gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

tsh login reports stale status #33732

Closed ravicious closed 1 week ago

ravicious commented 9 months ago
$ tsh login --proxy=teleport-local.dev:3090 --user=rav
Enter password for Teleport user rav:
> Profile URL:        https://teleport-local.dev:3090
  Logged in as:       rav
  Cluster:            teleport-local
  Roles:              access, connect-my-computer-rav, db, editor, parallels
  Logins:             rav, dummy, dummy2, root, parallels
  Kubernetes:         enabled
  Kubernetes users:   minikube
  Kubernetes groups:  admins, viewers
  Valid until:        2023-10-20 19:42:59 +0200 CEST [valid for 8h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

Did you know? Teleport Connect offers the power of tsh in a desktop app.
Learn more at https://goteleport.com/docs/connect-your-client/teleport-connect/

$ tsh login --proxy=teleport-local.dev:3090 --user=rav mbp.teleport-local-mbp-home
> Profile URL:        https://teleport-local.dev:3090
  Logged in as:       rav
  Cluster:            teleport-local
❗️                    ^ This is wrong, it should say mbp.teleport-local-mbp-home
❗️                      as does the third invocation below.
  Roles:              access, connect-my-computer-rav, db, editor, parallels
  Logins:             rav, dummy, dummy2, root, parallels
  Kubernetes:         enabled
  Kubernetes users:   minikube
  Kubernetes groups:  admins, viewers
  Valid until:        2023-10-20 19:42:59 +0200 CEST [valid for 8h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

$ tsh status
> Profile URL:        https://teleport-local.dev:3090
  Logged in as:       rav
  Cluster:            mbp.teleport-local-mbp-home
  Roles:              access, connect-my-computer-rav, db, editor, parallels
  Logins:             rav, dummy, dummy2, root, parallels
  Kubernetes:         enabled
  Kubernetes users:   minikube
  Kubernetes groups:  admins, viewers
  Valid until:        2023-10-20 19:42:59 +0200 CEST [valid for 8h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

Bug details:

dancmeyers commented 8 months ago

I don't think this is limited to the cluster argument. We use elevated access requests a lot, and have just upgraded to Teleport 14. I noticed that when I ran tsh login --request-id .... to log in to a session with elevated rights (which in our case has a much shorter session time than I am granted by default), the returned Valid until field was incorrect and still showed my longer session time. I initially thought this was a bug in deciding how long my session should be, but a manual run of tsh status showed the correct time.

It seems that the status output returned by tsh login is stale if you are already logged in to a session, and then refresh to a new/altered session via some tsh login command with additional parameters. If I ran tsh logout first then the output returned by tsh login --request-id ... --proxy ... showed the correct TTL.
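One way to catch the discrepancy reported in this thread, as an added example that is not part of either comment or of Teleport's own code: parse the profile block printed by `tsh login` and the one printed by a later `tsh status`, then report the fields that disagree. The function names are hypothetical and the sample outputs are constructed, shortened from the output quoted in the issue.

```python
import re

# "  Key:   value" lines of a tsh profile block; the active profile's first
# line starts with ">". Keys contain letters and spaces only.
FIELD_RE = re.compile(r"^[> ]\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")
# "[valid for 8h0m0s]" shrinks between invocations, so drop it before comparing.
REMAINING_RE = re.compile(r"\s*\[[^\]]*\]\s*$")

def parse_profile(text):
    """Return the first profile block in tsh login/status output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = REMAINING_RE.sub("", m.group(2))
        elif fields and not line.strip():
            break  # a blank line ends the block
    return fields

def stale_fields(login_out, status_out, keys=("Cluster", "Roles", "Valid until")):
    """Map each checked field to (login value, status value) where they differ."""
    login, status = parse_profile(login_out), parse_profile(status_out)
    return {k: (login.get(k), status.get(k))
            for k in keys if login.get(k) != status.get(k)}

# Constructed sample input, shortened from the output quoted in the issue.
LOGIN_OUTPUT = """\
$ tsh login --proxy=teleport-local.dev:3090 --user=rav mbp.teleport-local-mbp-home
> Profile URL:        https://teleport-local.dev:3090
  Logged in as:       rav
  Cluster:            teleport-local
  Valid until:        2023-10-20 19:42:59 +0200 CEST [valid for 8h0m0s]
"""
STATUS_OUTPUT = """\
$ tsh status
> Profile URL:        https://teleport-local.dev:3090
  Logged in as:       rav
  Cluster:            mbp.teleport-local-mbp-home
  Valid until:        2023-10-20 19:42:59 +0200 CEST [valid for 7h59m0s]
"""

if __name__ == "__main__":
    for field, (reported, actual) in stale_fields(LOGIN_OUTPUT, STATUS_OUTPUT).items():
        print(f"{field}: tsh login said {reported!r}, tsh status says {actual!r}")
```

Comparing the absolute `Valid until` timestamp rather than the bracketed remaining time keeps the check from flagging two outputs that differ only because time passed between the commands.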