gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

OpenSSH Compatibility with Teleport #10239

Open gwellington opened 2 years ago

gwellington commented 2 years ago

Description

What happened: When using OpenSSH (OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021), SSH fails to proxy via the Teleport proxy server with the following error:

UpdateHostkeys is disabled because the host key is not trusted.
gwellington@teleport.proxy.com: Permission denied (publickey).

When using an older, non-OpenSSL version of SSH (OpenSSH_8.1p1, LibreSSL 2.7.3), everything connects fine.

What you expected to happen: Teleport to support multiple versions of OpenSSH.

Reproduction Steps

  1. brew install openssh
  2. ssh -o "ProxyCommand ssh -o StrictHostKeyChecking=no -p 3023 teleport.proxy.com -s proxy:%h:%p" -i ssh-key user@address
  3. Receive error

Debug Logs

 gwellington  ~  ssh -vvv -o "ProxyCommand ssh -o StrictHostKeyChecking=no -p 3023 teleport.proxy.com -s proxy:%h:%p" -i ~/Downloads/key user@address
OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021
debug1: Reading configuration data /Users/gwellington/.ssh/config
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 0.0.0.0 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/gwellington/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/gwellington/.ssh/known_hosts2'
debug1: Executing proxy command: exec ssh -o StrictHostKeyChecking=no -p 3023 teleport.proxy.com -s proxy:1.1.1.1:22
debug1: identity file /Users/gwellington/Downloads/key type 0
debug1: identity file /Users/gwellington/Downloads/key type -1
debug1: Local version string SSH-2.0-OpenSSH_8.8
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:merp.
Please contact your system administrator.
Add correct host key in /Users/gwellington/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/gwellington/.ssh/known_hosts:2
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
UpdateHostkeys is disabled because the host key is not trusted.
gwellington@teleport.proxy.com: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

marcoandredinis commented 2 years ago

There's a workaround for this: we can add the flag -oPubkeyAcceptedAlgorithms=+ssh-rsa-cert-v01@openssh.com either to the ssh command or to its config, as described here: https://github.com/gravitational/teleport/issues/10918
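
The workaround above re-enables RSA/SHA-1 ("ssh-rsa") for certificates, which OpenSSH 8.8 disabled by default. Whether a given Teleport-issued user certificate still depends on that algorithm is visible in the certificate itself: the signature field at the end of an ssh-rsa-cert-v01@openssh.com blob names the algorithm the CA signed with ("ssh-rsa" versus "rsa-sha2-256"/"rsa-sha2-512"). The Python below is an added example, not code from the Teleport project or from this thread: it encodes a certificate in the OpenSSH wire format with a placeholder (unverified) signature, parses it back, and reports whether an OpenSSH client of a given "ssh -V" banner enables that signature algorithm by default. The key id, principals and key material are made up, and the version rule is taken from the OpenSSH 8.8 release notes.

```python
"""Inspect the CA signature algorithm inside an OpenSSH RSA certificate.

Added example, not Teleport code. The certificate built here carries a
filler signature, so nothing is cryptographically verified.
"""
import base64
import re
import struct

CERT_TYPE = b"ssh-rsa-cert-v01@openssh.com"
RSA_SIG_ALGS = ("ssh-rsa", "rsa-sha2-256", "rsa-sha2-512")


# RFC 4251 wire-format encoders
def _u32(n):
    return struct.pack(">I", n)


def _u64(n):
    return struct.pack(">Q", n)


def _string(b):
    return _u32(len(b)) + b


def _mpint(n):
    # positive mpint: big-endian bytes, leading 0x00 when the high bit is set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_cert(sig_alg, key_id=b"gwellington", principals=(b"gwellington", b"root")):
    """Build an ssh-rsa-cert-v01@openssh.com blob whose signature names sig_alg.

    sig_alg is b"ssh-rsa" (RSA/SHA-1) or b"rsa-sha2-256" / b"rsa-sha2-512".
    Key material is a toy value (not a real RSA modulus); the signature is filler.
    """
    e, n = 65537, (1 << 2047) | 0xC0FFEE
    ca_pub = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    body = (
        _string(CERT_TYPE)
        + _string(b"\x00" * 32)                                 # nonce
        + _mpint(e) + _mpint(n)                                  # user public key
        + _u64(1)                                                # serial
        + _u32(1)                                                # 1 = user cert, 2 = host cert
        + _string(key_id)
        + _string(b"".join(_string(p) for p in principals))      # valid principals
        + _u64(0) + _u64(2**64 - 1)                              # valid after / before
        + _string(b"") + _string(b"") + _string(b"")             # critical opts, extensions, reserved
        + _string(ca_pub)                                        # signature key (the CA)
    )
    signature = _string(sig_alg) + _string(b"\x00" * 256)        # placeholder sig blob
    return body + _string(signature)


class _Reader:
    def __init__(self, data):
        self.data, self.off = data, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.off)
        self.off += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.data, self.off)
        self.off += 8
        return v

    def string(self):
        n = self.u32()
        v = self.data[self.off:self.off + n]
        if len(v) != n:
            raise ValueError("truncated certificate")
        self.off += n
        return v


def parse_cert(blob):
    """Return the certificate fields that matter here, including the CA's signature algorithm."""
    r = _Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    r.string(); r.string(); r.string()          # nonce, user key e, user key n
    serial, cert_type = r.u64(), r.u32()
    key_id = r.string().decode()
    p = _Reader(r.string())
    principals = []
    while p.off < len(p.data):
        principals.append(p.string().decode())
    r.u64(); r.u64()                            # validity window
    r.string(); r.string(); r.string()          # critical options, extensions, reserved
    ca_type = _Reader(r.string()).string().decode()
    sig_alg = _Reader(r.string()).string().decode()
    return {"serial": serial, "cert_type": cert_type, "key_id": key_id,
            "principals": principals, "ca_type": ca_type, "sig_alg": sig_alg}


def parse_cert_line(line):
    """Parse a '<type> <base64> [comment]' line as stored in an id_rsa-cert.pub file."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE.decode():
        raise ValueError("expected an ssh-rsa-cert-v01@openssh.com line")
    return parse_cert(base64.b64decode(parts[1]))


def rsa_sig_accepted_by_default(sig_alg, ssh_version_banner):
    """Whether an OpenSSH client with this 'ssh -V' banner enables sig_alg by default.

    OpenSSH 8.8 disabled RSA/SHA-1 ("ssh-rsa") signatures by default;
    rsa-sha2-256 and rsa-sha2-512 stay enabled.
    """
    if sig_alg not in RSA_SIG_ALGS:
        raise ValueError("not an RSA signature algorithm: " + sig_alg)
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", ssh_version_banner)
    if not m:
        raise ValueError("unrecognised OpenSSH version banner")
    version = (int(m.group(1)), int(m.group(2)))
    return version < (8, 8) if sig_alg == "ssh-rsa" else True


if __name__ == "__main__":
    banners = ("OpenSSH_8.1p1, LibreSSL 2.7.3", "OpenSSH_8.8p1, OpenSSL 1.1.1m  14 Dec 2021")
    for alg in (b"ssh-rsa", b"rsa-sha2-512"):
        line = CERT_TYPE.decode() + " " + base64.b64encode(build_cert(alg)).decode()
        info = parse_cert_line(line)
        for banner in banners:
            ok = rsa_sig_accepted_by_default(info["sig_alg"], banner)
            print(f"{info['key_id']} cert signed with {info['sig_alg']}: "
                  f"{banner.split(',')[0]} default config accepts it: {ok}")
```

On a real certificate, `ssh-keygen -L -f ~/.tsh/keys/<proxy>/<user>-cert.pub` (path assumed) prints the same "Signing CA ... (using ...)" information without any code. If the signature algorithm is ssh-rsa, an OpenSSH 8.8+ client needs the thread's `PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com` setting in the matching `Host` block; note that this re-enables SHA-1 signatures only for that host, and that the `StrictHostKeyChecking=no` in the reporter's ProxyCommand is separate from (and does not fix) the publickey failure, as the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning in the debug log shows.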

zmb3 commented 1 year ago

@jakule is this still an issue?

jakule commented 1 year ago

> @jakule is this still an issue?

I'll retest on Tuesday and let you know.

zmb3 commented 1 year ago

Tested today and appears to still be an issue.

jakule commented 1 year ago

CC @r0mant

jakule commented 1 year ago

@zmb3 Can you share more details about the environment you were testing "today"?

fghamsary commented 1 year ago

Compatibility with the newer type of certificates should be implemented if it has not been done yet, and if it has been done, please point out clearly in the documentation how we can change the server or client configuration to use the newer version of certificates and not the obsolete RSA-CERT.