gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com

`ssh` host verification to leaf clusters fails when using `tsh config` when session recording mode set to `proxy` #42256

Open timothyb89 opened 3 months ago

timothyb89 commented 3 months ago

Expected behavior:

Host key verification should work when using all supported proxy recording modes.

Current behavior:

Connecting with `auth_service.session_recording` set to `proxy`:

```
$ ssh -F ~/.ssh/tsh_config tim@teleport-leaf.teleport-leaf.ethernet.fyi
The authenticity of host '[teleport-leaf.teleport-leaf.ethernet.fyi]:3022 (<no hostip for proxy command>)' can't be established.
RSA key fingerprint is SHA256:fe92uTOm5gKc23QYiWXeAuaZH/NR/xzq7PPA/2REHr0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? ^CERROR: context canceled
```

After disabling proxy recording mode, it works properly:

```
$ ssh -F ~/.ssh/tsh_config tim@teleport-leaf.teleport-leaf.ethernet.fyi
tim@teleport-leaf:~$
```

Connections within the same cluster work as expected.

Bug details:

timothyb89 commented 3 months ago

Possibly related to this other issue: https://github.com/gravitational/teleport/issues/42252