* ssh: fix relogin with jumphosts
Several fixes to make `tsh ssh -J leaf.proxy.com` work if the root cert
is missing/expired.
* Address review feedback
Correctly parse trusted CAs on GetKey.
Move retry without jumphosts from relogin to UpdateClusterCAs.
* Remove TeleportClient.AuthMethods override on relogin
It doesn't seem to break anything.
* Open Sources Access Controls Docs (#6188)
Moves RBAC to a separate access controls section,
adds a couple of guides and prepares
the structure for more content.
* Fix href links
```diff
~/.tsh/
└── keys
    ├── one.example.com       --> Proxy hostname
    │   ├── certs.pem         --> TLS CA certs for the Teleport CA
    │   ├── foo               --> RSA Private Key for user "foo"
    │   ├── foo.pub           --> Public Key
-   │   ├── foo-cert.pub      --> SSH certificate for proxies and nodes
    │   ├── foo-x509.pem      --> TLS client certificate for Auth Server
+   │   ├── foo-ssh           --> SSH certs for user "foo"
+   │   │   ├── root-cert.pub --> SSH cert for Teleport cluster "root"
+   │   │   └── leaf-cert.pub --> SSH cert for Teleport cluster "leaf"
```
When `-J` is provided, this also loads/reissues the SSH cert for the cluster associated with the jumphost's certificate. Fixes #5637.
* Switch to go1.16. Use embed package to embed webassets instead of ad-hoc attaching to binary
* Fix pipeline duplicate step error
* Resolve duplicate pipeline step name error. Explicitly define platform for 'exec' pipelines. Remove the uid/gid environment from 'exec' pipelines as redundant.
* Set proper dependencies when building darwin package fips pipelines. Use enterprise build directory for tsh
* Address review comments
Username is the teleport username (either from SSO or for local user).
SSH login name is one of the OS logins allowed for the user.
In a user cert request, Username means the former, not the latter.
* Update Go runtime to 1.16.2 and bump the boringcrypto version correspondingly for linux FIPS builds
* Address review comments
* Don't fail if buildbox image is not present
* Update other go1.15.5 references not yet handled by dronegen
* Build from source on CentOS 6
Co-authored-by: Gus Luxton <gus@goteleport.com>
* fix race in filelog
* Fixed data race in Audit Log.
Fixed data race in Audit Log where Close and EmitAuditEvent race during
tests. Use a RWMutex to protect the local log to prevent race.
Co-authored-by: Forrest Marshall <forrest@gravitational.com>
Purpose is to allow users with admin privilege that are able to view audit logs,
to be able to debug SSO login failures from the UI as much as possible
* Return generic error message for sso console login failures to hide
sensitive data from reaching client. Previously errors were returning as
empty messages b/c of a trace bug.
* Remove emit event for createOIDCClient to allow outer caller to
emit event and prevent double emits on error.
* Temporarily direct users to check Teleport's log on errors that come back
empty to tsh client.
Check whether MFA is required for the current session and send a
challenge over the websocket.
client.IssueUserCertsWithMFA had to be modified to inject proxy's
cached user certs and websocket-based U2F prompt.
Addresses Issue #5774
Prior to this change key enumeration could fail with an error if the cluster value in the `tsh` config was missing, which is possible when a post-v6.0 `tsh` reads a ~/.tsh directory created by a pre-v6.0 `tsh`. This would ultimately cause the key enumeration code to search the wrong directory for keys, resulting in an attempt to read a directory as a key file, and failing.
This patch adds detection for an empty cluster name, and gracefully aborts the key enumeration without error if found.
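To make the key layout from the tree above and the empty-cluster fix concrete, here is an added example (not `tsh`'s own key-store code) that derives the per-profile file paths under `~/.tsh/keys/<proxy>/` and skips, without error, a profile whose cluster name is missing. The `Profile` and `KeyPaths` types and the function names are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// Profile carries the values a tsh profile records for one proxy (hypothetical type).
type Profile struct {
	Proxy    string // e.g. "one.example.com"
	Username string // Teleport username, e.g. "foo"
	Cluster  string // may be empty in a profile written by a pre-v6.0 tsh
}

// KeyPaths lists the files kept under ~/.tsh/keys/<proxy>/ for one user.
type KeyPaths struct {
	PrivateKey string // <proxy>/foo
	PublicKey  string // <proxy>/foo.pub
	TLSCert    string // <proxy>/foo-x509.pem
	TLSCAs     string // <proxy>/certs.pem
	SSHCert    string // <proxy>/foo-ssh/<cluster>-cert.pub
}

// ErrNoCluster marks a profile that cannot be enumerated because no cluster is recorded.
var ErrNoCluster = errors.New("profile has no cluster name")

// keyPaths derives the on-disk layout. Without a cluster name the SSH cert path
// would collapse to "<proxy>/foo-ssh/-cert.pub" or, worse, to the directory
// itself, so the function refuses instead of guessing.
func keyPaths(tshDir string, p Profile) (KeyPaths, error) {
	if p.Proxy == "" || p.Username == "" {
		return KeyPaths{}, errors.New("proxy and username are required")
	}
	if p.Cluster == "" {
		return KeyPaths{}, ErrNoCluster
	}
	proxyDir := filepath.Join(tshDir, "keys", p.Proxy)
	return KeyPaths{
		PrivateKey: filepath.Join(proxyDir, p.Username),
		PublicKey:  filepath.Join(proxyDir, p.Username+".pub"),
		TLSCert:    filepath.Join(proxyDir, p.Username+"-x509.pem"),
		TLSCAs:     filepath.Join(proxyDir, "certs.pem"),
		SSHCert:    filepath.Join(proxyDir, p.Username+"-ssh", p.Cluster+"-cert.pub"),
	}, nil
}

// enumerateKeys mirrors the graceful abort: a profile without a cluster name
// contributes nothing and raises no error; any other failure is reported.
func enumerateKeys(tshDir string, profiles []Profile) ([]KeyPaths, error) {
	var out []KeyPaths
	for _, p := range profiles {
		kp, err := keyPaths(tshDir, p)
		if errors.Is(err, ErrNoCluster) {
			continue
		}
		if err != nil {
			return nil, fmt.Errorf("profile %s: %w", p.Proxy, err)
		}
		out = append(out, kp)
	}
	return out, nil
}

func main() {
	// Constructed profiles: one post-v6.0 entry and one legacy entry without a cluster.
	profiles := []Profile{
		{Proxy: "one.example.com", Username: "foo", Cluster: "root"},
		{Proxy: "two.example.com", Username: "foo"},
	}
	keys, err := enumerateKeys("/home/foo/.tsh", profiles)
	if err != nil {
		panic(err)
	}
	for _, k := range keys {
		fmt.Println(k.SSHCert)
	}
}
```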
By specifying `device_attestation_cas` in `teleport.yaml`, admins can
restrict U2F device manufacturers. For example, specifying the yubico
attestation CA
(https://developers.yubico.com/U2F/yubico-u2f-ca-certs.txt), you can
restrict users to only yubikeys.
Example error when using the yubico CA and trying to register a Google
Titan key:
```
$ tsh mfa add --type u2f --name test && tsh mfa rm test
Tap any *registered* security key
Tap your *new* security key
ERROR: rpc error: code = InvalidArgument desc = U2F device attestation certificate is signed by "CN=Security Key,O=Google", but this cluster only accepts certificates from ["CN=Yubico U2F Root CA Serial 457200631"]; make sure you're using a U2F device from a trusted manufacturer
```
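The check that produces an error of that shape, as an added example rather than Teleport's own `device_attestation_cas` implementation: the device's attestation certificate must chain to one of the configured CAs, and the rejection message names the device's issuer alongside the accepted subjects. The roots and device certificates are minted in-process for the demonstration (so nothing is fetched from the Yubico URL above), and the helper names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA mints a self-signed attestation root with the given name (demo only).
func newCA(name pkix.Name) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               name,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newDeviceCert issues the attestation certificate a U2F token presents at registration.
func newDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "U2F device"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkAttestation enforces the policy: the device certificate must verify
// against a pool built from the configured attestation CAs, nothing else.
func checkAttestation(device *x509.Certificate, trustedCAs []*x509.Certificate) error {
	roots := x509.NewCertPool()
	var accepted []string
	for _, ca := range trustedCAs {
		roots.AddCert(ca)
		accepted = append(accepted, ca.Subject.String())
	}
	_, err := device.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // attestation certs carry no EKU
	})
	if err != nil {
		return fmt.Errorf("U2F device attestation certificate is signed by %q, but this cluster only accepts certificates from %q; make sure you're using a U2F device from a trusted manufacturer",
			device.Issuer.String(), accepted)
	}
	return nil
}

// demo registers two constructed devices against a policy that trusts only the
// "Yubico" root: one issued by that root and one issued by a separate "Google" root.
func demo() (trustedErr, untrustedErr error, err error) {
	yubico, yubicoKey, err := newCA(pkix.Name{CommonName: "Yubico U2F Root CA Serial 457200631"})
	if err != nil {
		return nil, nil, err
	}
	google, googleKey, err := newCA(pkix.Name{CommonName: "Security Key", Organization: []string{"Google"}})
	if err != nil {
		return nil, nil, err
	}
	yubicoDev, err := newDeviceCert(yubico, yubicoKey)
	if err != nil {
		return nil, nil, err
	}
	googleDev, err := newDeviceCert(google, googleKey)
	if err != nil {
		return nil, nil, err
	}
	policy := []*x509.Certificate{yubico} // what device_attestation_cas would configure
	return checkAttestation(yubicoDev, policy), checkAttestation(googleDev, policy), nil
}

func main() {
	trustedErr, untrustedErr, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted device:", trustedErr)
	fmt.Println("untrusted device:", untrustedErr)
}
```

The rejection text is built from `Issuer.String()` and the accepted subjects, which is why the message on the page shows `CN=Security Key,O=Google` for the Titan key and the Yubico root's subject in the accepted list.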
* Added support for connecting API client through tunnel proxy and web proxy addresses (with identity file).
* Added concurrent dialing logic to dial several possible dialing combinations and seamlessly return the first client to connect.