use configured algorithms for dynamic SSH host certs

[nklaassen]

This PR updates the SSH host keys/certs generated in lib/reversetunnel/cache.go to use the new configurable key algorithms described in RFD 136.

To support this change, we need to stop writing a static list of supported HostKeyAlgorithms that excludes Ed25519 and ECDSA host certs into our generated OpenSSH config files. The defaults in recent OpenSSH versions are pretty good - we were actually making them unsafe by always including [email protected].

We have been specifically including HostKeyAlgorithms [email protected] because OpenSSH disabled it by default before Go added server-side support for the newer SHA-2 based hashes. It seems safe to remove the entire HostKeyAlgorithms line in tsh v17:

• with tsh v17 the oldest proxy you should be dialing is also v17, which definitely supports the new RSA SHA-2 algorithms
• All OpenSSH clients should be able to dial to a Teleport proxy without any HostKeyAlgorithms line:
  • newer OpenSSH clients can use a newer algorithm (RSA with SHA-2, or Ed25519, or ECDSA)
  • older OpenSSH clients can continue to use [email protected] by default if the cluster uses the legacy algorithm suite
• very old OpenSSH clients may not be able to connect to a Teleport SSH server using a newer signature algorithm suite. These would have to be quite old, Ed25519 and ECDSA support have been around longer than RSA with SHA-2 support. Users on these ancient versions will need to update OpenSSH or use the legacy signature algorithm suite in their cluster.

changelog: Removed HostKeyAlgorithms from generated OpenSSH config files

[nklaassen]

@jakule do I need to keep the HostKeyAlgorithms line around for some third party lib? If so could I add to the defaults with + instead of overwriting them? #16912 (comment)

[nklaassen]

@strideynet confirming, am I good to delete this for 17?

[strideynet]

Yup - all good to delete :)

[jakule]

@jakule do I need to keep the HostKeyAlgorithms line around for some third party lib? If so could I add to the defaults with + instead of overwriting them? #16912 (comment)

This line was needed to make Teleport in Proxy recording more work nicely with OpenSSH 7.4 (default in CentOS 7). I'm not sure if we care about the Proxy recording mode anymore since we replace it with agentless. Since then also Go crypto added a few patches to be compatible with older buggy OpenSSH.

The bottom line is, I'm not sure. I'd be very happy to remove it, but we can still break some compatibility.

[nklaassen]

@jakule do I need to keep the HostKeyAlgorithms line around for some third party lib? If so could I add to the defaults with + instead of overwriting them? #16912 (comment)

This line was needed to make Teleport in Proxy recording more work nicely with OpenSSH 7.4 (default in CentOS 7). I'm not sure if we care about the Proxy recording mode anymore since we replace it with agentless. Since then also Go crypto added a few patches to be compatible with older buggy OpenSSH.

The bottom line is, I'm not sure. I'd be very happy to remove it, but we can still break some compatibility.

I think agentless is probably equivalent to proxy recording mode here since it's still terminating the incoming SSH connection at the proxy. But yeah with those crypto/ssh patches to support the buggy SSH clients I think it will work now without the HostKeyAlgorithms line. Hopefully people are using a recent proxy with those patches if they are using tsh v17 (and i think we enforce that now). I'll try to find some time to test this out with an openssh7.4 client to confirm

[nklaassen]

I have switched to lazily starting the RSA key precomputation where we actually generate keys for web sessions or proxy-recorded sesssions/agentless sessions. It will now only start the first time we generate an RSA key, which will be never for the newer algorithm suites and should be acceptable even when using the legacy suite. Importantly, most tests will now never start the RSA key precomputation which will be a huge win for saving CPU time.

[rosstimothy]

This specific check was added to prevent agents from precomputing keys(#14021). Do the changes made here limit lazy precomputing of keys to auth and proxy as well?

[nklaassen]

yes, because now we exclusively start the key precomputation closer to where the keys are actually needed, in newWebSession or generateHostCert, which will only be called on auth or proxy

[nklaassen]

@rosstimothy can I get an ExcludeFlake for TestTSHConfigConnectWithOpenSSHClient which is a ~16s test. It's getting slightly faster with the combination of my currently open PRs eliminating RSA but it's still slow for a few reasons:

• calling out to OpenSSH is slow (for some reason it takes a while to exit after the command completes)
• can't parallelize the subtests because they create a cluster with different session recording and networking configs, and each test needs to login and have tsh called via openssh pick up the right TELEPORT_HOME

[rosstimothy]

/excludeflake TestTSHConfigConnectWithOpenSSHClient