gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

trusted cluster login followed by `tsh config` makes incorrect ssh config #25018

Closed GavinFrazar closed 1 year ago

GavinFrazar commented 1 year ago

Expected behavior: tsh config should generate a config file that properly configures ssh client certificate file

Current behavior: When logged into a leaf cluster, my ssh cert is at keys/<root-proxy>/gavin-ssh/<leaf-cluster>-cert.pub but tsh config specifies CertificateFile: "...*snip*.../<root-cluster>-cert.pub" in the ssh config it generates for leaf cluster hosts.

Example:

```text
$ tsh login --proxy=saturn.teleportdemo.net --user=gavin jupiter            (base) 
Enter password for Teleport user gavin:
Tap any security key
Detected security key tap
> Profile URL:        https://saturn.teleportdemo.net:443
  Logged in as:       gavin
  Cluster:            jupiter
  Roles:              access, auditor, editor
  Logins:             ubuntu, gavin
  Kubernetes:         enabled
  Valid until:        2023-04-22 04:42:42 -0700 PDT [valid for 12h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

[I] [16:42:43] gavin@mac ~/.ssh  
$ tree ~/.tsh/keys/saturn.teleportdemo.net/                                 (base) 
/Users/gavin/.tsh/keys/saturn.teleportdemo.net/
├── cas
│   ├── jupiter.pem
│   └── saturn.pem
├── certs.pem
├── gavin
├── gavin-ssh
│   └── jupiter-cert.pub
├── gavin-x509.pem
└── gavin.pub

3 directories, 7 files
[I] [16:42:51] gavin@mac ~/.ssh  
$ tsh config                                                                (base) 
# Begin generated Teleport configuration for saturn.teleportdemo.net by tsh

# Common flags for all saturn hosts
Host *.saturn saturn.teleportdemo.net
    UserKnownHostsFile "/Users/gavin/.tsh/known_hosts"
    IdentityFile "/Users/gavin/.tsh/keys/saturn.teleportdemo.net/gavin"
    CertificateFile "/Users/gavin/.tsh/keys/saturn.teleportdemo.net/gavin-ssh/saturn-cert.pub"
    HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com

# Flags for all saturn hosts except the proxy
Host *.saturn !saturn.teleportdemo.net
    Port 3022
    ProxyCommand "/usr/local/bin/tsh" proxy ssh --cluster=saturn --proxy=saturn.teleportdemo.net %r@%h:%p
# Common flags for all jupiter hosts
Host *.jupiter saturn.teleportdemo.net
    UserKnownHostsFile "/Users/gavin/.tsh/known_hosts"
    IdentityFile "/Users/gavin/.tsh/keys/saturn.teleportdemo.net/gavin"
    CertificateFile "/Users/gavin/.tsh/keys/saturn.teleportdemo.net/gavin-ssh/saturn-cert.pub"
    HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com

# Flags for all jupiter hosts except the proxy
Host *.jupiter !saturn.teleportdemo.net
    Port 3022
    ProxyCommand "/usr/local/bin/tsh" proxy ssh --cluster=jupiter --proxy=saturn.teleportdemo.net %r@%h:%p

# End generated Teleport configuration
```

Bug details:

r0mant commented 1 year ago

I don't think this is a regression or an issue, we always connect to the root proxy and "tsh proxy ssh" requests a proxy subsystem that routes the connection to the correct cluster. Previous versions (v9-v12) generate the same config.

Closing as working as designed.
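A diagnostic check for the situation in the report above, added here as example code (it is not part of Teleport or of either comment): it parses the `tsh config` output into Host blocks, applies ssh_config `Host` pattern matching including `!` negation, and reports which `CertificateFile` paths ssh would try for a given host that are not present in the key directory. The config fragment and the file list are constructed from the output quoted in the report.

```python
import fnmatch
from typing import Dict, List, Set

# Constructed from the `tsh config` output above (only the keys this check needs).
TSH_CONFIG = """\
Host *.saturn saturn.teleportdemo.net
    CertificateFile "/Users/gavin/.tsh/keys/saturn.teleportdemo.net/gavin-ssh/saturn-cert.pub"

Host *.jupiter saturn.teleportdemo.net
    CertificateFile "/Users/gavin/.tsh/keys/saturn.teleportdemo.net/gavin-ssh/saturn-cert.pub"
"""
# Constructed from the `tree ~/.tsh/keys/...` listing above: after `tsh login ... jupiter`
# the only SSH certificate on disk is the leaf cluster's.
KEY_DIR = "/Users/gavin/.tsh/keys/saturn.teleportdemo.net"
KEY_FILES: Set[str] = {f"{KEY_DIR}/gavin", f"{KEY_DIR}/gavin-ssh/jupiter-cert.pub"}


def parse_host_blocks(text: str) -> List[Dict]:
    """Split an ssh_config fragment into Host blocks (patterns plus keyword -> values)."""
    blocks: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append({"patterns": value.split(), "options": {}})
        elif blocks:
            blocks[-1]["options"].setdefault(key.lower(), []).append(value.strip().strip('"'))
    return blocks


def block_applies(host: str, patterns: List[str]) -> bool:
    """ssh_config Host semantics: a matching '!' pattern excludes the block, else any match selects it."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))


def missing_cert_files(host: str, config: str, existing: Set[str]) -> List[str]:
    """Return the CertificateFile paths ssh would use for `host` that are absent on disk."""
    wanted: List[str] = []
    for block in parse_host_blocks(config):
        if block_applies(host, block["patterns"]):
            # CertificateFile accumulates across matching blocks, so collect every one.
            wanted.extend(block["options"].get("certificatefile", []))
    return [path for path in dict.fromkeys(wanted) if path not in existing]
```

With the paths from the report, `missing_cert_files("node.jupiter", TSH_CONFIG, KEY_FILES)` returns the `saturn-cert.pub` path, which is the mismatch the report describes; the check returns an empty list once that file exists.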