Commit graph

776 commits

Author SHA1 Message Date
Roman Tkachenko d87ee8f640
Fix mongo access with mfa and add tests (#8799) 2021-11-02 12:06:58 -07:00
Marek Smoliński 59633e4747
Align SNI routing logic (#8689) 2021-10-22 17:04:36 +02:00
Marek Smoliński 32d48745d7
Align the user message printed during the 'tsh proxy db' command (#8681) 2021-10-22 13:10:43 +02:00
Marek Smoliński 17a5cadabb
Add Proxy listener mode and proxy v2 configuration (#8511) 2021-10-21 14:45:47 +02:00
Marek Smoliński 7606d330e9
AWS CLI access (#8151) 2021-10-19 10:43:53 +02:00
Zac Bergquist 44045e20ae tctl: allow comma-separated --windows-logins
In order to be consistent with other CLI flags, we support both
--windows-logins=foo,bar as a shortcut for specifying multiple
values.
2021-10-14 11:09:25 -04:00
Zac Bergquist 85541510fe
Support traits for Windows Logins (#8585)
- Add --windows-logins flag to tctl users add command
- Support {{internal.windows_logins}} and external traits from IDP

This allows one to define a role allowing desktop access without
hard coding all allowed/denied Windows logins.

Updates #7761
Fixes #8578
2021-10-13 08:39:31 -07:00
Roman Tkachenko 36998cf566
Add CockroachDB support (#8505) 2021-10-12 14:30:59 -07:00
Zac Bergquist 01ced111f4
Add RBAC for Windows desktop access (#8520)
* Add RBAC for Windows desktop access

This commit adds RBAC checks for Windows Desktops as described in
RFD 33 and RFD 34:

- add Windows desktop logins & labels to role definition
- introduce new file config for host labels based on a regexp match
- auth server API performs access checking for Windows desktop resources
- add RDP client callback to authorize the user
- support user/role locks
- respect the client idle timeout setting

Note: in cases where a connection is terminated due to RBAC, the web UI
currently displays "websocket connection failed" because the connection
is closed from the server. We'll need to follow up with a nice error
message for the client side to improve the UX here.

Other changes:

* Remove OSS RBAC migration marked for deletion
* Stop creating a default admin role
* add wildcard desktop access to the preset access role

Updates #7761
2021-10-12 14:52:59 -06:00
Nic Klaassen 2d10515f19
Implement Simplified Node Joining (#8250) 2021-10-08 10:41:28 -07:00
Marek Smoliński 56c536e61f
ALPN DB Proxy fix insecure flag (#8440) 2021-10-08 14:38:51 +02:00
Andrew Lytvynov f2862537a2
Publish Teleport CA to NTAuth store over LDAP (#8438)
* Publish Teleport CA to NTAuth store over LDAP

Also, refactor the LDAP client.
Also also, implement more missing scard ioctls.

* Address review comments
2021-10-07 10:28:52 -07:00
Brian Joerger c6f0a8a2fe
Kube Proxy Forwarder handles kube services with same name (#8362)
Update Proxy kube forwarder to attempt to dial through all available
endpoints in a random order.
2021-10-06 16:01:08 -07:00
Marek Smoliński 700f9f71e5
Add support for MFA for DB access (#8270) 2021-10-06 13:59:35 -07:00
Alan Parra 16a5c336ef
Adjust tsh language in regards to Webauthn (#8451)
This is a collection of a few small changes related to user presentation of
WebAuthn/MFA in tsh. The intent is to make tsh language match ongoing Web UI
changes.

* Make use of preferred MFA in `tsh mfa add`
* Tweak prompt error message

    Old:
    ERROR: "U2F\n" is not a valid option, please specify one of [TOTP, WEBAUTHN]

    New:
    ERROR: "U2F" is not a valid option, please specify one of [TOTP, WEBAUTHN]

* Directly mention WebAuthn when prompting for challenges
* Fix typo on godoc
* Print devices sorted by name on `tsh mfa ls`
* Address origin validation TODOs

    For registration and a few other use cases the original error is relayed
    back to the client, so there is already a good indicator that it failed
    due to origin woes.

    For login we purposefully obfuscate errors. To address that I've added a
    few debug-level server-side log statements; it seems best to not make
    further changes in this case.

* Amend preferred device type logic
* Adjust PromptMFAChallenge message
2021-10-06 10:54:50 -07:00
Roman Tkachenko 288c5519ce
Accept multiple SANs in tctl auth sign for databases (#8449) 2021-10-05 16:00:28 -07:00
Brian Joerger 2c8342c9de
Remove RoleConditions type alias from lib/services. (#8441) 2021-10-05 14:04:18 -07:00
Andrew Lytvynov 813dff20c1
PIV authentication for RDP (#8408)
* PIV authentication for RDP

This uncomfortably large change fully implements smartcard PIV
authentication for RDP clients using the Teleport CA:
- PIV applet implementation in emulated RDP smartcard
- generating Windows-compatible certificates using Teleport CA with a
  dedicated RPC
- generating dummy CRLs for Teleport CA and publishing it via LDAP

The CRLs are required by Windows for any smartcard login certificate; we
can't avoid that. But we can avoid making it public: the CRL can live in
ActiveDirectory instead of a public endpoint of a Teleport service.
Here, we use LDAP to publish the CRL on startup, valid for a year.

There are a few unhandled cases in the current implementation:
- LDAP server certificate is not validated when upgrading to TLS
- multiple active CAs (with HSMs) are not supported, only one CRL is
  published
- CA rotation is not supported, CRL is not re-published on rotation

All of the above issues will be handled in future PRs as this one is
already too large.

* Address review feedback

* Fix linter errors
2021-10-01 15:01:17 -07:00
Roman Tkachenko 9959ea381f
Auto-configure IAM for RDS databases (#8339) 2021-10-01 11:06:17 -07:00
rosstimothy fb0ab2b9b7
Watcher System Metrics (#8338)
* add event watcher prometheus metrics and a new tctl top tab to visualize them
2021-09-28 12:16:03 -04:00
Marek Smoliński e8f9220fe7
Fix ALPN SNI Proxy TLS termination for DB connections (#8303) 2021-09-24 09:42:13 +02:00
Alan Parra 5574cc52c4
Add the DeviceType proto to Auth Service (#8336)
Replaces the local device type in AddMFADeviceRequestInit for a global enum.
Useful for future RPCs.

* Add the DeviceType proto to Auth Service
* Generate protos
* Use new DeviceType in implementations
2021-09-22 15:36:33 -03:00
Alan Parra c8e9ce2deb
Add Webauthn devices via tsh mfa add (#8310)
Introduce client-side registration for Webauthn and ensure `tsh mfa` commands
are compatible.

* Implement client-side Webauthn registration
* Add Webauthn devices via `tsh mfa add`
* Add Webauthn devices to ValidateMFADevice
* Add a brief explanation about CheckAuthenticate's usage
* Use constants for CLI device types
2021-09-20 18:37:20 -03:00
Roman Tkachenko 6502a12f1f
Add API and CLI for managing application resources (#8185) 2021-09-20 08:44:13 -07:00
Roman Tkachenko e1c3f80aa0
Fixes for cert checker and Postgres config builder (#8251) 2021-09-17 13:28:40 -07:00
Tim Buckley 01acea141a
Add support for tsh ssh on Windows (#7790)
* Add support for `tsh ssh` on Windows

This adds Windows session support to tsh, taking advantage of ANSI
terminal support and VT emulation added in recent versions of Windows
10. On supported Windows versions (Windows 10 1607+), `tsh ssh`
should work as expected in `cmd.exe`, PowerShell, and the new
Windows Terminal app.

* Address a few review comments

* Remove significant chunks of unnecessary tncon code.

Removes the global buffer, `GetVTSeqFromKeyStroke`, and several
ancillary headers and functions that aren't needed for our (current)
use-case. Also removes mouse and focus events.

* Refactor OS-specific terminal handling

This significantly simplifies OS-specific terminal behavior:
 * Move OS specific terminal code into a new `terminal` package
 * Remove `session_windows.go` in favor of an OS-independent
   `session.go`, defer to terminal package for OS specific
   functionality.
 * Remove ConPTY since it's not needed.
 * Always wait for the terminal and ssh session to fully close before
   quitting.
 * Refactor tncon; ensure the raw reader can be closed and reopened,
   remove lots of unnecessary C code.

* Revert dependency changes

* Use WindowsOS constant.

* Fix `tsh play` on Windows

This fixes `tsh play` on Windows by using the new `terminal` module to
initialize the terminal for raw input in a cross-platform way.

Additionally, this simplifies `terminal.New()` since in practice we never
want interactive mode at init time, and fixes a broken unit test.

* Use correct log library

* Fix `tsh play` player controls on Windows

This fixes the console player controls on Windows as well as the timestamp
writer.

* Clean up lints

* Add missing license header

* Fix broken unit test

* Fix cross-compile builds on Linux/Docker

We need windows.h, which is not capitalized in the mingw packages
(and is case insensitive on Windows).

* Address code review feedback

 - Rename `Terminal.InitInteractive` to `Terminal.InitRaw`
 - Ensure goroutines terminate on close
 - Fix outdated godoc comments
 - Ensure Terminal event subscribers are cleared (and their channels
   are closed)
 - Ensure terminal output mode is reset on error in initTerminal
 - Bubble up errors in Terminal.Close()
 - Add author notice to tncon.c re: our changes
 - Add go-ansiterm as a direct dependency
 - Run `make update-vendor`

* Add constants and a small player.go TODO.

* Clear linter warning
2021-09-16 15:53:08 -06:00
Zac Bergquist 839cdcfa97
Convert GenerateServerKeys to GRPC (#8193)
This commit contains 2 changes:

1. Rename GenerateServerKeys to GenerateHostCerts.
   This is a more accurate name and consistent with the existing
   GenerateUserCerts endpoint.
2. Change the request type to include a single role, rather than a
   list of roles. We only ever allowed a single role in the list
   anyway, so this change will prevent future misuse of the API.

Note: a side effect of this change is we now have two similar endpoints:
- GenerateHostCert: old API that generates SSH cert only
- GenerateHostCerts: a newer API that generates SSH and TLS certs

To avoid making this change too big, we'll aim to deprecate
GenerateHostCert in the future.
2021-09-13 14:37:28 -07:00
Marek Smoliński c142b656c8
ALPN SNI Proxy (#7524) 2021-09-13 11:54:49 +02:00
Steven Martin 079c678ac5
Expand error message on tctl enterprise usage (#8093) 2021-09-09 19:51:58 -07:00
Roman Tkachenko 4ea2ecdcfc
Introduce app server and app resources (#8140) 2021-09-09 14:19:02 -07:00
Zac Bergquist 8a15c9a3a6
Require that public TLS and SSH keys are provided to register via token (#8135)
* Require that public TLS and SSH keys are provided to register via token

The original behavior attempted to make providing public keys optional,
and would generate keys if they were not provided. This had several
problems:

- The auth server is generating private keys for nodes and is
  potentially able to share them over the network.
- The return value for keys.Key would sometimes be set and sometimes
  be empty (the key is only set if the auth server generated it and
  knows what the key is)
- We only ever relied on this behavior as a shortcut in test code.
  In the production code this behavior was never used (and actually
  never worked due to a bug that would overwrite and discard the
  generated private key)

This commit requires that public keys are always provided, ensuring
that the private key is generated locally and never known by the
auth server.

It also results in a cleaner error message when either or both of the
public keys are missing from the request.

* Address review comments

* Fix tests that relied on certs being generated
2021-09-08 10:17:37 -07:00
Tim Buckley 6f56aa5c4f
Generate Windows-compatible OpenSSH config in tsh config (#7848)
* Generate Windows-compatible OpenSSH config in `tsh config`

This tweaks `tsh config` to generate OpenSSH config blocks compatible
with Windows. It works around several issues:
 * Hosts must be translated from a full hostname (e.g.
   `node.foo.example.com`) to a Teleport node name (`node`). On Unix
   clients we can use a bash subshell snippet to extract the cluster
   domain but this isn't possible on Windows. Instead, this adds a
   hidden tsh subcommand (`tsh config-proxy`) to act as a
   `ProxyCommand` that manipulates the strings as necessary.
 * Windows does not have an ssh-agent enabled by default. This
   configures `IdentityFile` and `CertificateFile` so no ssh-agent
   is needed. This should also improve the experience for users
   without a compatible ssh-agent (e.g. GNOME).
 * Windows requires a full executable path in `ProxyCommand`
   directives.

* Remove unnecessary conversion

* Use /usr/bin/ssh explicitly in `tsh config` template for Unix

* Remove special case for leaf clusters; always require a SiteName

* Apply suggestions from code review

Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>

* Pass through remote login name

This should improve compatibility with OIDC and other users with
federated Teleport usernames. The teleport proxy should always accept
a remote username for which the user's certificate is valid.

* Use `exec.LookPath` to resolve the ssh path

This prefers whichever `ssh` exists on the PATH for all OSes. After some
testing, Git for Windows SSH works just as well as Microsoft's, so we don't
need to overspecify things.

Also, quotes the tsh.exe path in generated config. Git for Windows' ssh
didn't autoescape the Windows paths.

Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
2021-09-02 15:47:43 -06:00
Andrej Tokarčík 138f8f8650
Fix session URL displayed by teleport status (#8072) 2021-09-02 10:01:14 -07:00
Roman Tkachenko 3410bc8594
Dynamically register/unregister database resources (#7957) 2021-09-01 15:27:02 -07:00
Brian Joerger a95b3ae066
Add kube-cluster env for tsh (#7867) 2021-08-30 14:28:24 -07:00
Alan Parra dba49bfad6
Lint and fix missing license headers (#8075)
Introduce new make targets to check and add license headers to files
("make lint-license" and "make fix-license"). License checking is now a part of
"make lint" as well.

Initial attempts used goheader, but it caused "make lint-go" to become about 9x
slower (if not more), plus it only targets go files. Google's addlicense is fast
enough and targets however many file types we want.

Existing files that were missing licenses got the header added, using the
current year as the license date.

* Introduce lint-license and fix-license make targets
* Ignore generated files
* Add license to go files
* Replace irregular licenses with standard copyright/license
* Add license to proto files
* Install addlicense in build.assets Dockerfile
2021-08-30 09:44:09 -07:00
Rui Li 89440dcfcf
Datalog based access tester (#7543)
Created an access tester for troubleshooting access related issues with Teleport RBAC system. This access tester allows admins to answer questions like:

Can user alice SSH into a node node-1 as root?
If not, which role(-s) prevents access?
Which roles allow access to production as login admin?
2021-08-25 14:39:59 -04:00
Brian Joerger 2d7bfe311c
Add support for a profile specific kubeconfig file. (#7840) 2021-08-24 10:28:26 -07:00
Nic Klaassen c48ee9f062
Add support for HSM CA rotation (#7862) 2021-08-18 21:21:43 -07:00
Nic Klaassen c9fda499de
Add support for multiple CA pins (#7905) 2021-08-18 20:13:20 -07:00
Brian Joerger 928aaf2f91
Add support for nowait on requests. (#7895) 2021-08-18 17:01:05 -07:00
Andrew Lytvynov ab062428b1 Windows desktop service boilerplate
Boilerplate for a new service and API objects:
- windows_desktop_service config section
- service registration and heartbeats
- static host registration and heartbeats
- caching, permissions, etc
- "tctl get" support

For new connections the service aborts after authentication, since the
RDP client implementation is not ready yet (pending in
https://github.com/gravitational/teleport/pull/7824).

Tested that the service starts, registers (both over a tunnel and
directly) and creates the API objects.
2021-08-18 18:44:41 +00:00
Andrej Tokarčík 2e419119f8
Introduce tctl lock command (#7809) 2021-08-13 06:24:46 -07:00
Brian Joerger 25c9c982db
API client tunnel address discovery fix (#7533) 2021-08-11 14:34:50 -07:00
Lisa Kim 09ba1ebbcf
Rename ResetPasswordToken to UserToken for general use (#7681) 2021-08-10 13:41:12 -07:00
Andrej Tokarčík 7d9067da24
Replicate locks to remote clusters (#7737) 2021-08-09 11:59:10 -07:00
Roman Tkachenko 25aeeae3ac
Adding database resource API and tctl commands (#7792) 2021-08-09 07:14:39 -07:00
Roman Tkachenko 629042ed30
Decouple database server from database (#7771) 2021-08-05 01:50:21 -07:00
Marek Smoliński b4006bcfc9
Fix tctl db resource UT (#7760) 2021-08-02 23:34:34 -07:00
Brian Joerger 9b8b9d6d0c
rollback - Upgrade api version. (#7751) 2021-07-30 15:34:19 -07:00