Use text/template for SSH config generation; wrap all errors.
* Rename config helper from `config ssh` to just `config`
This changes the config helper to use just `tsh config` per
suggestion from @r0mant.
* Fix known_hosts_migrate_test after rebase
* First pass at review feedback
* Update docs/pages/server-access/guides/openssh.mdx
Co-authored-by: Roman Tkachenko <roman@gravitational.com>
* Ensure top-level hostnames never match wildcard patterns
* Add additional host count check to `canPruneOldHostsEntry`.
* Replace excess call to `isOldStyleHostsEntry` with documented invariant
* Trim trailing dots on absolute hostnames in `matchesWildcard`
Co-authored-by: Roman Tkachenko <roman@gravitational.com>
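The known_hosts behaviour the commits above describe (OpenSSH `@cert-authority` entries, wildcard hostname patterns that never match the top-level name itself, and trailing dots trimmed from absolute hostnames) as an added Go example, not tsh's own implementation. `matchesWildcard` shares only its name with the function the commit mentions; `parseKnownHostsLine`, `certAuthoritiesFor` and the sample file are hypothetical, and the wildcard support is reduced to a leading `*.` so the invariant is easy to see.

```go
package main

import (
	"fmt"
	"strings"
)

// normalizeHost lowercases a hostname and trims the trailing dot of an
// absolute name so "node.example.com." compares equal to "node.example.com".
func normalizeHost(h string) string {
	return strings.ToLower(strings.TrimSuffix(h, "."))
}

// matchesWildcard reports whether host matches one known_hosts hostname
// pattern. Only a leading "*." wildcard is supported (a simplification of
// OpenSSH's patterns): it requires at least one label below the pattern's
// domain, so the top-level name never matches its own wildcard.
func matchesWildcard(pattern, host string) bool {
	pattern, host = normalizeHost(pattern), normalizeHost(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:] // "*.example.com" -> ".example.com"
	return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
}

// knownHostsEntry is one parsed line of an OpenSSH known_hosts file.
type knownHostsEntry struct {
	Marker   string   // "@cert-authority", "@revoked", or "" for a plain host key
	Patterns []string // comma-separated hostname patterns from the line
	KeyType  string
	Key      string
}

// parseKnownHostsLine splits a known_hosts line into its fields; ok is false
// for blank lines, comments and malformed lines.
func parseKnownHostsLine(line string) (e knownHostsEntry, ok bool) {
	fields := strings.Fields(line)
	if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
		return e, false
	}
	if strings.HasPrefix(fields[0], "@") {
		e.Marker, fields = fields[0], fields[1:]
	}
	if len(fields) < 3 {
		return e, false
	}
	e.Patterns = strings.Split(fields[0], ",")
	e.KeyType, e.Key = fields[1], fields[2]
	return e, true
}

// certAuthoritiesFor returns "<type> <key>" for every @cert-authority entry
// whose patterns match host. An empty result means ssh would have no CA to
// verify a host certificate against for that name.
func certAuthoritiesFor(knownHosts, host string) []string {
	var cas []string
	for _, line := range strings.Split(knownHosts, "\n") {
		e, ok := parseKnownHostsLine(line)
		if !ok || e.Marker != "@cert-authority" {
			continue
		}
		for _, p := range e.Patterns {
			if matchesWildcard(p, host) {
				cas = append(cas, e.KeyType+" "+e.Key)
				break
			}
		}
	}
	return cas
}

// sampleKnownHosts is constructed sample data, not taken from a real cluster.
const sampleKnownHosts = `# constructed example file
@cert-authority *.example.com,example.com ssh-rsa AAAAB3CONSTRUCTEDCA1
@cert-authority *.other.test ssh-ed25519 AAAAC3CONSTRUCTEDCA2
legacy.example.com ssh-ed25519 AAAAC3CONSTRUCTEDHOSTKEY
`

func main() {
	for _, h := range []string{"node.example.com", "example.com", "other.test", "db.other.test."} {
		fmt.Printf("%-18s -> %v\n", h, certAuthoritiesFor(sampleKnownHosts, h))
	}
}
```

The sample file lists `example.com` explicitly next to `*.example.com`, which is what a generated entry must do if the proxy host itself should be verifiable: relying on the wildcard alone leaves the top-level name without a CA, as the `other.test` lookup shows.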
Multiple routines were fighting over the global logrus `Logger`
instance, causing the race detector to trip roughly once in every 10
test runs.
This patch addresses this race condition by supplying each of the
competing processes an entirely separate logger, and ensuring that
these log instances are plumbed through to the code that would otherwise
trip the race detector.
* hsm: migrate CA storage schema
Migrate types.CertAuthorityV2 schema according to
https://github.com/gravitational/teleport/blob/master/rfd/0025-hsm.md#backend-storage
Includes proto changes, types.CertAuthority wrapper changes and data
migration.
Note that we keep and update the old fields for backwards-compatibility.
If a cluster is upgraded to v7 and then downgraded back to v6,
everything should keep working.
* Address review feedback