* Avoid test flake by ensuring the gRPC server is shut down gracefully before closing the audit log
* Fix lint warnings. Move tunnel server's Close earlier to close the proxy watcher and release gRPC traffic
* Use graceful shutdown selectively until all tests have improved support for it
* Move session recorder clean up to session.Close
* Always use graceful shutdown for TLS.
Addresses issue #4924
If a default Web Proxy port is not specified by the user, either via
config or on the command line, `tsh` defaults to `3080`. Unfortunately
`3080` is often blocked by firewalls, leading to an unacceptably long
timeout for the user.
This change adds an RFC8305-like default-port selection algorithm,
that will try multiple ports on the supplied host concurrently and
select the most responsive address to use for Web Proxy traffic. I
have included the standard HTTPS port (443) in the default set,
and this can be easily expanded if other good candidates come along.
If the port selection fails for any reason, `tsh` reverts to the
legacy behaviour of picking `3080` automatically.
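The selection described above, as an added illustration that is not tsh's own code: every candidate port on the host is dialed at once, the first completed TCP handshake wins, and if nothing answers before the timeout the legacy `3080` is returned. Full RFC 8305 also staggers attempts and interleaves address families; this sketch keeps only the concurrent-probe-and-fallback idea. `pickWebProxyPort`, `demoSelection`, `demoFallback` and `closedPort` are hypothetical names, and the loopback listener stands in for a reachable proxy.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strconv"
	"time"
)

// legacyWebProxyPort is the historical tsh default that the fallback returns.
const legacyWebProxyPort = 3080

// pickWebProxyPort dials host on every candidate port concurrently and returns
// the port whose TCP handshake completes first. If none answers before timeout
// expires, it returns legacyWebProxyPort. (Hypothetical helper, not tsh code.)
func pickWebProxyPort(ctx context.Context, host string, candidates []int, timeout time.Duration) int {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel() // abandons the losing dials once a winner is found

	// Buffered so late finishers never block after this function has returned.
	results := make(chan int, len(candidates))
	for _, port := range candidates {
		go func(port int) {
			var d net.Dialer
			conn, err := d.DialContext(ctx, "tcp", net.JoinHostPort(host, strconv.Itoa(port)))
			if err != nil {
				results <- 0 // 0 is never a real candidate, so it marks a failed probe
				return
			}
			conn.Close() // reachability probe only; the real client reconnects later
			results <- port
		}(port)
	}

	for range candidates {
		if port := <-results; port != 0 {
			return port
		}
	}
	return legacyWebProxyPort
}

// closedPort reserves a loopback port and releases it again, so a later dial to
// it is refused immediately. Constructed stand-in for a firewalled port.
func closedPort() (int, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	port := ln.Addr().(*net.TCPAddr).Port
	ln.Close()
	return port, nil
}

// demoSelection opens one loopback listener (the "reachable proxy"), pairs it
// with a closed port, and runs the selection. It returns the chosen port and
// the port that was actually listening so callers can compare them.
func demoSelection() (chosen, open int, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	open = ln.Addr().(*net.TCPAddr).Port

	closed, err := closedPort()
	if err != nil {
		return 0, 0, err
	}
	chosen = pickWebProxyPort(context.Background(), "127.0.0.1", []int{closed, open}, 2*time.Second)
	return chosen, open, nil
}

// demoFallback probes only a closed port; every handshake is refused, so the
// legacy default comes back.
func demoFallback() (int, error) {
	closed, err := closedPort()
	if err != nil {
		return 0, err
	}
	return pickWebProxyPort(context.Background(), "127.0.0.1", []int{closed}, 2*time.Second), nil
}

func main() {
	chosen, open, err := demoSelection()
	if err != nil {
		panic(err)
	}
	fmt.Printf("listening on %d, selected %d\n", open, chosen)
	fb, err := demoFallback()
	if err != nil {
		panic(err)
	}
	fmt.Printf("no candidate answered, fell back to %d\n", fb)
}
```

The buffered results channel is what lets the function return as soon as one probe succeeds without leaking blocked goroutines; the cancelled context then tears down the remaining dials.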
Forbids the use of the `--insecure` mode when FIPS mode is enabled in Teleport
Disables the `--insecure` tsh command line option when built with FIPS support
See-Also: #5073
* client: set TLS certificate usage for k8s/app/db certs
--- TLS usage field
The certificate usage field prevents a certificate from being used for
other purposes. For example, a k8s-specific certificate will not be
accepted by a database service endpoint.
Server-side enforcement logic was already in place for a long time, but
we stopped setting the correct Usage in UserCertRequest during keystore
refactoring in 5.0 (with introduction of k8s certs).
--- TLS certificate overwrite
As part of this, client.ReissueUserCerts will no longer write
usage-restricted certificates into the top-level TLS certificate used
for Teleport API authentication.
For example, when generating a k8s-specific certificate, we used to
overwrite both:
- `~/.tsh/keys/$proxy/$user-x509.pem`
- `~/.tsh/keys/$proxy/$user-kube/$cluster/$kubeCluster-x509.pem`
This PR stops overwriting `~/.tsh/keys/$proxy/$user-x509.pem`.
This is not a breaking change.
--- Selected k8s cluster
Prior to this PR, `tsh status` printed the selected k8s cluster based on
the top-level TLS certificate. Since we no longer overwrite that
certificate, it will not contain a k8s cluster name.
Instead, we extract it from the kubeconfig, which is actually more
accurate since a user could switch to a different context out-of-band.
* Document UserCertRequest CertUsage enum values
The user loading code is kind of convoluted: it loads all the separate
backend items from the `/web/users/` prefix into a struct. That struct
is then converted to a full `types.User` object.
For each user there are 3 kinds of backend items:
- `/params` which is the main one, containing a marshalled `types.User`
object
- `/pwd` which contains the hashed password for local users
- `/mfa/...` which contain registered MFA devices
When an SSO user expires, we delete the first two items but not
`/mfa/...`. This is intentional, to persist MFA devices across logins.
The user loading code would fail because the user was "found" (thanks to
MFA items), but didn't have the mandatory `/params` item.
This PR ignores any users that don't have `/params` instead of
hard-failing all `GetUsers` calls.
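The tolerant loading behaviour described above, as an added example rather than Teleport's own code: items under the `/web/users/` prefix are grouped by user name, and any user that has `/mfa/...` items but no `/params` item (the expired-SSO-user case) is skipped instead of failing the whole call. `backendItem`, `loadedUser`, `loadUsers` and `sampleItems` are hypothetical names, and the sample items are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// backendItem is a constructed stand-in for one key/value pair in the backend.
type backendItem struct {
	Key   string
	Value []byte
}

// loadedUser collects the backend items that belong to a single user.
type loadedUser struct {
	Name   string
	Params []byte   // marshalled user object; mandatory
	Pwd    []byte   // hashed password; local users only
	MFA    [][]byte // registered MFA devices; may outlive the user
}

const usersPrefix = "/web/users/"

// loadUsers groups items by user and returns the users that have a /params item
// (sorted by name) plus the names that were skipped for lacking one.
func loadUsers(items []backendItem) ([]loadedUser, []string) {
	byName := map[string]*loadedUser{}
	for _, it := range items {
		if !strings.HasPrefix(it.Key, usersPrefix) {
			continue
		}
		parts := strings.SplitN(strings.TrimPrefix(it.Key, usersPrefix), "/", 2)
		if len(parts) != 2 {
			continue // not of the form <user>/<item>
		}
		name, sub := parts[0], parts[1]
		u := byName[name]
		if u == nil {
			u = &loadedUser{Name: name}
			byName[name] = u
		}
		switch {
		case sub == "params":
			u.Params = it.Value
		case sub == "pwd":
			u.Pwd = it.Value
		case strings.HasPrefix(sub, "mfa/"):
			u.MFA = append(u.MFA, it.Value)
		}
	}

	var users []loadedUser
	var skipped []string
	for _, u := range byName {
		if u.Params == nil {
			// Only leftover items (typically MFA devices) remain: not a loadable user.
			skipped = append(skipped, u.Name)
			continue
		}
		users = append(users, *u)
	}
	sort.Slice(users, func(i, j int) bool { return users[i].Name < users[j].Name })
	sort.Strings(skipped)
	return users, skipped
}

// sampleItems is a constructed snapshot: alice is a complete local user, bob is
// an SSO user whose /params and /pwd expired while his MFA device persisted.
var sampleItems = []backendItem{
	{Key: "/web/users/alice/params", Value: []byte(`{"name":"alice"}`)},
	{Key: "/web/users/alice/pwd", Value: []byte("$2a$constructed-hash")},
	{Key: "/web/users/alice/mfa/dev-1", Value: []byte("mfa-device-1")},
	{Key: "/web/users/bob/mfa/dev-2", Value: []byte("mfa-device-2")},
	{Key: "/web/other/ignored", Value: []byte("x")},
}

func main() {
	users, skipped := loadUsers(sampleItems)
	for _, u := range users {
		fmt.Printf("loaded %s (mfa devices: %d)\n", u.Name, len(u.MFA))
	}
	fmt.Printf("skipped without /params: %v\n", skipped)
}
```

Returning the skipped names alongside the loaded users keeps the call from hard-failing while still leaving a trail a caller can log, which is what you want when orphaned items are expected rather than a corruption signal.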
The reference used a branch commit originally to pass docs CI tests (link reachability).
The file now exists on the `master` branch, so it can be linked.
With this change `tsh login` will still always add teleport contexts and credentials to the kubeconfig, but will only update the current context if:
- `tsh login` is called with `--kube-cluster` set, or
- `tsh kube login <kube cluster>` is called.
Prior to this change, `tsh` would only ever forward the internal key
agent managed by `tsh` to a remote machine.
This change allows a user to specify that `tsh` should forward either
the `tsh`-internal keystore, or the system key agent at `$SSH_AUTH_SOCK`.
This change also brings the `-A` command-line option into line with
OpenSSH.
For more info refer to RFD-0022.
See-Also: #1571