gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

-L persistent ssh tunnels don't work #4295

Open antigenius0910 opened 4 years ago

antigenius0910 commented 4 years ago

Description

What happened: persistent ssh tunnels don't work

[ychuang@underpass ~]$ ssh -fNL 8837:localhost:8837 ychuang@shellngpar
Authorized uses only. All activity may be monitored and reported.
Password: 
Enter Your Security Code:XXXXX

[ychuang@underpass ~]$ curl -k https://localhost:8837
<!doctype html>
<html lang="en">
    <head>
        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
        <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; frame-src https://store.tenable.com; default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'" />
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta charset="utf-8" />
        <title>Nessus</title>
        <link rel="stylesheet" href="nessus6.css?v=1593444865865" />
        <!--[if lt IE 11]>
            <script>
                window.location = '/unsupported6.html';
            </script>
        <![endif]-->
        <script src="nessus6.js?v=1593444865865"></script>
    </head>
    <body>
    </body>
</html>

Port 8837 does get forwarded, but I cannot curl it; it errors with "SSL_ERROR_SYSCALL".

yen@yens-MacBook-Pro:$ tsh ssh -L 8837:underpass:8837 --proxy=pylonpar ychuang@underpass

yen@yens-MacBook-Pro:$ lsof -PiTCP -sTCP:LISTEN
COMMAND    PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
tsh      91607  yen    9u  IPv4 0x72a6260464d739ef      0t0  TCP localhost:8837 (LISTEN)

yen@yens-MacBook-Pro:~$ curl -k https://localhost:8837
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8837 
yen@yens-MacBook-Pro:~$ tsh status
> Profile URL:  https://172.x.x.x:3080
  Logged in as: yen@XXX.com
  Cluster:      pylonpar
  Roles:        aduser*
  Logins:       ychuang
  Valid until:  2020-09-04 11:53:58 -0500 CDT [valid for 7h24m0s]
  Extensions:   permit-agent-forwarding, permit-port-forwarding, permit-pty
  Profile URL:  https://172.x.x.x:3080
  Logged in as: yen@XXX.com
  Cluster:      pylonpar
  Roles:        aduser*
  Logins:       ychuang
  Valid until:  2020-08-15 06:47:17 -0500 CDT [EXPIRED]
  Extensions:   permit-agent-forwarding, permit-port-forwarding, permit-pty
* RBAC is only available in Teleport Enterprise
  https://gravitational.com/teleport/docs/enterprise

What you expected to happen: I can curl localhost after port forwarding

yen@yens-MacBook-Pro:~$ curl -k https://localhost:8837

<!doctype html>
<html lang="en">
    <head>
        <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
        <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; frame-src https://store.tenable.com; default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; object-src 'none'" />
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta charset="utf-8" />
        <title>Nessus</title>
        <link rel="stylesheet" href="nessus6.css?v=1593444865865" />
        <!--[if lt IE 11]>
            <script>
                window.location = '/unsupported6.html';
            </script>
        <![endif]-->
        <script src="nessus6.js?v=1593444865865"></script>
    </head>
    <body>
    </body>
</html>

How to reproduce it (as minimally and precisely as possible):

yen@yens-MacBook-Pro:$ tsh ssh -L 8837:underpass:8837 --proxy=pylonpar ychuang@underpass
yen@yens-MacBook-Pro:~$ curl -k https://localhost:8837

Environment

[ychuang@underpass ~]$ tsh version
Teleport v4.2.11 git:v4.2.11-0-g244ec16b7 go1.13.2b4

[ychuang@underpass ~]$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"


- Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware):
Dedicated Hardware

**Browser environment**

- Browser Version (for UI-related issues):
- Install tools:
- Others:

**Relevant Debug Logs If Applicable**

- `tsh --debug`

yen@yens-MacBook-Pro:~$ tsh -d ssh -NL 8837:underpass:8837 --proxy=pylonpar ychuang@underpass &
[1] 3550

yen@yens-MacBook-Pro:~$
INFO [CLIENT] [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.L1Y1dRj4nA/Listeners" client/api.go:2049
DEBU [KEYSTORE] Returning SSH certificate "/Users/yen/.tsh/keys/172.28.231.55/yen@-cert.pub" valid until "2020-09-05 04:34:35 -0500 CDT", TLS certificate "/Users/yen/.tsh/keys/172.x.x.x.x/yen@-x509.pem" valid until "2020-09-05 09:34:35 +0000 UTC". client/keystore.go:262
INFO [KEYAGENT] Loading key for "yen@" client/keyagent.go:108
INFO [CLIENT] Connecting proxy=172.x.x.x.x:3023 login='ychuang' method=0 client/api.go:1588
DEBU [KEYAGENT] Validated host 172.x.x.x:3023. client/keyagent.go:280
INFO [CLIENT] Successful auth with proxy 172.x.x.x:3023 client/api.go:1579
DEBU [CLIENT] Found clusters: [{"name":"pylonpar","lastconnected":"2020-09-04T20:44:44.306806369-05:00","status":"online"}] client/client.go:106
INFO [CLIENT] Client= connecting to node=underpass on cluster pylonpar client/client.go:551
DEBU [KEYAGENT] Validated host underpass:0@default@pylonpar. client/keyagent.go:280
DEBU [CLIENT] Connected to node, no remote command execution was requested, blocking until context closes. client/api.go:970

yen@yens-MacBook-Pro:~$ lsof -PiTCP -sTCP:LISTEN
tsh       3550  yen    9u  IPv4 0x72a626046399b027      0t0  TCP localhost:8837 (LISTEN)

yen@yens-MacBook-Pro:~$ curl -k https://localhost:8837
DEBU [CLIENT] Attempting to connect proxy from 127.0.0.1:56376 to underpass:8837. client/client.go:861
WARN [CLIENT] Failed to proxy connection: read tcp 127.0.0.1:8837->127.0.0.1:56376: use of closed network connection. client/client.go:922
DEBU [CLIENT] Finished proxy from 127.0.0.1:56376 to underpass:8837. client/client.go:922
WARN [CLIENT] Failed to proxy connection: read tcp 127.0.0.1:8837->127.0.0.1:56376: use of closed network connection. client/client.go:943
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:8837


- `teleport --debug`
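The debug log in the report shows the local `tsh` listener accepting curl's connection and then dropping it ("use of closed network connection"), while curl itself reports `SSL_ERROR_SYSCALL`. The Go program below is an added example, not Teleport's code, that reproduces that shape of failure on loopback with a minimal `-L`-style forwarder: the client's TCP connect succeeds as soon as the local listener is bound, regardless of whether the far end can be dialed, so a tunnel whose target is unreachable fails on the first read rather than on connect. The "unreachable target" here is a constructed loopback port that nothing listens on; that the node-side dial to `underpass:8837` is what fails in the issue is an assumption, and this example is a diagnostic for telling the two failure modes apart, not a fix.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"sync"
	"time"
)

// serve accepts on ln until it is closed, handing each connection to handle.
func serve(ln net.Listener, handle func(net.Conn)) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		go handle(c)
	}
}

// Forward is a minimal local port forwarder: listen on listenAddr, and for each
// client dial targetAddr and pump bytes both ways. Listen and dial are decoupled,
// so the client's connect succeeds even when the target cannot be reached; in
// that case the client connection is closed, which a TLS client such as curl
// surfaces as SSL_ERROR_SYSCALL rather than "connection refused".
func Forward(listenAddr, targetAddr string) (net.Listener, error) {
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return nil, err
	}
	go serve(ln, func(local net.Conn) { proxyOne(local, targetAddr) })
	return ln, nil
}

func proxyOne(local net.Conn, targetAddr string) {
	defer local.Close()
	remote, err := net.DialTimeout("tcp", targetAddr, 2*time.Second)
	if err != nil {
		return // far end unreachable: the deferred Close drops the client
	}
	defer remote.Close()
	var wg sync.WaitGroup
	wg.Add(2)
	pump := func(dst, src net.Conn) {
		defer wg.Done()
		io.Copy(dst, src)
		// Half-close this direction so the peer sees EOF while the other keeps flowing.
		if tc, ok := dst.(*net.TCPConn); ok {
			tc.CloseWrite()
		}
	}
	go pump(remote, local)
	go pump(local, remote)
	wg.Wait()
}

// StartEcho runs a loopback echo service standing in for the real target.
func StartEcho() (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go serve(ln, func(c net.Conn) { defer c.Close(); io.Copy(c, c) })
	return ln, nil
}

// Probe is the client side of the check: connect to the forwarder, send msg,
// and report what came back. The error prefix names the phase that failed.
func Probe(localAddr, msg string) (string, error) {
	c, err := net.DialTimeout("tcp", localAddr, 2*time.Second)
	if err != nil {
		return "", fmt.Errorf("connect: %w", err)
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(2 * time.Second))
	if _, err := c.Write([]byte(msg)); err != nil {
		return "", fmt.Errorf("write: %w", err)
	}
	buf := make([]byte, len(msg))
	n, err := io.ReadFull(c, buf)
	if err != nil {
		return string(buf[:n]), fmt.Errorf("read: %w", err)
	}
	return string(buf[:n]), nil
}

// RunDemo exercises both cases on loopback: a tunnel to a live echo service and
// a tunnel to a port nothing listens on (constructed stand-in for a target the
// node cannot reach). It returns the healthy echo and the dead tunnel's error.
func RunDemo() (healthy string, dead error, err error) {
	echo, err := StartEcho()
	if err != nil {
		return "", nil, err
	}
	defer echo.Close()
	good, err := Forward("127.0.0.1:0", echo.Addr().String())
	if err != nil {
		return "", nil, err
	}
	defer good.Close()
	if healthy, err = Probe(good.Addr().String(), "hello"); err != nil {
		return "", nil, err
	}
	// Bind and release a port so we know nothing is listening on it.
	tmp, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	unreachable := tmp.Addr().String()
	tmp.Close()
	bad, err := Forward("127.0.0.1:0", unreachable)
	if err != nil {
		return "", nil, err
	}
	defer bad.Close()
	_, dead = Probe(bad.Addr().String(), "hello")
	return healthy, dead, nil
}

func main() {
	healthy, dead, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("live tunnel echoed %q\n", healthy)
	fmt.Printf("dead tunnel: connect succeeded, then: %v\n", dead)
}
```

Run it with `go run .`; the live tunnel echoes the payload, while the dead tunnel's error starts with `read:` (or `write:`), never `connect:`. The same split applies to the report: `lsof` proving the local port is listening only tells you that `tsh` bound it, and an `SSL_ERROR_SYSCALL` after a successful TCP connect means the connection was accepted locally and then closed, which points at the far side of the tunnel rather than the local listener.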
jorpilo commented 1 year ago

Having the same issue. Any idea how to solve it?