`tsh proxy ssh` should use identities from `tsh ssh -A` prior to read from local files

[flybyray]

Description

 <laptop> |fw| [teleport_cluster] |adm_vlan| <jumphost{app}>
                             |
                             +--->|svc_vlan| <dbhost>

• this worked with the pre tls-routing tsh config
  • on laptop user tsh login
  • ssh -A jumphost access to special app(based on native-ssh) run in intranet behind(fw)
  • here the same pre tls-routing tsh config could be used with the identities forwarded from laptop
  • user executes app which access dbhost

this UX is not working with tls-routing enabled

• on jumphost the tsh config now uses tsh proxy ssh which tries to read identies from files on jumphost

question: is it technically possible to use the identities forwarded from laptop with tsh proxy ssh from jumphost?

What would you like Teleport to do?

Finish the tsh proxy ssh implementation to support the ssh ProxyCommand UX.

What problem does this solve?

tsh proxy ssh should provide same UX as native-ssh ProxyCommand reading ssh-agents identities and keys.

If a workaround exists, please include it.

one of the following helped:

• identities from laptop could be tsh scp'ed to the jumphost
• with v2 config explicit add the listen addresses to proxy service. the old native-ssh with forwarded agent ssh-config would work again

  version: v2
  # removed issue irrelevant config
  proxy_service:
  enabled: "yes"
  public_addr: teleport.example.com:3080
  listen_addr: 10.10.10.10:3023
  web_listen_addr: 10.10.10.10:3080
  tunnel_listen_addr: 10.10.10.10:3024
  # removed issue irrelevant config
  ...

In case this is more a bug then a feature the errors are

ssh -v -F /dev/null -p 3022 -o ProxyCommand="/usr/local/bin/tsh proxy ssh --debug -k yes --cluster=teleport.example.com --proxy=teleport.example.com %r@%h:%p" ndgit@anotherremote.example.com.teleport.example.com
...
DEBU [TSH]       Web proxy port was not set. Attempting to detect port number to use. tsh/tsh.go:3153
DEBU [TSH]       Resolving default proxy port (insecure: false) tsh/resolve_default_addr.go:110
DEBU [TSH]       Trying teleport.example.com:3080... tsh/resolve_default_addr.go:98
DEBU [TSH]       Address teleport.example.com:3080 succeeded. Selected as canonical proxy address tsh/resolve_default_addr.go:188
DEBU [TSH]       Waiting for all in-flight proxy address tests to finish tsh/resolve_default_addr.go:136
INFO [CLIENT]    No teleport login given. defaulting to user client/api.go:1428
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/tmp/teleport-1003912830/teleport-3227645.socket" client/api.go:3961
ERRO [KEYSTORE]  open /home/user/.tsh/keys/teleport.example.com/user: no such file or directory client/keystore.go:281
DEBU [CLIENT]    Activating relogin on ssh: handshake failed: open /home/user/.tsh/keys/teleport.example.com/user: no such file or directory. client/api.go:735
DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport.example.com:3080 client/api.go:3916
DEBU             Attempting GET teleport.example.com:3080/webapi/ping webclient/webclient.go:119
Enter password for Teleport user user:

ERROR REPORT:
Original Error: *errors.errorString underlying reader is not a terminal
...

References

• discussed on teleport-community slack
• GetKey function client/keystore.go:281

[Joerger]

Just happened upon this issue. This basically happens because when TLS routing is enabled, we need the TLS certificate in addition to the forwarded agent key to connect to the proxy.

This should be solved once https://github.com/gravitational/teleport/issues/1648 is complete, which we expect to land in a minor release of v12.