gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Configuring sshd adds an Include directive in sshd config which isn't supported in OpenSSH 7.4 #31681

Open oshati opened 1 year ago

oshati commented 1 year ago

Expected behavior: Successfully configure sshd to register an OpenSSH node when the teleport join openssh command is executed on OpenSSH 7.4.

Current behavior: When configuring sshd to implement Teleport with OpenSSH in agentless mode, teleport join openssh errors out with the below:

[root@ip-teleport-ent]# ./teleport join openssh   --address ec2.us-t-1.compute.amazonaws.com:22   --proxy-server teleport.example.com:443   --join-method token   --token f24d3dxxxxxx   --labels env=dev
INFO             Starting Teleport v13.3.8 common/teleport.go:563
INFO [PROC:1]    Generating new host UUID: 20f6f310-02ed-471d-8cd6-e7262a22c0ad. pid:6670.1 service/service.go:5631
INFO [PROC:1]    Joining the cluster with a secure token. pid:6670.1 service/connect.go:589
INFO [PROC:1]    Joining the cluster with a secure token. pid:6670.1 service/connect.go:589
INFO [PROC:1]    Instance has obtained credentials to connect to the cluster. pid:6670.1 service/connect.go:646
INFO [PROC:1]    Node has obtained credentials to connect to the cluster. pid:6670.1 service/connect.go:646
INFO [PROC:1]    The process successfully wrote the credentials and state of Instance to the disk. pid:6670.1 service/connect.go:687
INFO [PROC:1]    The process successfully wrote the credentials and state of Node to the disk. pid:6670.1 service/connect.go:687
INFO [PROC:1]    Instance: features loaded from auth server: Kubernetes:true App:true DB:true OIDC:true SAML:true AccessControls:true AdvancedAccessWorkflows:true HSM:true Desktop:true Assist:true DeviceTrust:<enabled:true > AccessRequests:<>  pid:6670.1 service/connect.go:96
INFO [INSTANCE:] Successfully registered instance client. pid:6670.1 service/service.go:2364
INFO [UPLOAD:1]  starting upload completer service pid:6670.1 service/service.go:2728
INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log. pid:6670.1 service/service.go:2744
INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload. pid:6670.1 service/service.go:2744
INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/streaming. pid:6670.1 service/service.go:2744
INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/streaming/default. pid:6670.1 service/service.go:2744
INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log. pid:6670.1 service/service.go:2744
INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload. pid:6670.1 service/service.go:2744
INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/corrupted. pid:6670.1 service/service.go:2744
INFO [UPLOAD:1]  Creating directory /var/lib/teleport/log/upload/corrupted/default. pid:6670.1 service/service.go:2744
INFO [PROC:1]    Node: features loaded from auth server: Kubernetes:true App:true DB:true OIDC:true SAML:true AccessControls:true AdvancedAccessWorkflows:true HSM:true Desktop:true Assist:true DeviceTrust:<enabled:true > AccessRequests:<>  pid:6670.1 service/connect.go:96
WARN [PROC:1]    Teleport process has exited with error. error:[
ERROR REPORT:
Original Error: trace.aggregate exit status 255, exec: already started
Stack Trace:
    github.com/gravitational/teleport/lib/openssh/sshd.go:191 github.com/gravitational/teleport/lib/openssh.(*sshdBackend).checkConfig
    github.com/gravitational/teleport/lib/openssh/sshd.go:199 github.com/gravitational/teleport/lib/openssh.(*sshdBackend).restart
    github.com/gravitational/teleport/lib/openssh/sshd.go:141 github.com/gravitational/teleport/lib/openssh.(*SSHD).UpdateConfig
    github.com/gravitational/teleport/lib/service/connect.go:732 github.com/gravitational/teleport/lib/service.(*TeleportProcess).syncOpenSSHRotationState
    github.com/gravitational/teleport/lib/service/supervisor.go:546 github.com/gravitational/teleport/lib/service.(*LocalService).Serve
    github.com/gravitational/teleport/lib/service/supervisor.go:281 github.com/gravitational/teleport/lib/service.(*LocalSupervisor).serve.func1
    runtime/asm_amd64.s:1598 runtime.goexit
User Message: invalid sshd config file, failed to get `sshd -t -f "/etc/ssh/sshd_config"` output
    exit status 255, exec: already started] pid:6670.1 service:openssh.rotate service/supervisor.go:286
ERRO [PROC:1]    "Critical service openssh.rotate has exited with error invalid sshd config file, failed to get `sshd -t -f \"/etc/ssh/sshd_config\"` output\n\texit status 255, exec: already started, aborting." pid:6670.1 service/signals.go:143
ERROR: invalid sshd config file, failed to get `sshd -t -f "/etc/ssh/sshd_config"` output
exit status 255, exec: already started

Testing the validity of the sshd config shows the below:

[root@ip teleport]# sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config: line 1: Bad configuration option: Include
/etc/ssh/sshd_config: terminating, 1 bad configuration options

It was observed to have added the Include directive line below in the sshd config, which isn't a valid value in OpenSSH 7.4:

Include /var/lib/teleport/sshd.conf

Bug details:

schmidtjohannes commented 11 months ago

Same here with v14.1.1

jamie-pate commented 10 months ago

https://www.openssh.com/txt/release-8.2 <- include directive added here
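
A pre-flight check for the failure reported in this issue, as an added example that is not Teleport's code: it reads the OpenSSH version banner, treats 8.2 as the first release with Include (per the release notes linked above), and validates a staged copy with `sshd -t -f` before replacing the live file. The function names and the `SSHD_BIN` override are assumptions made for illustration.

```sh
# Added example, not part of Teleport. Function names and SSHD_BIN are
# hypothetical. Include support starts at OpenSSH 8.2 (release notes above).

# Print "major minor" from a banner like "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips".
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# 0 = Include supported (>= 8.2), 1 = too old, 2 = banner not understood.
supports_include() {
    set -- $(openssh_version "$1")
    [ $# -eq 2 ] || return 2
    [ "$1" -gt 8 ] && return 0
    [ "$1" -eq 8 ] && [ "$2" -ge 2 ] && return 0
    return 1
}

# Prepend "Include <path>" to a copy of the config, validate the copy with
# `sshd -t -f`, and replace the live file only if validation passes, so a
# rejected directive never reaches the config the running daemon depends on.
add_include_checked() {
    _cfg=$1
    _inc=$2
    _tmp=$(mktemp "${_cfg}.XXXXXX") || return 1
    cp -p "$_cfg" "$_tmp"          # carry over mode and ownership
    { printf 'Include %s\n' "$_inc"; cat "$_cfg"; } > "$_tmp"
    if "${SSHD_BIN:-sshd}" -t -f "$_tmp" >/dev/null 2>&1; then
        mv "$_tmp" "$_cfg"
    else
        rm -f "$_tmp"
        return 1
    fi
}

# Typical use on a host (ssh -V prints its banner on stderr):
#   if supports_include "$(ssh -V 2>&1)"; then
#       add_include_checked /etc/ssh/sshd_config /var/lib/teleport/sshd.conf
#   else
#       echo "OpenSSH too old for Include; config left unchanged" >&2
#   fi
```

The banner check assumes the `ssh` client and `sshd` come from the same OpenSSH package; the staged `sshd -t -f` run is the authoritative test either way.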