gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Host identification has changed. #2843

Closed benarent closed 1 year ago

benarent commented 5 years ago

What happened: When setting up Teleport, you can get a warning message that the host identification has changed. While many online suggestions suggest removing the server from known hosts, this is a bit of a hack and doesn't really solve the underlying issue.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!

Problem.

To solve this, users of the tsh/OpenSSH client need to add the authentication server to

  1. Log in to the Authentication Server.
  2. Run tctl auth export --type=host. This will export the cert authority, which will need to be copied into ~/.ssh/known_hosts.

BUG Note: the cert-authority host defaults to the node name. This should match the domain for the host, e.g. for teleport.practice.io it should be *.practice.io. If I was just using a test AWS ELB, I would have to use something like practice-proxy-fdsfds34.elb.us-west-2.amazonaws.com, so I would have to use *.elb.us-west-2.amazonaws.com.

@cert-authority *.graviton-auth ssh-rsa AAA9VODUK/QxxxgnMmNs8bL21sohrG3y405cWG+0XaJ9sKYxFDyoHO3efp+vgKZX+l/DG3R9+gWwU6/PYT6ioL30rfJjp/R+tT7pF7Ri5m4X7t/O9f0c+Ej9/4dR8aOVMm6bhFWmRY/SupW4eT0sHAvD7xxb34ot6k8ZZqoflFKM1wQ/ZKIUDs6pTeLobdWC6arj1SahpZxHWH9T7DJC/lWmtr5b36mgLFCnBByIJ6cjYLg3qkgk+iqaQHoBudNLDQABAAABAQADAAAAE2cy1CazN3BAz+R type=host

^ The above defaults to the node name; it should be a wildcard on the proxy domain.

What you expected to happen:

We should make it clear how the certificate authority works, maybe pull in the DNS and information about SSH principals.

We could also provide the @cert-authority via the UI for end users to not encounter the TOFU problem.
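As an added example (not code from this issue or from Teleport), the following parses a known_hosts @cert-authority line like the one exported above, rewrites its host-pattern field from the default node name to the proxy domain wildcard, and applies OpenSSH's known_hosts pattern matching to show why the default pattern never covers the proxy hostname. The sample line and key material are constructed, not a real CA key.

```python
import re

# Constructed sample of a `tctl auth export --type=host` line like the one in the
# issue; the key material is shortened and not a real CA key.
EXPORTED_CA = ("@cert-authority *.graviton-auth ssh-rsa "
               "AAAAB3NzaC1yc2EAAAADAQABAAABAQC7EXAMPLE type=host")


def parse_cert_authority(line):
    """Split a known_hosts line "@cert-authority <patterns> <type> <key> [comment]"."""
    parts = line.strip().split(None, 4)
    if len(parts) < 4 or parts[0] != "@cert-authority":
        raise ValueError("not an @cert-authority line: %r" % line)
    return {"patterns": parts[1].split(","), "key_type": parts[2],
            "key": parts[3], "comment": parts[4] if len(parts) > 4 else ""}


def rewrite_host_pattern(line, new_pattern):
    """Return the line with its host-pattern field replaced, e.g. the default
    node-name pattern "*.graviton-auth" swapped for the proxy domain."""
    ca = parse_cert_authority(line)
    out = "@cert-authority %s %s %s" % (new_pattern, ca["key_type"], ca["key"])
    return out + (" " + ca["comment"] if ca["comment"] else "")


def _pattern_regex(pattern):
    # OpenSSH known_hosts patterns: '*' matches any run of characters (dots
    # included), '?' matches exactly one character; everything else is literal.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


def host_matches(patterns, hostname):
    """True if the entry covers hostname: patterns are comma-separated, and a
    pattern starting with '!' excludes the hosts it matches from the entry.
    For a non-default SSH port the client looks up "[host]:port" instead."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if _pattern_regex(pat[1:] if negate else pat).match(hostname):
            if negate:
                return False
            matched = True
    return matched


def ca_covers(line, hostname):
    """Would this @cert-authority entry be consulted for a host cert from hostname?"""
    return host_matches(parse_cert_authority(line)["patterns"], hostname)
```

With the default line, ca_covers(EXPORTED_CA, "teleport.practice.io") is False, which is exactly why the client falls back to TOFU and later raises the "host identification has changed" warning; after rewrite_host_pattern(EXPORTED_CA, "*.practice.io") it is True.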

pnomolos commented 2 years ago

The above also applies when using the standard ssh login through the Teleport proxy.

zmb3 commented 1 year ago

Closing this one as deprecated since the agentless setup is much different now than it was 4 years ago.