* Do not log EOF errors, avoid polluting logs
* Trim space from tokens when reading from file
* Do not use dir based caching
The caching problem deserves a separate explanation.
Directory backend is not concurrent friendly - it has a
fundamental design flaw - multiple gorotuines writing to the
same file corrupt cache data.
This requires either redesign of the backend or switching
to boltdb backend for caching.
Boltdb backend uses transactions and is safe for concurrent
access. This PR changes local cache to use boltdb instead
of the dir backend that is now used only in tests.
Add support for extra principals for proxy.
Proxy section already supports public_addr
property that is used during tctl users add
output.
Use the value from this property to update
host SSH certificate for proxy service.
proxy_service:
public_addr: example.com:3024
With the configuration above, proxy host
certificate will contain example.com principal
in the SSH principals list.
Support configuration for web and reverse tunnel
proxies to listen on the same port.
* Default config are not changed for backwards compatibility.
* If administrator configures web and reverse tunnel
addresses to be on the same port, multiplexing is turned on
* In trusted clusters configuration reverse_tunnel_addr
defaults to web_addr.
* Session events are delivered in continuous
batches in a guaranteed order with every event
and print event ordered from session start.
* Each auth server writes to a separate folder
on disk to make sure that no two processes write
to the same file at a time.
* When retrieving sessions, auth servers fetch
and merge results recorded by each auth server.
* Migrations and compatibility modes are in place
for older clients not aware of the new format,
but compatibility mode is not NFS friendly.
* On disk migrations are launched automatically
during auth server upgrades.
This commit introduced mutual TLS authentication
for auth server API server.
Auth server multiplexes HTTP over SSH - existing
protocol and HTTP over TLS - new protocol
on the same listening socket.
Nodes and users authenticate with 2.5.0 Teleport
using TLS mutual TLS except backwards-compatibility
cases.
* Allow external audit log plugins
* Add support for auth API server plugins
* Add license file path configuration parameter (not used in open-source)
* Extend audit log with user login events
If user running teleport is a member of adm group
create the directory and all subdirectories
accessible to admins.
Remove obsolete migrations required for pre 2.3 releases.
This is a fix for file leak in audit log server caused
by design issue:
Session file descriptors in audit log were opened on demand
when the session event or byte stream chunk was reported.
AuditLog server relied on SessionEnd event to close the
file descriptors associated with the session.
However, when SessionEnd event does not arrive (e.g.
there is a timeout or disconnect), the file descriptors
were not closed. This commit adds periodic clean up
of inactive sessions.
SessionEnd is now used as an optimization measure
to close the files, but is not used as the only
trigger to close files.
Now, inactive idle sessions, will close file descriptors
after periods of inactivity and will reopen the file
descriptors when the session activity resumes.
SessionLogger was not designed to open/close files
multiple times as it was reseting offsets
every time the session files were opened. This
change fixes this condition as well.
This was fixed running the `misspell` linter in fix mode using
`gometalinter`. The exact command I ran was :
```
gometalinter --vendor --disable-all -E misspell --linter='misspell:misspell -w {path}:^(?P<path>.*?\.go):(?P<line>\d+):(?P<col>\d+):\s*(?P<message>.*)$' ./...
```
Some typo were fixed by hand on top of it.
Instead of quietly changing behavior because `DEBUG` envar was set to
true, Teleport now explicitly requires scary --insecure flag to enable
this behavior.
BoltDB backend is now compatible with how all backends should
initialize.
Also all BoltDB-specific code/constants have been consolidated inside of
`backend.boltbk` package.
Originally Teleport had facilities to configure events/recordings via two
separate backends.
In reality those two objects (session events and session recordings)
need each other and currently there is only one implementaiton of it.
The old structures were unused. This commit is 100% dead code removeal.
- Added ability to read AWS config from `~/.aws` directory for testing
- Fixed TTL bug in DynamoDB back-end
- Made FS back-end return similar error types as Boltdb does
- Cleaned up buggy tests for DynamoDB
- Removed unnecessary locks everywhere in code
Functionality:
`teleport` binary now serves web assets from its own binary file.
Unless `DEBUG` environment variable is set to "1" or "true", in
this case it will look for ../web/dist (as located in github repo)
which can be used for development.
Design:
To avoid accumulating 3rd party dependencies with a ton of extra
features and licenses, this implementation uses minimalistic
implementation of http.FileSystem interface on top of the embedded ZIP
archive.
1. The assets are zipped into assets.zip during build process
2. assets.zip gets appended to the end of `teleport` binary
3. The resulting file is converted into a self-extracting ZIP
4. Teleport opens itself using the built-in zip unarchiver, and loads
the assets on demand.
Notes:
1. LOC is tiny (dozens)
2. RAM consumption is CONSTANT regardless of the ZIP size, about 500Kb
increase vs load-from-file, and most of it is linking zip archive
code from the standard library. Tested with a 20MB ZIP archive.
This backend can be enabled by optionally adding a new build flag.
See lib/backend/dynamo/README.md for details.
It should not affect default Teleport builds.
Instead of trying to achieve a full "offline" operation, this commit
honestly converts previous attempts to a "caching access point client"
behavior.
Closes#554
I know comments are very lacking right now. Once things are stable I will add
proper comments. Minimal manual testing of the U2F registration API was done
with a hardware U2F key. Some of the code may need to be cleaned up later to
remove excessively long variable names...
Currently we return an error rightaway if the username/password combo is wrong.
It's difficult to do U2F without revealing either whether a user exists or
whether the password is correct. Returning error immediately reveals whether
the user/password combo is valid, while waiting until we get a signed response
from the U2F device to announce whether the user/pass combo is valid can reveal
which users exist since we need to return a keyHandle in the U2F SignRequest
and generating fake keyHandles for nonexistent users can be difficult to get
right since there is no rigid format for keyHandle.
What works:
1. You have to start all 3: node, proxy and auth.
2. Login using 'tsh' (so it will create a cert)
3. Then you can shut 'auth' down.
4. Proxy and node will stay up and tsh will be able to login.
What doesn't work:
1. Auth updates are not visible to proxy/node (like new servers)
2. Not sure if "trusted clusters" will work.
At this stage I have an in-memory snapshot of a "cluster state" which
can be kept by nodes in-memory not requiring the auth connection to be
up 100% of the time.
Node and proxy are now both using this snapshot instead of a live
connection to the auth server.
Next steps:
- Make node and proxy continue to work after the auth is killed.
- Make the snapshot persistent.
- Make node & proxy use persistence and be able to restart with the auth
server down.
IMPORTANT:
Also found an interesting case where process identity is generated (on
first start). Right now there wasn't any kind of locking, and concurrent
identity initialization was possible. While it's not clear if this can
cause any real world issue, I have refactored it into a separate
lock-protected function.
Teleport configuration now has a new field: NoAudit (false by default,
which means audit is always on).
When this option is set, Teleport will not record events and will not
record sessions.
It's implemented by adding "DiscardLogger" which implements the same
interface as teh real logger, and it's plugged into the system instead.
NOTE: this option is not exposed in teleport in any way: no config file,
no switch, etc. I quickly needed it for Telecast.
* Downgraded many messages from `Debug` to `Info`
* Edited messages so they're not verbose and not too short
* Added "context" to some
* Added logical teleport component as [COMPONENT] at the beginning of
many, making logs **vastly** easier to read.
* Added one more logging level option when creating Teleport (only
Teleconsole uses it for now)
The output with 'info' severity now look extremely clean.
This is startup, for example:
```
INFO[0000] [AUTH] Auth service is starting on turing:32829 file=utils/cli.go:107
INFO[0000] [SSH:auth] listening socket: 127.0.0.1:32829 file=sshutils/server.go:119
INFO[0000] [SSH:auth] is listening on 127.0.0.1:32829 file=sshutils/server.go:144
INFO[0000] [Proxy] Successfully registered with the cluster file=utils/cli.go:107
INFO[0000] [Node] Successfully registered with the cluster file=utils/cli.go:107
INFO[0000] [AUTH] keyAuth: 127.0.0.1:56886->127.0.0.1:32829, user=turing file=auth/tun.go:370
WARN[0000] unable to load the auth server cache: open /tmp/cluster-teleconsole-client781495771/authservers.json: no such file or directory file=auth/tun.go:594
INFO[0000] [SSH:auth] new connection 127.0.0.1:56886 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205
INFO[0000] [AUTH] keyAuth: 127.0.0.1:56888->127.0.0.1:32829, user=turing.teleconsole-client file=auth/tun.go:370
INFO[0000] [AUTH] keyAuth: 127.0.0.1:56890->127.0.0.1:32829, user=turing.teleconsole-client file=auth/tun.go:370
INFO[0000] [Node] turing connected to the cluster 'teleconsole-client' file=service/service.go:158
INFO[0000] [AUTH] keyAuth: 127.0.0.1:56892->127.0.0.1:32829, user=turing file=auth/tun.go:370
INFO[0000] [SSH:auth] new connection 127.0.0.1:56890 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205
INFO[0000] [SSH:auth] new connection 127.0.0.1:56888 -> 127.0.0.1:32829 vesion: SSH-2.0-Go file=sshutils/server.go:205
INFO[0000] [Node] turing.teleconsole-client connected to the cluster 'teleconsole-client' file=service/service.go:158
INFO[0000] [Node] turing.teleconsole-client connected to the cluster 'teleconsole-client' file=service/service.go:158
INFO[0000] [SSH] received event(SSHIdentity) file=service/service.go:436
INFO[0000] [SSH] received event(ProxyIdentity) file=service/service.go:563
```
You can easily tell that auth, ssh node and proxy have successfully started.
We had this flag in the configuration forever, but apparently it was
being ignored.
It allows teleport proxy to start without HTTP UI enabled. This is
useful for proxies that strictly proxy and do nothing else.
I ran into this bug when I first time used this flag for Telecast, it
did not work, so I fixed it.
Teleport YAML config now has a new configuration variable for internal
use by Gravitational:
```yaml
teleport:
seed_config: true
```
If set to 'true', Teleport treats YAML configuration simply as a seed
configuration on first start.
If set to 'false' (default for OSS version), Teleport will throw away
its back-end config, treating YAML config as the only source of truth.
Specifically, for now, the following settings are thrown away if not
found in YAML:
- trusted authorities
- reverse tunnels
- Friendly error messages when parsing configuration and establishing
connection
- Bugs related to "first start" vs subsequent starts (reverse tunnells
added to YAML file won't be seen upon restart)
- Nicer logging
1. tctl auth export now dumps both user&host keys if --type key is missing
2. created fixtures for testing key imports: they're in
fixtures/trusted_clusters
3. configuration parser reads "trusted_clusters" files expecting the
output of tctl auth export
1. data_dir is now a global setting in teleport.yaml (instead of being
inside of "storage" sub-section)
2. changing data_dir in one place causes all of teleport to use it,
not just bolt backends.
3. moving auth server to listen on non-default ports properly adjusts
the global auth_servers setting
4. `tctl` now accepts -c flag just like Teleport, so you can pass
`teleprot.yaml` to it.
Fixes#432Fixes#431Fixes#430
TunClient always tries to dial the statically configured auth server
first, before trying "discovered" ones.
The rationale is that --auth flag must override whatever dynamic auth
servers have been discovered (because sometimes their IPs are wrong, if
advertise-ip was misconfigured)
Closes#416Fixes#416
- User tokens (signup tokens) and node nodes (provisioning tokens) are
managed via the same API calls.
- User tokens are converted to machine tokens (with Signup role)
- Static node tokens have "Expiry" date of Unix(0) i.e. Jan 1, 1970
- replay now works in both web and CLI
- fixed two nasty connection bugs in web sessions
- removed verbose logging/diagnostics
- refactoring of web code by Alexey
- auth.Client : HTTP client
- APIServer : HTTP server for Auth API
- AuthWithRoles : HTTP server for Auth API (which calls HasPermission)
- AuditLog : actual server-side filesystem-based implementation
- ctx object is created earlier
- session connection is not passed around anymore (it's part of ctx
anyway)
- clearly identified places in code where audit events must be logged
- Fixed all tests
- Removed "magic constants" in random places
- Improved 'retry connecting to auth server' logic (it used to always
fail on 1st attempt)
Goal: Easier manipulation of client keys
- configurable key store
- easier public API to sign & save keys (prior to this only tc.Login()
could create a signed key) - this allows to implement custom Login
logic in other clients.
Before:
Without "--debug" flag teleport would not report some errors to stderr.
A user would get the impression it's working properly.
After:
Initialization errors are dumped into cfg.Console writer, just like we
do everywhere else, so errors are duplicted in the log and also in the
user-facing console.
auth server. This is needed when you configure cluster from scratch and
all nodes including auth server spin up simultaneously.
* Add tctl tools to generate keys and certificates
+ Command "tctl authorities gen" generates public and private keypair.
+ Command "tctl authorities gencert" generates public and private keypair signed
by existng private key
+ Command "tctl authorities export" was modified to be able to export exisitng private
CA keys to local storage
All of these commands are hidden by default.
section "static configuration"
* Add ability to configure teleport from environment variable
Environment variable TELEPORT_CONFIG can contain base64 encoded
YAML file config file of the standard file format, so teleport will use it on start
* Add special secrets section to the config file
Section "secrets" was updated to support pre-configured trusted CA keys and pre-generated keys
* Add special rts hidden section to add support for provisioning
Reverse tunnels are now first class citizens of teleport.
There's no longer static configuration for reverse tunnel agents
in the config. Instead, admins can add and remove reverse tunnels
using tctl reversetunnel (hidden) commands.
* tctl reversetunnel ls
lists reverse tunnels
* tctl reversetunnel upsert a.example.com 10.0.0.4:2023,10.0.0.5:2033 --ttl=10m
updates or inserts reverse tunnel for 10 minutes
* tctl reversetunnel del a.example.com
deletes a reverse tunnel
Teleport proxies watch changes in the reverse tunnels on the backend and
spin up / spin down reverse tunnels according to these changes.
* clients to tun servers are now supporting failover on the client
* clients periodically pull and sync auth servers that are available in the cluster
* teleport stores the information about cluster state locally and reuses it on restart
This commit introduces heartbeats of AuthServers and Proxies and fixes several issues:
1. Server init problem
There was an issue in server init, when certificates of multiple roles were overwriting each otther.
Now Teleport stores each keypair and certificate in a separate file <hostid>.role.key and <hostid>.role.cert
This also means that it's backwards incompatible with previous on disk format.
2. Proxy and Auth heartbeats
Auth servers and proxies now heartbeat into cluster as well
3. Bugfixes:
* Proxy role was missing, it is now treated as a separate role with permissions
* AdvertiseIP is now a global setting that can be used by all roles
* --advertise-ip flag was ignored and was never applied
* teleport service initialization has been simplified, now each role get it's own client
* minor cleanups
fixes#184 again
Purpose of the change:
`TeleportProcess.loginIntoAuthService()` did not _properly_ login into
the auth service before (it just validated an identity). Turns out, to
actually "log in" one has to call at least one Auth API method
successfully.
I've added a call to API.GetLocalDomain() and count a successful login
only if that function succeeds.
Ok this commit is rather large for a seemingly "simple" problem. In
reality, the problem isn't simple.
Changes:
1. I refactored lib/service/service.go : I created a new structure called
TeleportProcess. It wraps the configuration and various callbacks together.
It made the code in that file MUCH easier to follow because functions
do not require 5+ parameters anymore.
2. Created loginToAuthService() method which is now used in two places:
1. On start-up
2. Immediately after registration.
This way both actions can be combined in the same loop, so if
_either_ one succeeds, the daemon successfuly starts.
3. Added support for multiple auth servers. Everywhere in our code we
always go for conf.AuthServers[0].Addr. So at least in this code
there's a proper loop.
4. Added a nicer logging around "failed to join the cluster", where I
suggest to try --token flag when it's missing.
5. Fixed tests broken by other commits (unrelated to this)
Fixes#210
The problem was:
- Self-signed cert was also used as CA cert.
- This means a browser would add it to its list of CA certs.
- Then I'd delete /var/lib/teleport/*
- And a new CA would be created for the same name, confusing the browser
To fix:
- Certificate isn't marked as CA
- Org name is set to "Acme Co" instead of "Teleport"
Fixes#206
The idea:
- When creating client's TLS configuration, supply self-signed server
cert from /var/lib/teleport/.cert
This way if a user is connecting to a proxy running on localhost, he
doesn't need to specify --insecure flag.
1. `--name` setting is passed through into AuthServer as "AuthServiceName".
This will be used in UIs when there are multiple clusters, and also
in places like Google Authenticator
2. `tctl nodes ls` now lists both host name and host UUID
3. Changed `--name` setting to `--nodename` to be consistent with the
config file.
Closes#194
`web.SSHAgentLogin(proxyAddr string)` expects proxyAddr string to be a
URL, while everywhere else we address servers by host:port pair.
Because of that, `--proxy=host` sytax was broken.
Three changes:
- Sample configuration is no longer a dump of a string constant. It's
generated using the same data structure used for configuration
parsing. This guarantees that 'teleport configure' will always dump a
valid sample config file.
- Added a unit test which validates sample configuration and verifies
its correctness
- MakeSampleConfig() does not return an error anymore. It will
default to 'localhost' with error logged instead of failing. It
makes no sense to fail when generating an example. Also this makes
code cleaner.
This commit includes refactoring and cleanup of cert authority sybsystem:
* User keys methods are deleted
* Authorities CRUD is simplified
* Lots of code removed
Instead of providing a token per auth server, it's now one global token
for all.
Also added a check for unknown config values to the config file parsing
code.
Summary:
Sasha proposed to use the certificate principal instead of the host name
when establishing new SSH connections.
What I did:
Replaced `ReadKeys()` function in `auth/init.go` with `ReadIdentity()`
which, instead of a simple "key signer" returns a more comprehensive
structure called "Identity"
The structure has the `Cert` field which can be used to obtain "valid
principals".
The first principal is used as an SSH username, instead of the hostname
like before.
