Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix TLS Routing jumphost flow #11282

Merged
merged 11 commits into from
Mar 28, 2022
Merged

Fix TLS Routing jumphost flow #11282

merged 11 commits into from
Mar 28, 2022

Conversation

smallinsky
Copy link
Contributor

@smallinsky smallinsky commented Mar 21, 2022
edited
Loading

Issue: #11271

What

TLS Routing broke JumpHost access in case where leaf cluster is used as JumpHost. The JumpHost address is not properly propagated to makeProxySSHClient function call and alway root cluster is used.

How

Fix JumpHost address propagation. Also added support for case where JumpHost is set to Teleport proxy web port and proxy support TLS Routing.

@smallinsky smallinsky requested a review from r0mant March 21, 2022 14:35
@smallinsky smallinsky marked this pull request as ready for review March 21, 2022 17:44
@github-actions github-actions bot requested review from jakule and timothyb89 March 21, 2022 17:44
@github-actions github-actions bot added the tsh tsh - Teleport's command line tool for logging into nodes running Teleport. label Mar 21, 2022
r0mant
r0mant approved these changes Mar 22, 2022
View reviewed changes
lib/client/api.go Outdated Show resolved Hide resolved
lib/client/api.go Outdated Show resolved Hide resolved
lib/client/api.go Outdated Show resolved Hide resolved
r0mant
r0mant reviewed Mar 22, 2022
View reviewed changes
Copy link
Collaborator

@r0mant r0mant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@smallinsky Can you also make sure it works with ssh -J before merging?

jakule
jakule approved these changes Mar 22, 2022
View reviewed changes
tool/tsh/proxy_test.go
@@ -166,6 +174,57 @@ func testLeafClusterSSHAccess(t *testing.T, s *suite) {
require.NoError(t, err)
}

func testJumpHostSSHAccess(t *testing.T, s *suite) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think converting this test cases to a test table would make this test easier to understand.

tool/tsh/proxy_test.go Outdated Show resolved Hide resolved
lib/client/api.go
// Check if JumpHost address is a proxy web address.
resp, err := webclient.Find(ctx, sshProxyAddr, tc.InsecureSkipVerify, nil)
// If JumpHost address is a proxy web port and proxy supports TLSRouting dial proxy with TLSWrapper.
if err == nil && resp.Proxy.TLSRoutingEnabled {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What if the error is returned here? Shouldn't be returned instead of "ignored"?

Copy link
Contributor Author

@smallinsky smallinsky Mar 22, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is on purpose if the call err != nil it means sshProxyAddr is not proxy web service flow should proceed with standard dialer.

@smallinsky
Copy link
Contributor Author

Tested it manually both following cases works:

  • jump host as left teleport proxy ssh port:
tsh ssh -J leaf.ice-berg.dev:33023 leafnode
  • TLS Routing enabled when leaf WebPort can be as jump host:
tsh ssh -J leaf.ice-berg.dev:33080 leafnode

@smallinsky smallinsky force-pushed the smallinsky/fix-tls-routing-jumphost branch from ef0006a to fa0e61a Compare March 25, 2022 15:40
@smallinsky smallinsky merged commit 9e1b887 into master Mar 28, 2022
@smallinsky smallinsky deleted the smallinsky/fix-tls-routing-jumphost branch March 28, 2022 10:31
smallinsky added a commit that referenced this pull request Mar 28, 2022
@smallinsky
Fix TLS Routing jumphost flow (#11282)
efd7142
smallinsky added a commit that referenced this pull request Mar 28, 2022
@smallinsky
Fix TLS Routing jumphost flow (#11282)
a8b31b8
This was referenced Mar 28, 2022
Merged
Merged
smallinsky added a commit that referenced this pull request Mar 28, 2022
@smallinsky
Fix TLS Routing jumphost flow (#11282) (#11496)
87447e7
smallinsky added a commit that referenced this pull request Mar 29, 2022
@smallinsky
Fix TLS Routing jumphost flow (#11282) (#11497)
db9dd5d
@webvictim webvictim mentioned this pull request Apr 19, 2022
Closed
@webvictim webvictim mentioned this pull request Jun 8, 2022
Closed
@Joerger Joerger mentioned this pull request Jun 16, 2022
Closed
@smallinsky smallinsky mentioned this pull request Jun 23, 2022
Merged
@alexatcanva alexatcanva mentioned this pull request Oct 13, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@r0mant r0mant r0mant approved these changes

@jakule jakule jakule approved these changes

@timothyb89 timothyb89 Awaiting requested review from timothyb89

Assignees
No one assigned
Labels
tsh tsh - Teleport's command line tool for logging into nodes running Teleport.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@smallinsky @r0mant @jakule