`tc.SiteName` does not necessarily point to the cluster we're connecting
to (or that we have certs for). For example `tsh login leaf` will set
`tc.SiteName` as `"leaf"` even though we're connecting to root proxy to
fetch leaf certs.
Load access requests from SSH cert instead of the profile. The profile
only exists on CLI clients, but not in the proxy.
Note: theoretically, SSH cert may be missing in some cases for CLI
clients. We should eventually encode access requests in TLS certs too,
which are always present.
Cluster name can be missing in profiles created by older tsh versions.
Trying to load the client.Key without a cluster name now causes a
failure when using WithAllCerts (because ssh/db/kube certs are
per-cluster).
Also added some output to `tsh status` when no profiles can be loaded.
* ssh: fix relogin with jumphosts
Several fixes to make `tsh ssh -J leaf.proxy.com` work if the root cert
is missing/expired.
* Address review feedback
Correctly parse trusted CAs on GetKey.
Move retry without jumphosts from relogin to UpdateClusterCAs.
* Remove TelpoertClient.AuthMethods override on relogin
It doesn't seem to break anything.
```diff
~/.tsh/
└── keys
├── one.example.com --> Proxy hostname
│ ├── certs.pem --> TLS CA certs for the Teleport CA
│ ├── foo --> RSA Private Key for user "foo"
│ ├── foo.pub --> Public Key
- │ ├── foo-cert.pub --> SSH certificate for proxies and nodes
│ ├── foo-x509.pem --> TLS client certificate for Auth Server
+ │ ├── foo-ssh --> SSH certs for user "foo"
+ │ │ ├── root-cert.pub --> SSH cert for Teleport cluster "root"
+ │ │ └── leaf-cert.pub --> SSH cert for Teleport cluster "leaf"
```
When `-J` is provided, this also loads/reissues the SSH cert for the cluster associated with the jumphost's certificate. Fixes#5637.
Username is the teleport username (either from SSO or for local user).
SSH login name is one of the OS logins allowed for the user.
In a user cert request, Username means the former, not the latter.
* fix race in filelog
* Fixed data race in Audit Log.
Fixed data race in Audit Log where Close and EmitAuditEvent race during
tests. Use a RWMutex to protect the local log to prevent race.
Co-authored-by: Forrest Marshall <forrest@gravitational.com>
Purpose is to allow users with admin privilege that are able to view audit logs,
to be able to debug SSO login failures from the UI as much as possible
* Return generic error message for sso console login failures to hide
sensitive data from reaching client. Previously errors were returning as
empty messages b/c of a trace bug.
* Remove emit event for createOIDCClient to allow outer caller to
emit event and prevent double emits on error.
* Temporarily direct users to check teleports log on errors that come back
empty to tsh client.
Check whether MFA is required for the current session and send a
challenge over the websocket.
client.IssueUserCertsWithMFA had to be modified to inject proxy's
cached user certs and websocket-based U2F prompt.
Addresses Issue #5774
Prior to this change key enumeration could fail with an error if the cluster value in the `tsh` config was missing, which is possible when a post-v6.0 `tsh` reads a ~/.tsh directory created by a pre-v6.0 `tsh`. This would ultimately cause the key enumeration code to search the wrong directory for keys, resulting in an attempt to read a directory as a key file, and failing.
This patch adds detection for an empty cluster name, and gracefully aborts the key enumeration without error if found.
By specifying `device_attestation_cas` in `teleport.yaml`, admins can
restrict U2F device manufacturers. For example, specifying the yubico
attestation CA
(https://developers.yubico.com/U2F/yubico-u2f-ca-certs.txt), you can
restrict users to only yubikeys.
Example error when using the yubico CA and trying to register a Google
Titan key:
```
$ tsh mfa add --type u2f --name test && tsh mfa rm test
Tap any *registered* security key
Tap your *new* security key
ERROR: rpc error: code = InvalidArgument desc = U2F device attestation certificate is signed by "CN=Security Key,O=Google", but this cluster only accepts certificates from ["CN=Yubico U2F Root CA Serial 457200631"]; make sure you're using a U2F device from a trusted manufacturer
```
* Added support for connecting API client through tunnel proxy and web proxy addresses (with identity file).
* Added concurrent dialing logic to dial several possible dialing combinations and seamlessly return the first client to connect.
