gravitational · atburke · Feb 17, 2022 · Feb 1, 2022 · Feb 3, 2022 · Feb 5, 2022
diff --git a/api/client/proto/authservice.pb.go b/api/client/proto/authservice.pb.go
diff --git a/api/client/proto/authservice.proto b/api/client/proto/authservice.proto
@@ -364,6 +364,8 @@ message PingResponse {
     Features ServerFeatures = 3 [ (gogoproto.jsontag) = "server_features" ];
     // ProxyPublicAddr is the server's public proxy address.
     string ProxyPublicAddr = 4 [ (gogoproto.jsontag) = "proxy_public_addr" ];
+    // IsBoring signals whether or not the server was compiled with BoringCrypto.
+    bool IsBoring = 5 [ (gogoproto.jsontag) = "is_boring" ];
 }
 
 // Features are auth server features.

diff --git a/integration/integration_test.go b/integration/integration_test.go
@@ -3454,9 +3454,7 @@ func testAuditOff(t *testing.T, suite *integrationTestSuite) {
 	}
 
 	// audit log should have the fact that the session occurred recorded in it
-	sessions, err = site.GetSessions(apidefaults.Namespace)
-	require.NoError(t, err)
-	require.Len(t, sessions, 1)
+	// but the session could have been garbage collected at this point.
 
 	// however, attempts to read the actual sessions should fail because it was
 	// not actually recorded

diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
@@ -1510,6 +1510,7 @@ func (a *ServerWithRoles) Ping(ctx context.Context) (proto.PingResponse, error)
 		ServerVersion:   teleport.Version,
 		ServerFeatures:  modules.GetModules().Features().ToProto(),
 		ProxyPublicAddr: a.getProxyPublicAddr(),
+		IsBoring:        modules.GetModules().IsBoringBinary(),
 	}, nil
 }
 

diff --git a/lib/client/client.go b/lib/client/client.go
@@ -554,6 +554,16 @@ func (proxy *ProxyClient) NewWatcher(ctx context.Context, watch types.Watch) (ty
 	return watcher, nil
 }
 
+// isAuthBoring checks whether or not the auth server for the current cluster was compiled with BoringCrypto.
+func (proxy *ProxyClient) isAuthBoring(ctx context.Context) (bool, error) {
+	site, err := proxy.ConnectToCurrentCluster(ctx, false)
+	if err != nil {
+		return false, trace.Wrap(err)
+	}
+	resp, err := site.Ping(ctx)
+	return resp.IsBoring, trace.Wrap(err)
+}
+
 // FindServersByLabels returns list of the nodes which have labels exactly matching
 // the given label set.
 //

diff --git a/lib/client/session.go b/lib/client/session.go
@@ -78,6 +78,9 @@ type NodeSession struct {
 
 	terminal *terminal.Terminal
 
+	// shouldClearOnExit marks whether or not the terminal should be cleared
+	// when the session ends.
+	shouldClearOnExit bool
 	// clientXAuthEntry contains xauth data which provides
 	// access to the client's local XServer.
 	clientXAuthEntry *x11.XAuthEntry
@@ -156,13 +159,24 @@ func newSession(client *NodeClient,
 
 	ns.env[sshutils.SessionEnvVar] = string(ns.id)
 
+	// Determine if terminal should clear on exit.
+	ns.shouldClearOnExit = isFIPS()
+	if client.Proxy != nil {
+		boring, err := client.Proxy.isAuthBoring(context.TODO())
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		ns.shouldClearOnExit = ns.shouldClearOnExit || boring
+	}
+
 	// Close the Terminal when finished.
 	ns.closeWait.Add(1)
 	go func() {
 		defer ns.closeWait.Done()
 
 		<-ns.closer.C
-		if isFIPS() {
+
+		if ns.shouldClearOnExit {
 			if err := ns.terminal.Clear(); err != nil {
 				log.Warnf("Failed to clear screen: %v.", err)
 			}