The purpose of this commit was to remove the lib/client dependency of
lib/web.
lib/client must be dependency-free in order to be reusable.
Next step: make the web UI use the same client code as the CLI. This
will remove a ton of duplicate code, making Teleport's audit surface area
much smaller.
The web UI backend used very generic and hard-to-follow naming conventions,
like "connect" or "connectHandler" or "newHandlerRequest".
Renaming everything to something easier to follow, like "makeTerminal"
or "newTerminalRequest".
Even the source file is renamed from "connect.go" to "terminal.go".
I know comments are very lacking right now. Once things are stable I will add
proper comments. Minimal manual testing of the U2F registration API was done
with a hardware U2F key. Some of the code may need to be cleaned up later to
remove excessively long variable names...
Currently we return an error right away if the username/password combo is wrong.
It's difficult to do U2F without revealing either whether a user exists or
whether the password is correct. Returning an error immediately reveals whether
the user/password combo is valid, while waiting until we get a signed response
from the U2F device to announce whether the user/pass combo is valid can reveal
which users exist, since we need to return a keyHandle in the U2F SignRequest,
and generating fake keyHandles for nonexistent users can be difficult to get
right since there is no rigid format for keyHandle.
- replay now works in both web and CLI
- fixed two nasty connection bugs in web sessions
- removed verbose logging/diagnostics
- refactoring of web code by Alexey
auth server. This is needed when you configure a cluster from scratch and
all nodes, including the auth server, spin up simultaneously.
* Add tctl tools to generate keys and certificates
+ Command "tctl authorities gen" generates a public and private keypair.
+ Command "tctl authorities gencert" generates a public and private keypair signed
by an existing private key
+ Command "tctl authorities export" was modified to be able to export existing private
CA keys to local storage
All of these commands are hidden by default.
section "static configuration"
* Add ability to configure teleport from an environment variable
Environment variable TELEPORT_CONFIG can contain a base64-encoded
YAML config file of the standard file format, so teleport will use it on start
* Add special secrets section to the config file
Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys
* Add special rts hidden section to add support for provisioning
* clients to tun servers now support failover on the client
* clients periodically pull and sync auth servers that are available in the cluster
* teleport stores information about cluster state locally and reuses it on restart