Open zmb3 opened 3 months ago
This also affects Teleport Connect, and the workarounds of setting `TELEPORT_USER` and `TELEPORT_LOGIN` are much harder when using a graphical process. It'd be really nice if these fixes also worked for Teleport Connect!
On AD-joined Windows hosts, `tsh` can time out due to the fact that when unspecified, `--user` and `--login` default to the currently logged in OS-user. This is reasonable behavior and works well on most systems, but on domain-joined machines it ends up being an expensive network call rather than a local operation.

Original issue at #25014.
We did some work to improve this (see #24156, #25950, #29546, and #35179), but unfortunately we still see support load and customer confusion.
There are a couple problems remaining:
- `--user` and `--login` (or their environment variable equivalents), but the irony is the value of `--user` is never consulted when using SSO, and most customers are using SSO. In fact, `tsh` will even print a warning that says that `--user` is not necessary for SSO logins. This is confusing.
- `--login` to be provided to every command, even if it is not needed. For example, `tsh login` doesn't really need to know the OS user, that's not required until you `tsh ssh`.

Let's clean this up. Potential solution: instead of attempting to specify the user/login early, defer it until absolutely necessary. This should make it so that a `tsh login` with SSO doesn't hang, even on AD.
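
The deferral proposed above, sketched as an added example (not code from this issue or from Teleport): an explicit `--login` value or `TELEPORT_LOGIN` wins, and the OS account lookup runs at most once, only when a command first asks for the login. The `lazyLogin` type and its functions are hypothetical names.

```go
package main

import (
	"fmt"
	"os"
	"os/user"
	"sync"
)

// lazyLogin (hypothetical) holds an explicit login or a deferred OS lookup.
type lazyLogin struct {
	explicit string                 // from --login or TELEPORT_LOGIN
	lookup   func() (string, error) // possibly slow on domain-joined hosts
	once     sync.Once
	val      string
	err      error
}

// newLazyLogin does no I/O beyond reading the environment variable.
func newLazyLogin(flagValue string, lookup func() (string, error)) *lazyLogin {
	if flagValue == "" {
		flagValue = os.Getenv("TELEPORT_LOGIN")
	}
	return &lazyLogin{explicit: flagValue, lookup: lookup}
}

// Get resolves the login on first use and caches the result, error included.
func (l *lazyLogin) Get() (string, error) {
	if l.explicit != "" {
		return l.explicit, nil
	}
	l.once.Do(func() { l.val, l.err = l.lookup() })
	return l.val, l.err
}

// osUsername is the lookup that may become a network call on AD-joined hosts.
func osUsername() (string, error) {
	u, err := user.Current()
	if err != nil {
		return "", err
	}
	return u.Username, nil
}

func main() {
	login := newLazyLogin("", osUsername)
	// An SSO login step would finish here without ever calling login.Get().
	fmt.Println("login step done; OS user not resolved yet")
	// Only a step that needs the OS login (such as ssh) pays for the lookup.
	name, err := login.Get()
	fmt.Println(name, err)
}
```
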