strideynet
commented
4 months ago Just for additional context - in "remote mode", we also support credentials being provided with --identity-file when using Machine ID.
Open zmb3 opened 4 months ago
strideynet
commented
4 months ago Just for additional context - in "remote mode", we also support credentials being provided with --identity-file when using Machine ID.
webvictim
commented
3 months ago Also, tctl is missing a --proxy-server flag - --auth_server works, but is confusingly named.
Related: https://github.com/gravitational/teleport/issues/11524
There are several aspects of
tctlthat are confusing to newcomers.tctldoesn't offer any sort of login command. It operates in two different modes:tsh loginThe first item confuses people because you have log in with one tool in order to use another tool. This is unintuitive, and the software provides no visibility into what's happening.
The second item is confusing because it only works by default if there's a
/etc/teleport.yamland if that file has the auth service enabled. If your config is stored in a non-standard location, you need to setTELEPORT_CONFIG_FILEor pass the--configflag.This is compounded by the fact that most people aren't aware that local mode is a thing and they unintentionally trigger that behavior by simply pasting a
tctlcommand from our docs. The software doesn't tell you that it's making an assumption that the auth server is running locally, and it doesn't give you a clear actionable error - you typically see some sort of permissions issue because your user doesn't have permissions to read/var/lib.Some ideas for things we can do to improve the situation:
tctl logincommand. It could even be interactive - if we detect that the auth server is running locally we can offer local admin mode as an option, otherwise we can reuse the same prompts fromtsh login.tctl statusto show information about the current credentials (local admin mode, remote profile, or completely unauthenticated)