Predicate will no longer embed Linux principals in the certificate's login list, because the set of allowed principals cannot always be evaluated beforehand: not all of the required information is available at the time the certificate is issued. For example, node labels can change after issuance, and with them the list of principals allowed on that node.
This is not a problem for Teleport's own SSH nodes, which can evaluate the predicate against the node's current state at connection time. It is a problem for OpenSSH, which needs to see the list of principals in the certificate itself.
For OpenSSH compatibility, Teleport can terminate SSH (as it does today) and, instead of forwarding the agent, re-issue a certificate for each connection (as it already does for Kubernetes).
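The following is an added example, not Teleport's code, modelling why principals embedded at issue time go stale and what the per-connection re-issue fixes. The role shape (logins plus node_labels) only borrows Teleport's field names; the matching rules, sample roles and label values are constructed for the example. The valid-principals encoding follows the OpenSSH certificate wire format (a string containing a sequence of RFC 4251 strings), which is what sshd actually reads when deciding whether a login is permitted.

```python
import struct
from typing import Dict, List

Labels = Dict[str, str]

# Constructed sample roles. The shape (logins + node_labels) only borrows
# Teleport's field names; the matching rules below are a simplified model.
ROLES = [
    {"name": "dev", "logins": ["ubuntu"], "node_labels": {"env": "dev"}},
    {"name": "ops", "logins": ["root", "ops"], "node_labels": {"env": "prod"}},
    {"name": "everyone", "logins": ["guest"], "node_labels": {"*": "*"}},
]


def role_applies(role: dict, node: Labels) -> bool:
    """A role applies to a node when every label it requires is present
    with the same value; {"*": "*"} matches any node."""
    for key, value in role["node_labels"].items():
        if key == "*" and value == "*":
            continue
        if node.get(key) != value:
            return False
    return True


def allowed_logins(roles: List[dict], node: Labels) -> List[str]:
    """Logins the user may use on this node, given the node's CURRENT labels."""
    logins: List[str] = []
    for role in roles:
        if role_applies(role, node):
            for login in role["logins"]:
                if login not in logins:
                    logins.append(login)
    return logins


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def encode_valid_principals(principals: List[str]) -> bytes:
    """The 'valid principals' field of an OpenSSH certificate: a string whose
    payload is a sequence of strings (see OpenSSH PROTOCOL.certkeys)."""
    return ssh_string(b"".join(ssh_string(p.encode()) for p in principals))


def decode_valid_principals(field: bytes) -> List[str]:
    """Inverse of encode_valid_principals: what sshd reads from the cert."""
    (outer_len,) = struct.unpack(">I", field[:4])
    body, principals, pos = field[4:4 + outer_len], [], 0
    while pos < len(body):
        (n,) = struct.unpack(">I", body[pos:pos + 4])
        principals.append(body[pos + 4:pos + 4 + n].decode())
        pos += 4 + n
    return principals


def sshd_accepts(valid_principals_field: bytes, login: str) -> bool:
    """sshd's decision: the requested login must appear in the cert's list."""
    return login in decode_valid_principals(valid_principals_field)


def scenario() -> dict:
    """Node is relabelled dev -> prod after the user's cert was issued."""
    labels_at_issue = {"env": "dev"}   # constructed
    labels_now = {"env": "prod"}       # constructed

    # Approach 1: principals frozen into the cert at issue time (goes stale).
    embedded = encode_valid_principals(allowed_logins(ROLES, labels_at_issue))

    # Approach 2: SSH is terminated and a fresh cert is minted per connection,
    # evaluating the predicate against the node's labels right now.
    per_connection = encode_valid_principals(allowed_logins(ROLES, labels_now))

    return {
        "embedded": decode_valid_principals(embedded),
        "per_connection": decode_valid_principals(per_connection),
        "stale_cert_root": sshd_accepts(embedded, "root"),
        "stale_cert_ubuntu": sshd_accepts(embedded, "ubuntu"),
        "fresh_cert_root": sshd_accepts(per_connection, "root"),
        "fresh_cert_ubuntu": sshd_accepts(per_connection, "ubuntu"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The stale certificate still lets `ubuntu` in after the node became a prod host and would refuse `root` to a user whose roles now allow it, in both directions the wrong answer; the per-connection certificate carries exactly the principals the predicate yields at connect time, which is the only list sshd can act on.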
Target: ship this implementation by the end of Q1 2023.