gravitational / teleport

https://goteleport.com
GNU Affero General Public License v3.0

Joining sessions blocked with create host mode set to keep #46252

Closed stevenGravy closed 2 months ago

stevenGravy commented 2 months ago

Expected behavior:

Joining sessions is supported with create_host_user_mode: keep set in the role.

Current behavior:

If create_host_user_mode is set to keep the user cannot join the session.

Sep 04 18:37:47 dev-1 teleport[1706]: 2024-09-04T18:37:47Z WARN [SSH:NODE]  "Dropping inbound ssh connection due to error: error while creating user\n\texit status 2" sshutils/server.go:580

Bug details:

  1. Create the role as below with two users assigned to it.
kind: role
metadata:
  name: dev-access
  description: Provides the development level access to resources
spec:
  allow:
    join_sessions:
    - kinds:
      - k8s
      - ssh
      modes:
      - moderator
      - observer
      - peer
      name: Join sessions
      roles:
      - 'dev-access'

    logins:
    - '{{internal.logins}}'
    - '{{email.local(external.username)}}'
    - '{{email.local(external.email)}}'
    node_labels:
      env: dev

  deny: {}
  options:
    cert_format: standard
    create_db_user: true
    create_desktop_user: true
    create_host_user_mode: keep
    desktop_clipboard: true
    desktop_directory_sharing: true
    enhanced_recording:
    - command
    - network
    forward_agent: false
    idp:
      saml:
        enabled: true
    max_session_ttl: 30h0m0s
    pin_source_ip: false
    port_forwarding: true
    record_session:
      default: best_effort
      desktop: true
    ssh_file_copy: true
version: v7
  2. Add a node with the label env: dev.
  3. Connect with the first user via ssh to the user getting created (jeff, alice, ...).
  4. Attempt to join as a peer from the second user.
rosstimothy commented 2 months ago

Logs from the node indicate this likely stems from trying to create a local login of -teleport-internal-join.

2024-09-05T08:16:35-04:00 DEBU [NODE]      conn(127.0.0.1:52630->127.0.0.1:443, user=-teleport-internal-join) auth attempt with key ssh-rsa-cert-v01@openssh.com SHA256:wEh/yyUaxh3ROCQ4/Z92Dojw+Kahwr9mnct9eieDAIg, &ssh.Certificate{Nonce:[]uint8{0x3, 0x45, 0x2a, 0xb4, 0x5a, 0xd4, 0xea, 0x9f, 0xde, 0x13, 0x44, 0x54, 0x77, 0x79, 0xea, 0xf9, 0x93, 0x2e, 0xcb, 0x7c, 0xa0, 0xa2, 0xa4, 0xfa, 0xe4, 0xf8, 0x8, 0xa6, 0xb2, 0x2b, 0x77, 0x2b}, Key:(*ssh.rsaPublicKey)(0x400122cbc0), Serial:0x0, CertType:0x1, KeyId:"test", ValidPrincipals:[]string{"john", "paul", "ringo", "george", "-teleport-internal-join"}, ValidAfter:0x66d9a0bf, ValidBefore:0x66da49bb, Permissions:ssh.Permissions{CriticalOptions:map[string]string{}, Extensions:map[string]string{"login-ip":"127.0.0.1", "permit-port-forwarding":"", "permit-pty":"", "private-key-policy":"none", "teleport-roles":"{\"version\":\"v1\",\"roles\":[\"auditor\",\"user-creation\",\"dev-access\"]}", "teleport-route-to-cluster":"local.dev", "teleport-traits":"null"}}, Reserved:[]uint8{}, SignatureKey:(*ssh.rsaPublicKey)(0x400122cc00), Signature:(*ssh.Signature)(0x4001abc6c0)} fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:wEh/yyUaxh3ROCQ4/Z92Dojw+Kahwr9mnct9eieDAIg local:127.0.0.1:443 remote:127.0.0.1:52630 user:-teleport-internal-join srv/authhandlers.go:317
2024-09-05T08:16:35-04:00 DEBU [NODE]      Successfully authenticated fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:wEh/yyUaxh3ROCQ4/Z92Dojw+Kahwr9mnct9eieDAIg local:127.0.0.1:443 remote:127.0.0.1:52630 user:-teleport-internal-join srv/authhandlers.go:436
2024-09-05T08:16:35-04:00 DEBU [NODE]      Checking permissions for (test,-teleport-internal-join) to login to node with RBAC checks. srv/authhandlers.go:621
2024-09-05T08:16:35-04:00 DEBU [SSH:NODE]  Incoming connection 127.0.0.1:52630 -> 127.0.0.1:443 version: SSH-2.0-Go, certtype: "user" sshutils/server.go:553
2024-09-05T08:16:35-04:00 DEBU             "/usr/sbin/groupadd output: groupadd: group 'teleport-system' already exists\n" host/hostusers.go:56
2024-09-05T08:16:35-04:00 DEBU             "/usr/sbin/groupadd output: groupadd: group 'teleport-keep' already exists\n" host/hostusers.go:56
2024-09-05T08:16:35-04:00 DEBU             "/usr/sbin/groupadd output: groupadd: group 'beatles' already exists\n" host/hostusers.go:56
2024-09-05T08:16:35-04:00 DEBU             "/usr/sbin/groupadd output: groupadd: group 'other' already exists\n" host/hostusers.go:56
2024-09-05T08:16:35-04:00 DEBU             "/usr/sbin/groupadd output: groupadd: group 'ubuntu' already exists\n" host/hostusers.go:56
2024-09-05T08:16:35-04:00 DEBU             "/usr/sbin/useradd output: /usr/sbin/useradd: invalid option -- 't'\nUsage: useradd [options] LOGIN\n       useradd -D\n       useradd -D [options]\n\nOptions:\n      --badname                 do not check for bad names\n  -b, --base-dir BASE_DIR       base directory for the home directory of the\n                                new account\n      --btrfs-subvolume-home    use BTRFS subvolume for home directory\n  -c, --comment COMMENT         GECOS field of the new account\n  -d, --home-dir HOME_DIR       home directory of the new account\n  -D, --defaults                print or change default useradd configuration\n  -e, --expiredate EXPIRE_DATE  expiration date of the new account\n  -f, --inactive INACTIVE       password inactivity period of the new account\n  -F, --add-subids-for-system   add entries to sub[ud]id even when adding a system user\n  -g, --gid GROUP               name or ID of the primary group of the new\n                                account\n  -G, --groups GROUPS           list of supplementary groups of the new\n                                account\n  -h, --help                    display this help message and exit\n  -k, --skel SKEL_DIR           use this alternative skeleton directory\n  -K, --key KEY=VALUE           override /etc/login.defs defaults\n  -l, --no-log-init             do not add the user to the lastlog and\n                                faillog databases\n  -m, --create-home             create the user's home directory\n  -M, --no-create-home          do not create the user's home directory\n  -N, --no-user-group           do not create a group with the same name as\n                                the user\n  -o, --non-unique              allow to create users with duplicate\n                                (non-unique) UID\n  -p, --password PASSWORD       encrypted password of the new account\n  -r, --system                  create a system account\n  -R, --root CHROOT_DIR         directory to chroot into\n  -P, --prefix PREFIX_DIR       prefix directory where are located the /etc/* files\n  -s, --shell SHELL             login shell of the new account\n  -u, --uid UID                 user ID of the new account\n  -U, --user-group              create a group with the same name as the user\n  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping\n      --extrausers              Use the extra users database\n\n" host/hostusers.go:98
2024-09-05T08:16:35-04:00 DEBU             "Error creating user -teleport-internal-join: error while creating user\n\texit status 2" srv/sess.go:298
2024-09-05T08:16:35-04:00 WARN [SSH:NODE]  "Dropping inbound ssh connection due to error: error while creating user\n\texit status 2" sshutils/server.go:580
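The debug log above shows the mechanism behind the failure: the node hands the join principal `-teleport-internal-join` to `useradd` as its LOGIN argument, and because the name begins with a dash, `useradd` parses `-t` as an option and exits with status 2, which the SSH server then reports as "error while creating user". The following Go program is an added example, not Teleport's own code, of the control a host-user-creation path wants in front of `useradd`: validate the principal against the username rule from useradd(8) (lowercase letter or underscore first, then lowercase letters, digits, underscores or dashes, optional trailing `$`, at most 32 characters) before building any argv, so that an internal or otherwise malformed principal is refused rather than interpreted as a flag. Function and error names are this example's own; the `--create-home` and `--groups` flags are taken from the usage text in the log, and placing the login after `--` assumes GNU getopt end-of-options handling in the `useradd` build in use.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// hostLoginPattern encodes the username rule documented in useradd(8):
// start with a lowercase letter or underscore, continue with lowercase
// letters, digits, underscores or dashes, optionally end with "$".
// A leading "-" can never match, so "-teleport-internal-join" is
// rejected before it could ever be read as an option.
var hostLoginPattern = regexp.MustCompile(`^[a-z_][a-z0-9_-]*\$?$`)

// maxHostLoginLen is the 32-character limit stated in useradd(8).
const maxHostLoginLen = 32

// Typed errors so callers (and tests) can distinguish why a name was refused.
var (
	ErrEmptyLogin      = errors.New("host login is empty")
	ErrLooksLikeOption = errors.New("host login begins with '-' and would be parsed as a command-line option")
	ErrLoginTooLong    = errors.New("host login exceeds 32 characters")
	ErrInvalidLogin    = errors.New("host login contains characters useradd does not accept")
)

// ValidateHostLogin decides whether a principal is safe to pass to useradd
// as its LOGIN argument. It returns nil for acceptable names and a typed
// error otherwise. The leading-dash check comes first because that is the
// exact case observed in the node log.
func ValidateHostLogin(login string) error {
	switch {
	case login == "":
		return ErrEmptyLogin
	case strings.HasPrefix(login, "-"):
		return ErrLooksLikeOption
	case len(login) > maxHostLoginLen:
		return ErrLoginTooLong
	case !hostLoginPattern.MatchString(login):
		return ErrInvalidLogin
	}
	return nil
}

// UseraddArgs builds the argv for creating a host user with supplementary
// groups. Validation is the primary control; the "--" separator before the
// login is defence in depth (assumes GNU getopt end-of-options semantics).
func UseraddArgs(login string, groups []string) ([]string, error) {
	if err := ValidateHostLogin(login); err != nil {
		return nil, fmt.Errorf("refusing to create host user %q: %w", login, err)
	}
	args := []string{"/usr/sbin/useradd", "--create-home"}
	if len(groups) > 0 {
		// Group names are passed to the same command line, so apply the
		// same rule to them rather than trusting them as option-free.
		for _, g := range groups {
			if err := ValidateHostLogin(g); err != nil {
				return nil, fmt.Errorf("refusing supplementary group %q: %w", g, err)
			}
		}
		args = append(args, "--groups", strings.Join(groups, ","))
	}
	args = append(args, "--", login)
	return args, nil
}

func main() {
	// Constructed sample principals: two ordinary logins from the report's
	// reproduction steps and the internal join principal from the debug log.
	for _, p := range []string{"jeff", "alice", "-teleport-internal-join"} {
		args, err := UseraddArgs(p, []string{"teleport-keep"})
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		fmt.Println("run:", strings.Join(args, " "))
	}
}
```

Run as-is, the program prints an argv for `jeff` and `alice` and a `skip:` line for `-teleport-internal-join` carrying `ErrLooksLikeOption`; a host that applied this check would leave the inbound join connection alone instead of dropping it with exit status 2 from `useradd`.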