Source IP address restrictions

[programmerq]

What

Teleport should have the ability to take ip address information into account.

A user, role, or individual user certificate could have ip address information associated with it.

This could mean that for a given login attempt, the source ip must align with the ip address whitelist or blacklist rules associated with the user and the roles that user has. The resulting identity certificate would include the source ip that did the login.

Additionally, the user may want to restrict the ip addresses that a given teleport certificate is allowed to be used from for a specific session. For example, something like tsh login --user foo --proxy teleport.example.com --ip-whitelist=10.0.12.0/24,192.168.1.14. So if that certificate is used with a source ip of anything but a matching ip block, teleport would deny it. A shortcut to pin a certificate to the same source ip would also be handy.

How

• Users and roles would need their yaml to be extended to include ip address whitelist/blacklist options.
• The certificate signing processes via tsh and tctl would need to be updated to be able to handle source ip information on a cert. tctl would need the ability to manually specify source ip information, if desired.
• certificates with source ip information can also specify that the source ip should be enforced by teleport to be the same.
• Teleport should log attempts to authenticate with a certificate that doesn't match the specified source ip information.

Why

This will help limit blast radius if tsh credentials or other teleport certificates are copied to another system.

Workaround

There is not a clean workaround. In theory, you could lock down access to the entire teleport service with a firewall rule, but not per user/host/cert.

[zmb3]

Partially addressed by #12345

[reedloden]

Partially addressed by #12345

https://github.com/gravitational/teleport/pull/13243 replaced this.

[pschisa]

similar to https://github.com/gravitational/teleport/issues/5971