gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

tsh proxy ssh truncates hostname #43678

Open a-b-v opened 4 days ago

a-b-v commented 4 days ago

I have a teleport on domain.com with ssh server resource names like node1.dev.project.domain.com. I can connect using tsh ssh:

$ tsh ssh node1.dev.project.domain.com

but when I try to open a connection with ssh using Proxycommand, I am not able to connect due to a teleport error:

$ tsh proxy ssh node1.dev.project.domain.com:3022
ERROR: failed connecting to host node1.dev.project:3022: failed to receive cluster details response
    failed to dial target host
    direct dialing to nodes not found in inventory is not supported

Expected behavior: Connection successfully established

Current behavior: tsh proxy ssh throws an error

Bug details:

ERROR REPORT:
Original Error: trace.ConnectionProblemError failed connecting to host node1.dev.project:3022: failed to receive cluster details response
    failed to dial target host
    direct dialing to nodes not found in inventory is not supported
Stack Trace:
    github.com/gravitational/teleport/api@v0.0.0/client/proxy/client.go:413 github.com/gravitational/teleport/api/client/proxy.(Client).DialHost
    github.com/gravitational/teleport/lib/client/cluster_client.go:110 github.com/gravitational/teleport/lib/client.(*ClusterClient).DialHostWithResumption
    github.com/gravitational/teleport/tool/tsh/common/proxy.go:98 github.com/gravitational/teleport/tool/tsh/common.onProxyCommandSSH.func1
    github.com/gravitational/teleport/lib/client/api.go:593 github.com/gravitational/teleport/lib/client.RetryWithRelogin
    github.com/gravitational/teleport/tool/tsh/common/proxy.go:60 github.com/gravitational/teleport/tool/tsh/common.onProxyCommandSSH
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:1459 github.com/gravitational/teleport/tool/tsh/common.Run
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:599 github.com/gravitational/teleport/tool/tsh/common.Main
    github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
    runtime/proc.go:271 runtime.main
    runtime/asm_amd64.s:1695 runtime.goexit
User Message: failed connecting to host node1.dev.project:3022: failed to receive cluster details response
    failed to dial target host
    direct dialing to nodes not found in inventory is not supported

rosstimothy commented 3 days ago

tsh proxy ssh expects the target to be in the form of <node-name>.<cluster>, so in your case you would want to use tsh proxy ssh node1.dev.project.domain.com.domain.com:3022.

tsh proxy ssh was mainly intended to be used as a ProxyCommand for ssh. For example, the ssh config generated by tsh config looks like the following. To connect to node1 via tsh proxy ssh I would then use ssh node1.local.dev and it would invoke tsh proxy ssh --cluster=local.dev --proxy=proxy.example.com:443 alice@node1.local.dev:3022.

$ tsh config > ssh.config
$ cat ssh.config
# Begin generated Teleport configuration for proxy.example.com by tsh

# Common flags for all local.dev hosts
Host *.local.dev proxy.example.com
    UserKnownHostsFile "/home/alice/.tsh/known_hosts"
    IdentityFile "/home/alice/.tsh/keys/proxy.example.com/alice"
    CertificateFile "/home/alice/.tsh/keys/proxy.example.com/alice-ssh/local.dev-cert.pub"
    HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com

# Flags for all local.dev hosts except the proxy
Host *.local.dev !proxy.example.com
    Port 3022
    ProxyCommand "/home/alice/tsh" proxy ssh --cluster=local.dev --proxy=proxy.example.com:443 %r@%h:%p

# End generated Teleport configuration

$ ssh -F ssh.config node1.local.dev
$ teleport status
User ID     : alice, logged in as alice from 127.0.0.1 63138 443
Cluster Name: local.dev
Host UUID   : 1234-64c3-4e26-bab0-5fceca5ca124
Session ID  : 67987-6521-47c5-b2f3-d6a11418283f
Session URL : https://proxy.example.com:443/web/cluster/local.dev/console/session/67987-6521-47c5-b2f3-d6a11418283f
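
The truncation reported above, reproduced as an added example that is not part of the thread and is not Teleport's own code. It assumes, from the error message and the reply, that one trailing `.<cluster>` is removed from the target host before the inventory lookup; `splitTarget` and `proxyTarget` are hypothetical names.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// splitTarget is a hypothetical model (not Teleport's code) of resolving a
// "[user@]<node-name>.<cluster>[:port]" target: it removes one trailing
// ".<cluster>" from the host and returns the node name left to look up.
func splitTarget(target, cluster string) (user, node, port string) {
	if i := strings.LastIndex(target, "@"); i >= 0 {
		user, target = target[:i], target[i+1:]
	}
	host, p, err := net.SplitHostPort(target)
	if err != nil { // no port in the target
		host, p = target, ""
	}
	return user, strings.TrimSuffix(host, "."+cluster), p
}

// proxyTarget builds a target that survives the suffix removal above by
// always appending ".<cluster>", even when the node name already ends in it.
func proxyTarget(node, cluster, port string) string {
	return net.JoinHostPort(node+"."+cluster, port)
}

func main() {
	// Cluster and node names are the ones given in the issue report.
	const cluster = "domain.com"
	const node = "node1.dev.project.domain.com"

	// Target as typed in the report: the node's own suffix is consumed,
	// so the lookup is for a name that is not in the inventory.
	_, got, _ := splitTarget(node+":3022", cluster)
	fmt.Printf("%s -> lookup %q\n", node+":3022", got)

	// Target with the cluster appended: the full node name is preserved.
	t := proxyTarget(node, cluster, "3022")
	_, got, _ = splitTarget(t, cluster)
	fmt.Printf("%s -> lookup %q\n", t, got)
}
```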