Teleport Connect not filtering SSH users like Web UI

[stevenGravy]

Expected behavior:

The list of users for SSH servers only include the applicable users

Current behavior:

All users can show when applying a Access Request.

Web UI

Same Access Request applied in Teleport Connect:

Bug details:

• Teleport version: 12.1.2
• Recreation steps

Create a Acess request to another role with different users.
Request and be granted that access request.
Apply within Teleport Connect.
Note that you will see both the original certificate login users and the access request applied cert logins.

Related issues:

• Web UI
  • Label-Specific Login options for multi-role users #6822
  • Add sshLogins to nodes endpoint on webapi (GET /nodes) #13266
  • Show node specific ssh logins options webapps#873
• Connect
  • https://github.com/gravitational/teleport.e/issues/871

[ravicious]

I just tried to address this while fixing pagination (#42501). It's entirely doable as it's mostly a matter of extracting calculateSSHLogins to lib/client and changing it so that it accepts localLogins []string instead of a tlsca.Identity.

However, constructing all arguments this function accepts and the dependencies of those arguments requires adding a bunch of new methods. It's like a day of work, but I just don't have the time for that at the moment.

[webvictim]

+1 for this, just noticed it again on 16.1.7. Quite disconcerting - I thought I had an error in my role until I went and checked the web UI to compare.