gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Teleport does not support non-interactive interactive SSH sessions. #47974

Open russjones opened 4 weeks ago

russjones commented 4 weeks ago

Teleport does not support non-interactive interactive SSH sessions. A non-interactive interactive session is a "shell" session where a PTY is not allocated. Teleport correctly supports interactive and non-interactive "exec" sessions.

Follow the steps below to create a non-interactive interactive session with OpenSSH.

First, generate host keys, user keys, and an authorized_keys file.

ssh-keygen -q -N "" -t ed25519 -f $DIR/ssh_host_ecdsa_key
ssh-keygen -q -N "" -t ed25519 -f $DIR/ssh_user_ecdsa_key
cp $DIR/ssh_user_ecdsa_key.pub $DIR/authorized_keys

Start an SSH server in the foreground on port 2022:

$ /usr/sbin/sshd -D \
  -o ListenAddress=127.0.0.1 \
  -o Port=2022 \
  -o HostKey=$DIR/ssh_host_ecdsa_key \
  -o AuthorizedKeysFile=$DIR/authorized_keys \
  -o PubkeyAuthentication=yes \
  -o PermitUserEnvironment=yes \
  -o StrictModes=no

Then request an interactive session ("shell") but do not request a PTY with the -T flag. A PTY will not be allocated but an interactive session will be created.

$ ssh -T 127.0.0.1 \
  -o Port=2022 \
  -o IdentityFile=$DIR/ssh_user_ecdsa_key \
  -o UserKnownHostsFile=/dev/null \
  -o StrictHostKeyChecking=no

Warning: Permanently added '[127.0.0.1]:2022' (ED25519) to the list of known hosts.
tty
not a tty
exit

However, with Teleport a PTY is allocated for interactive ("shell") sessions even if the user specifically requests that one not be allocated.

$ tsh ssh -T server01
~ $ tty
/dev/ttys007
~ $ exit
the connection was closed on the remote side at  25 Oct 24 16:48 PDT

russjones commented 3 weeks ago

Discovered while working on https://github.com/gravitational/teleport/pull/46879.
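
The case described in the issue, as an added Go example that is not from the issue or from Teleport's code: at the protocol level (RFC 4254), `ssh -T` with no command sends a "shell" channel request that is not preceded by "pty-req", and a server should allocate a PTY only when "pty-req" was seen. The function names and the constructed sample messages are assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const msgChannelRequest = 98 // SSH_MSG_CHANNEL_REQUEST, RFC 4254 section 5.4

// request builds: type byte, channel, request name, want_reply, payload.
func request(channel uint32, name string, extra []byte) []byte {
	b := binary.BigEndian.AppendUint32([]byte{msgChannelRequest}, channel)
	b = binary.BigEndian.AppendUint32(b, uint32(len(name)))
	b = append(append(b, name...), 1) // 1 = want_reply TRUE
	return append(b, extra...)
}

// requestName parses the request name back out of one message.
func requestName(msg []byte) (string, error) {
	if len(msg) < 9 || msg[0] != msgChannelRequest {
		return "", errors.New("not a channel request")
	}
	n := binary.BigEndian.Uint32(msg[5:9])
	if uint64(n) > uint64(len(msg)-9) {
		return "", errors.New("truncated request name")
	}
	return string(msg[9 : 9+n]), nil
}

// classify reports what the client asked for. A PTY is wanted only when a
// "pty-req" arrived before the "shell" or "exec" that starts the program.
func classify(msgs [][]byte) (string, error) {
	pty := false
	for _, m := range msgs {
		switch t, err := requestName(m); {
		case err != nil:
			return "", err
		case t == "pty-req":
			pty = true
		case t == "shell" || t == "exec":
			return fmt.Sprintf("%s pty=%t", t, pty), nil
		}
	}
	return "", errors.New("no shell or exec request")
}

func main() { // constructed sample: `ssh -T host` sends "shell" alone
	fmt.Println(classify([][]byte{request(0, "shell", nil)}))
}
```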