gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

sshuttle cannot be used with tsh #18453

Open devicenull opened 1 year ago

devicenull commented 1 year ago

https://github.com/sshuttle/sshuttle/issues/599

This client app expects the standard ssh behavior of a -- indicating the end of an argument list, preventing anything past it from being interpreted by the client as arguments.

This can be found in the openssh source here: https://github.com/openssh/openssh-portable/blob/ca98d3f8c64cfc51af81e1b01c36a919d5947ec2/ssh.c#L1062

Currently, if I try to use this with tsh, I get a weird bash error.

Expected behavior:

Using a -- in the command line should be supported

Current behavior:

$ tsh ssh root@test -- ls
/bin/bash: --: invalid option
Usage:  /bin/bash [GNU long option] [option] ...
        /bin/bash [GNU long option] [option] script-file ...
GNU long options:
        --debug
        --debugger
        --dump-po-strings
        --dump-strings
        --help
        --init-file
        --login
        --noediting
        --noprofile
        --norc
        --posix
        --pretty-print
        --rcfile
        --restricted
        --verbose
        --version
Shell options:
        -ilrsD or -c command or -O shopt_option         (invocation only)
        -abefhkmnptuvxBCHP or -o option
ERROR: Process exited with status 2

Bug details:

I didn't provide debug logs here since I don't think they're really going to be relevant.

StephenTan-TW commented 1 year ago

Yes - please can we fix this. I've implemented a hack in sshuttle where I just remove the "--", which I feel is the wrong thing to do.

sinh-tran-ts commented 11 months ago

Add ssh config: tsh config >> ~/.ssh/config

Example (add at the end):

Host gcp-cloud-*
    Port 3022
    ProxyCommand "/usr/local/bin/tsh" proxy ssh --cluster=teleport.local --proxy=teleport.local:443 %r@%h:%p
Host gcp-cloud-compute01
    User centos
Host gcp-cloud-compute02
    User centos

Run ssh:

sshuttle -e "ssh" -l 0.0.0.0 -vr gcp-cloud-compute01 10.x.x.0/24

StephenTan-TW commented 11 months ago

> Add ssh config: tsh config >> ~/.ssh/config
>
> Example (add at the end):
>
> Host gcp-cloud-*
>     Port 3022
>     ProxyCommand "/usr/local/bin/tsh" proxy ssh --cluster=teleport.local --proxy=teleport.local:443 %r@%h:%p
> Host gcp-cloud-compute01
>     User centos
> Host gcp-cloud-compute02
>     User centos
>
> Run ssh:
>
> sshuttle -e "ssh" -l 0.0.0.0 -vr gcp-cloud-compute01 10.x.x.0/24

Oh, interesting - will try that - thank you

ns-sjorgedeaguiar commented 2 months ago

@devicenull @webvictim hey guys, I'm willing to work on this issue. However I was looking for some advice on the feasibility and shortcomings. Also is this a fix you’re willing to accept? Thanks

edit: I've opened sshuttle/sshuttle#974 as well to try to address on their end, but it would be great if tsh handled the delimiters.

ns-sjorgedeaguiar commented 2 months ago

Also this seems to be a dup of #16589

webvictim commented 2 months ago

@ns-sjorgedeaguiar I agree it'd be nice if tsh handled delimiters. We would likely accept a PR which fixes this issue in tsh ssh itself, as long as it adds comprehensive test coverage to make sure this doesn't affect other use cases and prevent future regressions.
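
An added sketch of the delimiter handling this issue asks for (not tsh code, and not written by anyone in this thread). The `splitArgs` helper and `parsed` type are hypothetical, and the sketch assumes every client flag is boolean:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// parsed is a hypothetical result type for this example.
type parsed struct {
	Flags   []string // client options seen before the target
	Target  string   // user@host
	Command []string // words forwarded to the remote side, verbatim
}

// splitArgs models "client [flags] [--] target [--] [command...]".
// Assumption: all flags are boolean, so no flag consumes the next word.
func splitArgs(args []string) (parsed, error) {
	var p parsed
	optsDone, i := false, 0
	for ; i < len(args) && p.Target == ""; i++ {
		switch a := args[i]; {
		case !optsDone && a == "--":
			optsDone = true // end of options: next word is the target
		case !optsDone && strings.HasPrefix(a, "-") && a != "-":
			p.Flags = append(p.Flags, a)
		default:
			p.Target = a
		}
	}
	if p.Target == "" {
		return p, errors.New("missing target")
	}
	// One "--" directly after the target belongs to the client and is
	// dropped here, so it never reaches the remote shell as an argument.
	if i < len(args) && args[i] == "--" {
		i++
	}
	// The rest is remote command text, kept verbatim: a later "--" or a
	// word that looks like a client flag is not interpreted locally.
	p.Command = append(p.Command, args[i:]...)
	return p, nil
}

func main() {
	// Constructed invocation, modelled on the one in the report.
	p, err := splitArgs([]string{"root@test", "--", "ls"})
	fmt.Printf("%+v %v\n", p, err)
}
```
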

devicenull commented 2 months ago

> @devicenull @webvictim hey guys, I'm willing to work on this issue. However I was looking for some advice on the feasibility and shortcomings. Also is this a fix you’re willing to accept? Thanks
>
> edit: I've opened sshuttle/sshuttle#974 as well to try to address on their end, but it would be great if tsh handled the delimiters.

I no longer work at a place that uses teleport.