* Fix bug with OIDC powered sessions logged out after 10 minutes
* Adjust web sessions durations by taking roles into account
* Provide explicit TTL enforced on the server side for bearer tokens

Before this PR the web session TTL was measured using defaults,
10 minutes for local sessions and 1 hour for OIDC sessions and
the system relied on the client to renew the bearer token.
With this change bearer token TTL is set to 10 minutes
and the entire web session will expire if not renewed before
The maximum session duration is set to 12 hours, if not
limited to a smaller value by roles in RBAC modules.
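
The TTL rules this commit message describes, as an added Go example that is not Teleport's own code. The `Role` type, the function names, the rule that the smallest role limit wins and the capping of the token expiry at the session expiry are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const (
	bearerTokenTTL = 10 * time.Minute // bearer token TTL from the commit message
	maxSessionTTL  = 12 * time.Hour   // maximum web session duration from the commit message
)

// Role is a hypothetical stand-in for an RBAC role; MaxSessionTTL == 0 means no limit.
type Role struct {
	Name          string
	MaxSessionTTL time.Duration
}

// SessionTTL starts at the 12 hour maximum and lowers it to the smallest role limit.
func SessionTTL(roles []Role) time.Duration {
	ttl := maxSessionTTL
	for _, r := range roles {
		if r.MaxSessionTTL > 0 && r.MaxSessionTTL < ttl {
			ttl = r.MaxSessionTTL
		}
	}
	return ttl
}

// Renew runs on the server: it refuses an expired token or session, otherwise it
// returns the next token expiry, capped so the token cannot outlive the session.
func Renew(now, tokenExpires, sessionExpires time.Time) (time.Time, error) {
	if !now.Before(tokenExpires) || !now.Before(sessionExpires) {
		return time.Time{}, errors.New("web session expired")
	}
	next := now.Add(bearerTokenTTL)
	if next.After(sessionExpires) {
		next = sessionExpires
	}
	return next, nil
}

func main() {
	login := time.Date(2017, 1, 1, 9, 0, 0, 0, time.UTC) // constructed sample time
	roles := []Role{{Name: "admin"}, {Name: "contractor", MaxSessionTTL: 2 * time.Hour}}
	sessionExpires := login.Add(SessionTTL(roles))
	next, err := Renew(login.Add(9*time.Minute), login.Add(bearerTokenTTL), sessionExpires)
	fmt.Println(sessionExpires, next, err)
}
```

Because the expiry is checked in `Renew` on the server, a client that stops renewing loses the session after 10 minutes regardless of what it stores locally.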

Before this commit, tsh HAD to know which SSH port the server is
listening on. Meanwhile the proxy _already knows_ which port every
server is listening on! This made it inconvenient to use tsh when
a non-default port was used.
This commit makes the proxy smarter:
- If the `-p` flag is explicitly set, the proxy looks for this port and gives an
  intelligent error if the port doesn't match what's actually used.
- If `-p` is skipped, the proxy automatically uses the correct port,
  and, what's cooler, it uses port `22` if connecting to OpenSSH servers.
This commit fixes the second issue of #729.

Fix one:
Fixed typo in defining `teleport.HOTP` constant.
This fixes bug #721.
Fix two:
Removes 'drop tunnel connection' logic on any tunnel-related error. This
fixes the 2nd problem, "Handling Unreachable nodes", for issue #717 (see
klizhentas' comment there).

* GenerateUserCert should check permissions of a user that
is about to get a certificate, not the currently authenticated
user, because these users do not always match.

Trusted clusters and cert authorities static configuration
sections were not properly processed and we've been creating
incomplete V2 objects in the database. This commit fixes the problem