Open hakontonne opened 1 year ago
As per this community Slack thread, the problem is in `tsh proxy ssh` misbehaving with a username that includes backslashes (as it would be necessary for NetBIOS-prefixed usernames).

Have verified that running the command also prompts for password:

```
$ /opt/homebrew/bin/tsh proxy ssh --cluster=teleport.xxx.xx --proxy=teleport.xxx.xx NETBIOS_PREFIX\martin@jasonbourne.teleport.xxxx.xx:3022
# Outputs
Enter password for Teleport user martin_dev:
```
Does `tsh proxy ssh` support providing the login via `-l`?

```
tsh proxy ssh --cluster=teleport.xx.xx --proxy=teleport.xx.xx -l "NETBIOS_PREFIX\martin" jasonbourne.teleport.xx.xx:3022
```

It also might be possible to do:

```
TELEPORT_USER="NETBIOS_PREFIX\martin" tsh proxy ssh --cluster=teleport.xx.xx --proxy=teleport.xx.xx jasonbourne.teleport.xx.xx:3022
```

The code that splits `user@host` in `tsh` is... interesting, so providing the username explicitly via some other method is likely to work better.
@webvictim that results in a "SSH-2.0-Teleport" line in response!

```
$ tsh proxy ssh --cluster=teleport.xx.xx --proxy=teleport.xx.xx -l "Machine1\user" alice.teleport.xx.xx:3022
SSH-2.0-Teleport
```

Altering the proxy command in the config to

```
# Flags for all teleport.xx.xx hosts except the proxy
Host *.teleport.xx.xx !teleport.xx.xx
    Port 3022
    ProxyCommand /opt/homebrew/bin/tsh proxy ssh --cluster=teleport.xx.xx --proxy=teleport.xx.xx -l "%r" %h:%p
# End generated Teleport configuration
```

Changed proxy command from `/opt/homebrew/bin/tsh proxy ssh --cluster=teleport.xx.xx --proxy=teleport.xx.xx %r@%h:%p`

So the current workaround is to specify the `-l` flag in the proxy command config and separate + surround the `%r` in double quotes.
We should probably do that in `tsh config`, I don't see any drawbacks. I wonder if it's even a `tsh proxy ssh` issue instead of just a shell quoting issue in `~/.ssh/config`. 🤔
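As an added example (not code from this thread or from Teleport), the script below reproduces the shell-quoting effect: it substitutes `%r`/`%h`/`%p` into two ProxyCommand templates the way OpenSSH does and runs the result through `sh -c`, with a constructed stand-in script in place of `tsh proxy ssh`. The unquoted `%r@%h:%p` form loses the backslash before it reaches the proxy program; the `-l "%r"` form keeps it.

```shell
#!/bin/sh
# Constructed demonstration (not Teleport code) of why "%r@%h:%p" in a
# ProxyCommand loses the backslash of a NETBIOS-style login while -l "%r"
# keeps it. OpenSSH substitutes %r/%h/%p textually and hands the result to
# "sh -c", so an unquoted backslash is consumed by the shell.

# Stand-in for "tsh proxy ssh" (assumption): prints only the login it received.
FAKE_TSH=$(mktemp) || exit 1
trap 'rm -f "$FAKE_TSH"' EXIT
cat >"$FAKE_TSH" <<'EOF'
#!/bin/sh
# Accepts "-l LOGIN HOST:PORT" or "LOGIN@HOST:PORT" and echoes LOGIN.
if [ "$1" = "-l" ]; then printf '%s\n' "$2"; else printf '%s\n' "${1%@*}"; fi
EOF
chmod +x "$FAKE_TSH"

# subst STRING TOKEN VALUE: replace the first occurrence of TOKEN in STRING.
# Pure POSIX sh (no sed), so backslashes in VALUE are inserted verbatim,
# exactly as ssh inserts the remote user into the template.
subst() {
    case $1 in
        *"$2"*) printf '%s' "${1%%$2*}$3${1#*$2}" ;;
        *)      printf '%s' "$1" ;;
    esac
}

# login_seen_by_proxy TEMPLATE LOGIN HOST PORT: expand the ProxyCommand
# template and run it via "sh -c" as ssh would; prints the login the proxy
# program actually received.
login_seen_by_proxy() {
    cmd=$(subst "$1" '%r' "$2")
    cmd=$(subst "$cmd" '%h' "$3")
    cmd=$(subst "$cmd" '%p' "$4")
    sh -c "$cmd"
}

OLD_TEMPLATE="$FAKE_TSH %r@%h:%p"         # form tsh config used to emit
NEW_TEMPLATE="$FAKE_TSH -l \"%r\" %h:%p"  # form with -l and quoted %r

login_seen_by_proxy "$OLD_TEMPLATE" 'Machine1\user' alice.teleport.example 3022  # prints Machine1user
login_seen_by_proxy "$NEW_TEMPLATE" 'Machine1\user' alice.teleport.example 3022  # prints Machine1\user
```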
@espadolini I can create a PR for that, seems like it's just changing the string for the SSH config template in the `openssh.go` file.
Now have a working version of `tsh` that gives the following:

```
./tsh config --proxy teleport.xx.xx
# Begin generated Teleport configuration for teleport.xx.xx by tsh

# Common flags for all teleport.xx.xx hosts
Host *.teleport.xx.xx teleport.xx.xx
    UserKnownHostsFile "/Users/user/.tsh/known_hosts"
    IdentityFile "/Users/user/.tsh/keys/teleport.xx.xx/teleport_user"
    CertificateFile "/Users/user/.tsh/keys/teleport.xx.xx/teleport_user-ssh/teleport.xx.xx-cert.pub"
    PubkeyAcceptedAlgorithms +ssh-rsa-cert-v01@openssh.com
    HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com

# Flags for all teleport.xx.xx hosts except the proxy
Host *.teleport.xx.xx !teleport.xx.xx
    Port 3022
    ProxyCommand "/Users/user/GolandProjects/teleport/build/tsh" proxy ssh --cluster=teleport.xx.xx --proxy=teleport.xx.xx -l "%r" %h:%p

# End generated Teleport configuration
```
PR is here: https://github.com/gravitational/teleport/pull/18447
> We should probably do that in `tsh config`, I don't see any drawbacks.

Agreed, it'll also enable easier support of usernames containing @ signs.
@espadolini Be aware, we found a bug with VS Code, where whenever VS Code edits and saves the `.ssh/config` file itself (through the "Add New SSH host" dialog), it removes double quotes and breaks this until you manually edit the SSH config again.

I'll raise this with VS Code, and I can have a look and see if we can use single quotes instead.
Expected behavior:

Connecting to a host using the `ssh` command with a username that contains a backslash should work just as using the `tsh ssh` command. `ssh machineid\\user@hostname.cluster.domain.com` should work the same way `tsh ssh machineid\\user@hostname` does.

Current behavior:

Calling `ssh machineid\\user@hostname.cluster.domain.com` results in the following message:

Calling `tsh ssh machineid\\user@hostname` works fine, also calling `ssh machineid\\user@hostname` works fine; it's when going through the cluster that this bug appears.

While backslashes in usernames are not recommended, it's completely possible and Teleport should support it, if it wants true 1 to 1 compatibility with ssh.

Also this bug appeared when deploying Teleport to access Amazon Workspace machines, where users are generated by the system with backslashes in them and access through the SSH command is required to get VS Code support.
Bug details:

Teleport v11.0.1 git: go1.19.2 Proxy version: 11.0.1

Assuming fresh host:

```
useradd -m -g sudo 'Machine1\user'
sudo tctl get users/dev_user > dev_user.yaml
```

and then update.

`.ssh/config` is updated with the auto-generated config from `tsh config --proxy proxy.foo.example.com`

```
ssh machineid\\user@hostname.cluster.domain.com
```

Doing `tsh ssh machineid\\user@hostname` should work just fine from the same client.

ssh -v

I'll be happy to contribute to this issue.