I know comments are very lacking right now. Once things are stable I will add
proper comments. Minimal manual testing of the U2F registration API was done
with a hardware U2F key. Some of the code may need to be cleaned up later to
remove excessively long variable names...
Currently we return an error right away if the username/password combo is wrong.
It's difficult to do U2F without revealing either whether a user exists or
whether the password is correct. Returning an error immediately reveals whether
the user/password combo is valid, while waiting until we get a signed response
from the U2F device to announce whether the user/pass combo is valid can reveal
which users exist, since we need to return a keyHandle in the U2F SignRequest,
and generating fake keyHandles for nonexistent users can be difficult to get
right since there is no rigid format for keyHandle.

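As an added example (not code from this commit or from Teleport), the Go snippet below shows the first half of the tradeoff described above: one uniform error for both an unknown user and a wrong password, with an unknown user checked against a decoy record so both paths do the same work. The HMAC-based hashPassword is a stand-in for a real password hash, and all names (account, decoy, checkPassword) are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// ErrBadCredentials is the one error returned for every failure before the
// U2F step, so a caller cannot tell "no such user" from "wrong password".
var ErrBadCredentials = errors.New("invalid username or password")

// account holds a salted password hash and the registered U2F key handle.
type account struct {
	salt, hash, keyHandle []byte
}

// hashPassword is a stand-in for a real password hash such as bcrypt;
// salted HMAC-SHA256 keeps this example free of non-stdlib dependencies.
func hashPassword(salt []byte, password string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// decoy is the record checked when the username is unknown, so the work
// done and the error returned are the same on both paths (constructed value).
var decoy = account{salt: []byte("decoy-salt"), hash: hashPassword([]byte("decoy-salt"), "decoy")}

// checkPassword returns the user's key handle (needed for the U2F SignRequest)
// on success and ErrBadCredentials for both an unknown user and a wrong password.
func checkPassword(users map[string]account, user, password string) ([]byte, error) {
	acct, known := users[user]
	if !known {
		acct = decoy
	}
	// The hash is always computed and compared in constant time;
	// the "known" flag is only folded in afterwards.
	match := subtle.ConstantTimeCompare(hashPassword(acct.salt, password), acct.hash) == 1
	if !known || !match {
		return nil, ErrBadCredentials
	}
	return acct.keyHandle, nil
}
```

The second half of the tradeoff is not shown: a SignRequest needs a real keyHandle, which an unknown user does not have, so deferring the error past the U2F step would still disclose which users exist.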
- User tokens (signup tokens) and node tokens (provisioning tokens) are
managed via the same API calls.
- User tokens are converted to machine tokens (with Signup role)
- Static node tokens have an "Expiry" date of Unix(0), i.e. Jan 1, 1970

Teleport CA-signed host certificates used to support only one
server role per cert.
This commit adds the ability to store multiple roles in a
certificate, paving the road for multi-role node support in
the near future.
This commit:
- Makes all Teleport tokens multi-role (a token is associated with a
list of roles its owner can assume)
- Removes some unused/obsolete features
a) "AllowedTokens" config setting which we don't use
b) "authorities" TCTL command
It does not affect how Teleport works, just preparing the plumbing for the
--roles flag for `tctl nodes add`

This commit introduces heartbeats of AuthServers and Proxies and fixes several issues:
1. Server init problem
There was an issue in server init, when certificates of multiple roles were overwriting each other.
Now Teleport stores each keypair and certificate in a separate file <hostid>.role.key and <hostid>.role.cert
This also means that it's backwards incompatible with the previous on-disk format.
2. Proxy and Auth heartbeats
Auth servers and proxies now heartbeat into the cluster as well
3. Bugfixes:
* Proxy role was missing, it is now treated as a separate role with permissions
* AdvertiseIP is now a global setting that can be used by all roles
* --advertise-ip flag was ignored and was never applied
* teleport service initialization has been simplified, now each role gets its own client
* minor cleanups

1. `--name` setting is passed through into AuthServer as "AuthServiceName".
This will be used in UIs when there are multiple clusters, and also
in places like Google Authenticator
2. `tctl nodes ls` now lists both host name and host UUID
3. Changed `--name` setting to `--nodename` to be consistent with the
config file.
Closes #194

`web.SSHAgentLogin(proxyAddr string)` expects the proxyAddr string to be a
URL, while everywhere else we address servers by host:port pair.
Because of that, the `--proxy=host` syntax was broken.