This commit adds several improvements to how CLI SSH login works
- Validated keys are added to the SSH agent [1]
- tsh does not verify host keys twice anymore
- error messages for "access denied" look clean now
[1] This is huge. This means that tsh login can "feed" the keys to the
built-in SSH agents of the OS and OpenSSH can fetch them from there.
QUESTION: why do we even need `tsh agent` option then? ssh-agent is
installed on every Linux/OSX machine.
It does two things:
1. Forwards the original HTTP error to the user without replacing it
with generic "object not found". Related PR for trace package:
https://github.com/gravitational/trace/pull/27
2. Adds proper handling for `-d` (debug) CLI flag. When passed, `tsh`
will print the call stack along with the error message.
Prior to this fix Teleport would not relay proxy errors from remote
clusters.
In other words, the following command:
```
$ tsh --cluster=remote ssh non-existing-host
```
Would print an error like:
"Cannot find a remote tunnel connection. ssh subsystem request failed"
Instead, it should say something like:
"dial non-existing-host error: no such host"
This commit fixes it. It works by:
- Sending net.Dial() error from the remote proxy back via stderr over
reverse tunnel.
- Carefully handling this error to distinguish it from tunnel-related
network errors.
Fixes #392
Fixes #396
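The two mechanisms described above (relaying the remote proxy's net.Dial() error over the tunnel's stderr, and telling that relayed error apart from a tunnel failure on the client) as an added, self-contained illustration. This is example code written for this page, not Teleport's own implementation: the marker string `RelayedDialPrefix`, the sentinel `ErrTunnelDown` and the function names are assumptions, and the dial error is constructed offline rather than produced by a real lookup.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// RelayedDialPrefix marks a relayed net.Dial() error on the stderr stream
// that flows back over the reverse tunnel. Assumption for this example,
// not a Teleport identifier.
const RelayedDialPrefix = "remote-dial-error: "

// ErrTunnelDown is a constructed sentinel standing in for a reverse-tunnel
// failure on the client side.
var ErrTunnelDown = errors.New("cannot find a remote tunnel connection")

// IsDialError reports whether err came from net.Dial: a *net.OpError with
// Op "dial", or a DNS lookup failure wrapped inside it.
func IsDialError(err error) bool {
	var opErr *net.OpError
	if errors.As(err, &opErr) && opErr.Op == "dial" {
		return true
	}
	var dnsErr *net.DNSError
	return errors.As(err, &dnsErr)
}

// RelayDialError models the remote proxy: instead of swallowing the dial
// error, it writes the error text to the client's stderr stream behind the
// marker. Errors that are not dial errors are not relayed, so the client
// falls back to treating the failure as a tunnel problem. Returns bytes written.
func RelayDialError(err error, stderr *strings.Builder) int {
	if !IsDialError(err) {
		return 0
	}
	n, _ := fmt.Fprintf(stderr, "%s%v\n", RelayedDialPrefix, err)
	return n
}

// ClassifyError models the client (tsh) side: a marked line on stderr is the
// remote dial error and is surfaced verbatim; otherwise a transport error is
// reported as a tunnel failure rather than a generic "object not found".
func ClassifyError(transportErr error, stderr string) string {
	for _, line := range strings.Split(stderr, "\n") {
		if strings.HasPrefix(line, RelayedDialPrefix) {
			return strings.TrimPrefix(line, RelayedDialPrefix)
		}
	}
	if errors.Is(transportErr, ErrTunnelDown) {
		return "tunnel error: " + transportErr.Error()
	}
	if transportErr != nil {
		return transportErr.Error()
	}
	return ""
}

// ConstructedDialError builds, without touching the network, the error that
// net.Dial("tcp", "non-existing-host:22") returns for an unknown host.
func ConstructedDialError() error {
	return &net.OpError{
		Op:  "dial",
		Net: "tcp",
		Err: &net.DNSError{Err: "no such host", Name: "non-existing-host", IsNotFound: true},
	}
}

func main() {
	// Case 1: the remote proxy cannot dial the target and relays the error.
	var stderr strings.Builder
	RelayDialError(ConstructedDialError(), &stderr)
	fmt.Println(ClassifyError(nil, stderr.String()))

	// Case 2: the tunnel itself is down, nothing was relayed.
	fmt.Println(ClassifyError(ErrTunnelDown, ""))
}
```

Keeping the relayed text on its own marked line is what lets the client distinguish "the proxy reached the tunnel but the target host does not resolve" from "the tunnel is unavailable", which are different operational problems and should be shown to the user differently.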
Teleport now respects the `--user` flag and, if `--user` is specified,
forces the certificate to belong to the given user.
This changes the file structure in `~/.tsh` directory. If a user logs in
under two different accounts, say "ekontsevoy" and "vince", it looks
like this:
```
~/.tsh/
├── keys
│   └── localhost
│       ├── ekontsevoy.cert
│       ├── ekontsevoy.key
│       ├── ekontsevoy.pub
│       ├── vince.cert
│       ├── vince.key
│       └── vince.pub
└── known_hosts
```
Also, to make tests more believable, I have added 3 more pre-generated
keys to 'testauthority' fixture, so instead of returning the same key
over and over, it now returns a random 1 of 4
- replay now works in both web and CLI
- fixed two nasty connection bugs in web sessions
- removed verbose logging/diagnostics
- refactoring of web code by Alexey
Here's how it works:
* It takes the closest tag that is present in the build
* Automatically applies this tag
* Adds git commit as well
* Is 100% go gettable
* No external deps, all vendored
This commit includes refactoring and cleanup of cert authority subsystem:
* User keys methods are deleted
* Authorities CRUD is simplified
* Lots of code removed