gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

`ssh` can fail with agentless node created with `teleport join openssh` #48257

Open Joerger opened 1 week ago

Joerger commented 1 week ago

Connecting to an agentless node with ssh can fail due to capitalization in hostnames not being respected. However, `teleport join openssh` automatically sets the hostname to `$(hostname)` even if it includes capitalized letters.

```
> tsh ls
Node Name           Address          Labels
------------------- ---------------- --------------------------------------------------------------------
Brians-MBP-2        local.openssh:22 env=dev
```

```
> ssh -v Brians-MBP-2.root.example.com
OpenSSH_9.8p1, LibreSSL 3.3.6
debug1: Reading configuration data /Users/bjoerger/.ssh/config
debug1: /Users/bjoerger/.ssh/config line 19: Applying options for *.root.example.com
debug1: /Users/bjoerger/.ssh/config line 26: Applying options for *.root.example.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: include /etc/ssh/ssh_config.d/* matched no files
debug1: /etc/ssh/ssh_config line 54: Applying options for *
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Executing proxy command: exec "/Users/bjoerger/src/gravitational/teleport/build/tsh" proxy ssh --cluster=root.example.com --proxy=root.example.com:3080 bjoerger@brians-mbp-2.root.example.com:3022
debug1: identity file /Users/bjoerger/.tsh/keys/root.example.com/dev type 0
debug1: certificate file /Users/bjoerger/.tsh/keys/root.example.com/dev-ssh/root.example.com-cert.pub type 4
debug1: Local version string SSH-2.0-OpenSSH_9.8
ERROR: failed connecting to host brians-mbp-2:3022: failed to receive cluster details response
    failed to dial target host
    direct dialing to nodes not found in inventory is not supported

kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
```

I have to manually `tctl edit nodes/Brians-MBP-2` to change the name to lower case and fix it, or use another join method.

zmb3 commented 1 week ago

I suspect this might be the same issue as https://github.com/gravitational/teleport/issues/42315, which @bl-nero found during a prior test plan.

Joerger commented 1 week ago

> I suspect this might be the same issue as #42315, which @bl-nero found during a prior test plan.

The issue seems to be that ssh makes the hostname lower case in the `ProxyCommand`, and Teleport then doesn't recognize it.

```
debug1: Executing proxy command: exec "/Users/bjoerger/src/gravitational/teleport/build/tsh" proxy ssh --cluster=root.example.com --proxy=root.example.com:3080 bjoerger@brians-mbp-2.root.example.com:22
...
ERROR: failed connecting to host brians-mbp-2:22: failed to receive cluster details response
    failed to dial target host
    direct dialing to nodes not found in inventory is not supported
```

Calling `tsh proxy` directly with the actual node name works:

```
> tsh proxy ssh --cluster=root.example.com --proxy=root.example.com:3080 bjoerger@Brians-MBP-2.root.example.com:22
SSH-2.0-Go
```

The other issue is related, as it limits what hostnames you can change to while still having a valid openssh cert.
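The mismatch described in the report and in the follow-up comment (ssh lowercases the host before running `ProxyCommand`, while the inventory keeps the mixed-case `$(hostname)`) is easy to reproduce in isolation. The Go program below is an added illustration and not Teleport's code: `Node`, `Inventory`, `HostFromTarget`, `LookupExact`, `LookupFold` and `NormalizeNodeName` are all constructed for this example. It parses the exact target string from the debug output above, shows that a byte-for-byte inventory match fails, and shows the two ways the match can be made to succeed: comparing names case-insensitively at lookup time, or lowercasing the hostname when the node is registered. It deliberately says nothing about certificate principals; as the comment above notes, the related issue constrains which names remain valid for the OpenSSH host certificate, so a real fix has to keep those consistent too.

```go
package main

import (
	"fmt"
	"strings"
)

// Node is a constructed stand-in for an inventory entry; it is not
// Teleport's own type.
type Node struct {
	Name string
	Addr string
}

// Inventory mirrors the single agentless node from the `tsh ls` output
// in the report (constructed sample data).
var Inventory = []Node{
	{Name: "Brians-MBP-2", Addr: "local.openssh:22"},
}

// HostFromTarget extracts the bare node name from a "user@host.cluster:port"
// target, the shape ssh hands to `tsh proxy ssh` via ProxyCommand. The
// cluster suffix is stripped only when it matches the given cluster name.
func HostFromTarget(target, cluster string) string {
	host := target
	if i := strings.LastIndex(host, "@"); i >= 0 {
		host = host[i+1:]
	}
	if i := strings.LastIndex(host, ":"); i >= 0 {
		host = host[:i]
	}
	return strings.TrimSuffix(host, "."+cluster)
}

// LookupExact is a byte-for-byte name match: the behaviour the report shows,
// where the lowercased "brians-mbp-2" from ssh never matches "Brians-MBP-2".
func LookupExact(nodes []Node, name string) (Node, bool) {
	for _, n := range nodes {
		if n.Name == name {
			return n, true
		}
	}
	return Node{}, false
}

// LookupFold matches node names case-insensitively. DNS host names are
// case-insensitive (RFC 4343), which is the semantics ssh relies on when
// it lowercases the host.
func LookupFold(nodes []Node, name string) (Node, bool) {
	for _, n := range nodes {
		if strings.EqualFold(n.Name, name) {
			return n, true
		}
	}
	return Node{}, false
}

// NormalizeNodeName is the join-time alternative: lowercase $(hostname)
// before it is stored, so the stored name already equals what ssh sends.
func NormalizeNodeName(hostname string) string {
	return strings.ToLower(strings.TrimSpace(hostname))
}

func main() {
	const cluster = "root.example.com"
	// The exact target string from the debug output in the report.
	target := "bjoerger@brians-mbp-2.root.example.com:3022"
	host := HostFromTarget(target, cluster)

	if _, ok := LookupExact(Inventory, host); !ok {
		fmt.Printf("exact lookup of %q: not found (the reported failure)\n", host)
	}
	if n, ok := LookupFold(Inventory, host); ok {
		fmt.Printf("case-insensitive lookup of %q: found %s at %s\n", host, n.Name, n.Addr)
	}
	fmt.Printf("normalized at join time: %q\n", NormalizeNodeName("Brians-MBP-2\n"))
}
```

To confirm what ssh will actually pass to the `ProxyCommand` on a given machine, `ssh -G Brians-MBP-2.root.example.com` prints the evaluated configuration; its `hostname` line should show the lowercased form that appears in the `debug1: Executing proxy command` output above.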