Open milos-teleport opened 1 week ago
I'm currently working on adding support for hardware keys to Teleport Connect, and part of this task is refactoring yubikey.go
to allow it handling concurrent requests (coming from Connect).
An excerpt from my last status update, where I described the solution:
I'm refactoring the stateless code in
yubikey.go
so that there is now a “global" stateful YubiKey manager in tshd that coordinates access to the physical key. This better fits to the Connect model, where we often issue requests concurrently (as opposed to tsh, where things tend to happen sequentially). Thanks to that, if the user has to take the action (like touching the key), all other requests will wait for it to complete.
tsh will benefit from this change too - all calls to YubiKey within a single command (like tsh ls
) will access it sequentially. This should fix the issue🤞.
by the way, i no longer think tsh
is affected by the connection method race at the line i linked in that quote. It's probably the gRPC library or maybe something to do with how we tunnel TSL over TLS when dialing through a TLS-terminating load-balancer
Expected behavior: As a user who uses YubiKey solely for Teleport, and does not use multiple
tsh
commands at the same time,tsh
should not give me errors relating to Yubikey being used by another application.Current behavior: When using
tsh ls
ortsh ssh
I sometimes get this error:Bug details:
tsh ls
multiple times until the bug is triggeredWorkaround: Retry failed command
Quote from @nklaassen: