search

gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
16.99k stars 1.71k forks source link

`tsh ssh <user>@` produces browser login URL with error. #17297

Open Valien opened 1 year ago

Valien commented 1 year ago

Expected behavior:

Not sure that Teleport is supposed to do this. It should probably return a friendly message due to the incomplete tsh ssh command being run but somehow is not capturing that and routing to a login screen instead.

Current behavior:

Running a tsh ssh <user>@ while logged into a Teleport cluster will generate a new login URL and open your default browser to authenticate in. It will then return back to the CLI with an error message (and updated certificate I think).

Sequence of messages:

> tsh logout
Logged out all users from all proxies.
> tsh ssh ubuntu@
ERROR: No proxy address specified, missed --proxy flag?

This is expected behaviour as we've not logged in or defined anything to login.

> tsh login --user=Valien --auth=github --proxy=<SERVER>.teleport.sh:443
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:51421/e3fdfa40-4ca7-4022-9b60-95d237589a37
> Profile URL:        https://<SERVER>.teleport.sh:443
  Logged in as:       Valien
  Cluster:            <SERVER>.teleport.sh
  Roles:              admin, dbaccess, developers, sre, windows-desktop-admins
  Logins:             Valien, pi, ubuntu, ec2-user, -teleport-internal-join
  Kubernetes:         enabled
  Kubernetes cluster: "gcp-k8s-c1"
  Kubernetes groups:  admin, system:masters
  Valid until:        2022-10-11 22:15:40 -0400 EDT [valid for 8h0m0s]
  Extensions:         permit-agent-forwarding, permit-port-forwarding, permit-pty

All is well.

> tsh ssh ubuntu@
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:51438/ba2b8d6e-db32-4fc8-9175-e05d7771c8b0
ERROR: unknown Target <nil>
 ~

Browser returns a successful login but then drops to this error. Teleport audit logs show a new cert being generated as well.

Screen Shot 2022-10-10 at 2 58 15 PM

Bug details:

  1. tsh login via CLI
  2. Run tsh ssh ubuntu@ and hit enter
  3. Browser opens up and logins and then returns an error
webvictim commented 1 year ago

This might be related to https://github.com/gravitational/teleport/issues/26946

zmb3 commented 3 weeks ago

In modern times the error is a bit different, but we can still clean this up:

➜ tsh login --auth=github --proxy=example.com
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:61352/7ab38508-7545-4777-9e7d-0ad5a8503234
> ...

➜ tsh ssh ubuntu@
ERROR: failed connecting to host :0: failed to receive cluster details response
        rpc error: code = Unknown desc = failed to dial target host
        cannot route to empty target host