gravitational / docs

Source code backing goteleport.com/docs
https://goteleport.com/docs
Apache License 2.0
11 stars 13 forks source link

Document the potential security issue that a certificate issued for root cluster can be used to connect to leaf #379

Closed lsgunn-teleport closed 1 year ago

lsgunn-teleport commented 1 year ago

Certificate issued for root cluster can be used to connect to leaf

Short description Certificate issued for root cluster can be used to connect directly to leaf effectively allowing to bypass possible cluster_labels authz restictions.

Current behavior Have a root (root.gravitational.io in my case) and a leaf (leaf.gravitational.io) clusters. Assign labels to the leaf cluster e.g. tctl update rc/leaf --set-labels=env=prod. Keep cluster_labels in your root user role empty. Log into root cluster and make sure you can't see leaf and and tsh login leaf correctly fails: ➜ e git:(7638f9c) tsh clusters Cluster Name Status Cluster Type Selected


root online root *

➜ e git:(7638f9c) tsh login leaf ERROR: remote cluster "leaf" not found Have the following SSH config that connects directly to leaf proxy and uses proxy subsystem: ➜ e git:(7638f9c) cat ~/.ssh/jump Host *.leaf.gravitational.io HostName %h Port 4022 StrictHostKeyChecking no ProxyCommand ssh -p 4023 %r@leaf.gravitational.io -s proxy:%h:%p@leaf Try connecting with ssh and it will succeed: ➜ e git:(7638f9c) ssh -F ~/.ssh/jump root@mbp.leaf.gravitational.io Romans-MacBook-Pro:~ root# We were able to connect to the leaf cluster node using the certificate issued for root effectively bypassing cluster_labels RBAC. Note that leaf's role mapping is still respected which is at least some silver lining.

Expected behavior I think a cluster should reject the certificate that was not issued specifically for it (i.e. with tsh login )?

Preliminary investigation It looks like RouteToCluster certificate property is not checked in authhandlers.go so the cluster does not verify that the client is connecting with certificate issued for this specific cluster. The certificate itself is accepted because it is signed by root's CA which the leaf trusts.

We may need to add something like this in the canLoginWithRBAC method:

routeToCluster, ok := cert.Extensions[teleport.CertExtensionTeleportRouteToCluster] if !ok || routeToCluster != clusterName { return trace.AccessDenied("certificate was issued for cluster %q", routeToCluster) }

lsgunn-teleport commented 1 year ago

Hyper-focused PR about this issue https://github.com/gravitational/teleport/pull/31258