Open pschisa opened 11 months ago
FWIW, client_idle_timeout seems to work for db access as well. https://github.com/gravitational/teleport/issues/20557
This topic seems to come up a lot in Zendesk inquiries. I've also seen this note repeated:

"When a user has multiple roles assigned that specify conflicting options the most secure or restrictive value will be used"

Related feature req: https://github.com/gravitational/teleport/issues/42328
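As an added illustration (not from this issue or from the Teleport project itself), here is how the two settings discussed in this thread are set at the cluster level and per role, and how the "most restrictive value wins" note quoted above plays out. Assumed: the auth_service.client_idle_timeout key in teleport.yaml and spec.options.client_idle_timeout in a role resource, both of which the config and role references linked in the issue body describe; the placement of web_idle_timeout under auth_service, the role names and the durations are assumptions made for this example.

```yaml
# teleport.yaml, cluster-wide default (constructed example).
# "never" is the permissive value that disables the idle cutoff entirely;
# a finite duration is the hardened setting.
auth_service:
  enabled: yes
  # Idle client connections are torn down after this long.
  client_idle_timeout: 15m
  # Assumed key/placement: idle limit for the Teleport Web UI session itself,
  # separate from client_idle_timeout.
  web_idle_timeout: 10m
---
# Role resources, loaded with: tctl create -f roles.yaml
# The per-role option takes effect for users holding that role.
kind: role
version: v5
metadata:
  name: ops          # constructed role name
spec:
  options:
    client_idle_timeout: 30m
  allow:
    logins: [ubuntu]
---
kind: role
version: v5
metadata:
  name: restricted   # constructed role name
spec:
  options:
    client_idle_timeout: 5m
  allow:
    logins: [ubuntu]
# A user assigned both "ops" and "restricted" gets the more restrictive value (5m),
# per the note quoted above that conflicting role options resolve to the most
# secure setting.
```

When checking the effective value, read back the roles with tctl (for example, tctl get roles) rather than trusting the file on disk, since the resource actually stored in the backend is what the auth service enforces.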
@ravicious @zmb3 This is what I've gathered for Paul's Qs above. Can you confirm/correct my understanding here? Thanks!

- client_idle_timeout applies to all protocols, not just SSH, and governs any active session regardless of how it's initiated (through the tsh client or via the web).
- client_idle_timeout does impact web app sessions, but the web_idle_timeout is specifically for sessions in the Teleport Web UI (not individual SSH or web app sessions).

I think that's correct, it seems like MonitorConn in lib/srv/monitor.go is the single central place that controls that.

I'm just not sure if it's supported for all protocols. Have you tried changing this setting on an actual cluster and checking if it works with dbs and k8s, just to confirm this? I can see MonitorConn being used in the code for SSH, databases and apps, but I don't see it being used for other protocols.

> The client_idle_timeout does impact web app sessions (…)

But how does it impact web app sessions exactly? I think it'd be good to include that in the docs as well.
Thanks Rafał! Good call, I shouldn't say all protocols. I will give it a spin with k8s to confirm.
> The client_idle_timeout does impact web app sessions (…) But how does it impact web app sessions exactly?

The client_idle_timeout seems to impact SSH sessions initiated from the web interface from my tests. I think that's about it for that part.
> The client_idle_timeout seems to impact SSH sessions initiated from the web interface from my tests. I think that's about it for that part.

Cool, that's important to clarify. Without it, I'd have assumed that client_idle_timeout has an impact on the length of a Web UI session itself.
Applies To

https://goteleport.com/docs/reference/config/
https://goteleport.com/docs/access-controls/reference/

Details

We currently have two different descriptions for client_idle_timeout:

- role reference
- config reference

This leads to confusion and does not answer some fundamental questions of the functionality: web_idle_timeout?

How will we know this is resolved?

Determine which protocols, which clients, and which scenarios client_idle_timeout is meant to be enforced in, and unify the descriptions to be the same with clearer intended behavior.