Modifies the SSH multiplexer protocol to support specifying a target cluster and modifies the generation of the known_hosts and ssh_config to include all accessible clusters.
The additional "|cluster" suffix added to the protocol is optional - if omitted the old behaviour of using the cluster that the bot has authenticated is used. This means that using an ssh_config generated by a previous version with a newer version of tbot will not result in an error.
However, the opposite is not true. Using an ssh_config generated by a newer tbot with an older tbot's tunnel will result in an error:
~/code/gravitational/teleport git:[master]
ssh -F ../teleport-scratch/tbot-ssh/ssh-proxy/ssh_config_old -p 13022 noah@macbook.root.tele.ottr.sh echo foo
failed connecting to host macbook:13022|root.tele.ottr.sh: failed to receive cluster details response
failed to dial target host
direct dialing to nodes not found in inventory is not supported
Connection closed by /Users/noah/code/gravitational/teleport-scratch/tbot-ssh/ssh-proxy/v1.sock port 0
We could roll to a v2.sock to make this error a little clearer since the socket wouldn't exist, but they'd still get an error. Given that the ssh_config is generated by the tbot that hosts the tunnel, the only scenario where this could be encountered is if the user maintains a custom ssh_config and starts using cluster targeting with an older version of tbot. Additionally, the SSH multiplexer has only existed for 1 or 2 patch versions. This makes it feel to me like it's not worth rolling to v2.sock - but let me know your thoughts.
changelog: Added support for dialling leaf clusters to the tbot SSH multiplexer
Closes https://github.com/gravitational/teleport/issues/43477
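The optional "|cluster" suffix described above, as an added Go example that is not taken from the pull request or from Teleport's code: a parser that accepts both the old `host:port` form and the new `host:port|cluster` form. `Target`, `ParseTarget` and the `allowed` cluster allowlist are hypothetical names, and rejecting clusters outside the allowlist is an assumption about how a receiver could validate the request.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Target is a parsed multiplexer dial request (hypothetical type).
type Target struct {
	Host    string
	Port    uint16
	Cluster string
}

// ParseTarget parses "host:port" or "host:port|cluster". Without a suffix it
// falls back to defaultCluster, the cluster the bot authenticated to, which
// keeps requests from an older ssh_config working. allowed is an assumed
// allowlist of the clusters the bot can access.
func ParseTarget(req, defaultCluster string, allowed map[string]bool) (Target, error) {
	addr, cluster, hasSuffix := strings.Cut(req, "|")
	if !hasSuffix {
		cluster = defaultCluster
	} else if cluster == "" || strings.Contains(cluster, "|") {
		return Target{}, errors.New("malformed cluster suffix")
	}
	host, portStr, err := net.SplitHostPort(addr)
	if err != nil {
		return Target{}, fmt.Errorf("bad address %q: %w", addr, err)
	}
	// ParseUint rejects signs and anything outside 0..65535.
	port, err := strconv.ParseUint(portStr, 10, 16)
	if err != nil || port == 0 || host == "" {
		return Target{}, fmt.Errorf("bad address %q", addr)
	}
	if !allowed[cluster] {
		return Target{}, fmt.Errorf("cluster %q is not accessible", cluster)
	}
	return Target{Host: host, Port: uint16(port), Cluster: cluster}, nil
}

func main() {
	// Constructed sample input; leaf.example.com is a placeholder leaf cluster.
	allowed := map[string]bool{"root.tele.ottr.sh": true, "leaf.example.com": true}
	for _, req := range []string{"macbook:13022", "macbook:13022|leaf.example.com", "macbook:13022|"} {
		t, err := ParseTarget(req, "root.tele.ottr.sh", allowed)
		fmt.Printf("%q -> %+v err=%v\n", req, t, err)
	}
}
```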