search

gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
17.36k stars 1.74k forks source link

unexpected maxlogins behavior #6096

Open programmerq opened 3 years ago

programmerq commented 3 years ago

Description

What happened:

When setting hard maxlogins 3 in /etc/security/limits.d/99-custom.conf, teleport treats it as maxlogins 2 and rejects the third connection:

Too many logins for 'username'.
Failed to launch: Permission denied.
the connection was closed on the remote side on  22 Mar 21 19:24 GMT

This behavior is a departure from the behavior of openssh and introduces an extra complication in an environment that runs both teleport and openssh-server alongside eachother.

What you expected to happen:

A Teleport user should be able to log in with 3 sessions with hard maxlogins 3.

Reproduction Steps

Set up the security limits.d and attempt to connect the maximum number of times

Server Details

Client Details

Debug Logs

Please include or attach debug logs, when appropriate. Obfuscate sensitive information!

kazimierzbudzyk commented 3 years ago

STARTUP LOG

Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SQLITE]    Connected to: file:/var/lib/teleport/proc/sqlite.db?_busy_timeout=10000&_sync=OFF, poll stream period: 1s lite/lite.go:172
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SQLITE]    Synchronous: 0, busy timeout: 10000 lite/lite.go:217
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [KEYGEN]    SSH cert authority started with no keys pre-compute. native/native.go:103
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Adding service to supervisor. service:register.node service/supervisor.go:184
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Adding service to supervisor. service:ssh.node service/supervisor.go:184
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Adding service to supervisor. service:ssh.shutdown service/supervisor.go:184
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Adding service to supervisor. service:common.rotate service/supervisor.go:184
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Service has started. service:register.node service/supervisor.go:245
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Connected state: never updated. service/connect.go:99
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [PROC:1]    Connecting to the cluster $CLUSTER  with TLS client certificate. service/connect.go:128
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Attempting to connect to Auth Server directly. service/connect.go:795
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Service has started. service:ssh.node service/supervisor.go:245
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Service has started. service:ssh.shutdown service/supervisor.go:245
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    No signal pipe to import, must be first Teleport process. service/service.go:772
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Service has started. service:common.rotate service/supervisor.go:245
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Connected to Auth Server with direct connection. service/connect.go:813
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Connected client: Identity(Node, cert($REDACTED.$CLUSTER  issued by $CLUSTER :$REDACTED),trust root($CLUSTER :$REDACTED
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Connected server: Identity(Node, cert($REDACTED.$CLUSTER  issued by $CLUSTER :$REDACTED),trust root($CLUSTER :$REDACTED
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Adding service to supervisor. service:auth.client.node service/supervisor.go:184
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Service has started. service:auth.client.node service/supervisor.go:245
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Broadcasting event. event:SSHIdentity service/supervisor.go:333
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Service is completed and removed. service:register.node service/supervisor.go:222
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE:1]    Received event "SSHIdentity". service/service.go:1610
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Creating sqlite backend for [node]. service/service.go:1459
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SQLITE]    Connected to: file:/var/lib/teleport/cache/node/sqlite.db?_busy_timeout=10000&_sync=OFF, poll stream period: 100ms lite/lite.go:172
Mar 22 20:51:56 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SQLITE]    Synchronous: 0, busy timeout: 10000 lite/lite.go:217
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [NODE:1:CA] Cache "node" first init succeeded. cache/cache.go:616
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [BPF]       Enhanced session recording is not enabled, skipping. bpf/bpf.go:87
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SSH:NODE]  Supported ciphers: ["aes128-ctr" "aes192-ctr" "aes256-ctr" "aes128-gcm@openssh.com"]. sshutils/server.go:217
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SSH:NODE]  Supported KEX algorithms: ["ecdh-sha2-nistp256" "ecdh-sha2-nistp384" "echd-sha2-nistp521"]. sshutils/server.go:227
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SSH:NODE]  Supported MAC algorithms: ["hmac-sha2-256-etm@openssh.com" "hmac-sha2-256"]. sshutils/server.go:237
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE:BEAT] Starting Node heartbeat with announce period: 1m0s, keep-alive period 5m39.76157606s, poll period: 5s srv/heartbeat.go:143
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT:1]   Creating directory /var/lib/teleport/log. service/service.go:1885
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload. service/service.go:1885
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/sessions. service/service.go:1885
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/sessions/default. service/service.go:1885
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT:1]   Creating directory /var/lib/teleport/log. service/service.go:1885
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload. service/service.go:1885
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/streaming. service/service.go:1885
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT:1]   Creating directory /var/lib/teleport/log/upload/streaming/default. service/service.go:1885
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Adding service to supervisor. service:uploader.service service/supervisor.go:184
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Adding service to supervisor. service:uploader.shutdown service/supervisor.go:184
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Adding service to supervisor. service:fileuploader.service service/supervisor.go:184
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Adding service to supervisor. service:fileuploader.shutdown service/supervisor.go:184
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [PROC:1]    Service node is creating new listener on 0.0.0.0:3022. service/signals.go:213
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Service has started. service:uploader.service service/supervisor.go:245
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Service has started. service:uploader.shutdown service/supervisor.go:245
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Service has started. service:fileuploader.service service/supervisor.go:245
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Service has started. service:fileuploader.shutdown service/supervisor.go:245
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [NODE:1]    Service 6.0.0: is starting on 0.0.0.0:3022 sqlite cache that will expire after connection to database is lost after 20h0m0s, will cache frequently accessed items for 2s. service/service.go:1756
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [NODE:1]    Service 6.0.0: is starting on 0.0.0.0:3022. utils/cli.go:226
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SSH:NODE]  Listening on [::]:3022. sshutils/server.go:370
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Broadcasting event. event:NodeReady service/supervisor.go:333
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [PROC:1]    Broadcasting mapped event. in:NodeReady out:EventMapping(in=[NodeReady], out=TeleportReady) service/supervisor.go:358
Mar 22 20:51:57 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [PROC:1]    The new service has started successfully. Starting syncing rotation status with period 10m0s. service/connect.go:431

PAM_LIMITS CONNECTION REJECTED

Mar 22 20:54:52 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      conn($SOURCE:24332->$DESTINATION:3022, user=$USER) auth attempt fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:$REDACTED local:$DESTINATION:3022 remote:$SOURCE:24332 user:$USER srv/authhandlers.go:163
Mar 22 20:54:52 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      conn($SOURCE:24332->$DESTINATION:3022, user=$USER) auth attempt with key ssh-rsa-cert-v01@openssh.com SHA256:$REDACTED, &ssh.Certificate{Nonce:[]uint8{$REDACTED}, Key:(*ssh.rsaPublicKey)(0xc00050b6a0), Serial:0x0, CertType:0x1, KeyId:"$USER@$DOMAIN", ValidPrincipals:[]string{"$USER"}, ValidAfter:0x60590219, ValidBefore:0x60591065, Permissions:ssh.Permissions{$REDACTED}, Reserved:[]uint8{}, SignatureKey:(*ssh.rsaPublicKey)(0xc00050b7e0), Signature:(*ssh.Signature)(0xc00007da80)} fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:$REDACTED local:$DESTINATION:3022 remote:$SOURCE:24332 user:$USER srv/authhandlers.go:166
Mar 22 20:54:52 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      Successfully authenticated fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:$REDACTED local:$DESTINATION:3022 remote:$SOURCE:24332 user:$USER srv/authhandlers.go:224
Mar 22 20:54:52 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      Checking permissions for ($USER@$DOMAIN,$USER) to login to node with RBAC checks. srv/authhandlers.go:338
Mar 22 20:54:52 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SSH:NODE]  Incoming connection $SOURCE:24332 -> $DESTINATION:3022 vesion: SSH-2.0-Go. sshutils/server.go:443
Mar 22 20:54:53 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SSH:NODE]  Received out-of-band request: &{Type:x-teleport-version WantReply:true Payload:[] ch:<nil> mux:0xc00019f180}. sshutils/server.go:498
Mar 22 20:54:53 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [KEEPALIVE] Starting keep-alive loop with with interval 1m0s and max count 3. srv/keepalive.go:65
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      Handling request env, want reply true. id:2 idle:1h0m0s local:$DESTINATION:3022 login:$USER remote:$SOURCE:24332 teleportUser:$USER@$DOMAIN regular/sshserver.go:1269
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      Handling request env, want reply true. id:2 idle:1h0m0s local:$DESTINATION:3022 login:$USER remote:$SOURCE:24332 teleportUser:$USER@$DOMAIN regular/sshserver.go:1269
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU             Will create new session for SSH connection $SOURCE:24332. srv/ctx.go:433
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      Handling request pty-req, want reply true. id:2 idle:1h0m0s local:$DESTINATION:3022 login:$USER remote:$SOURCE:24332 teleportUser:$USER@$DOMAIN regular/sshserver.go:1269
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      Requested terminal "xterm-256color" of size {315 64} id:2 idle:1h0m0s local:$DESTINATION:3022 login:$USER remote:$SOURCE:24332 teleportUser:$USER@$DOMAIN srv/termhandlers.go:73
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU             Set permissions on /dev/pts/5 to 850801661:5 with mode -rw-------. srv/term.go:407
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SESSION:N] Unable to update window size, no session found in context. srv/sess.go:389
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU             Will create new session for SSH connection $SOURCE:24332. srv/ctx.go:433
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      Handling request shell, want reply true. id:2 idle:1h0m0s local:$DESTINATION:3022 login:$USER remote:$SOURCE:24332 teleportUser:$USER@$DOMAIN regular/sshserver.go:1269
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [NODE]      Creating (interactive) session $SESSION_ID. id:2 idle:1h0m0s local:$DESTINATION:3022 login:$USER remote:$SOURCE:24332 teleportUser:$USER@$DOMAIN srv/sess.go:211
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SESSION:N] Using async streamer for session $SESSION_ID. srv/sess.go:1043
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [SESSION:N] New party ServerContext($SOURCE:24332->$DESTINATION:3022, user=$USER, id=2) party(id=$PARTY_ID) joined session: $SESSION_ID srv/sess.go:1219
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SESSION:N] Starting poll and sync of terminal size to all parties. srv/sess.go:1161
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT]     session.start addr.local:$DESTINATION:3022 addr.remote:$SOURCE:24332 cluster_name:$CLUSTER code:T2000I ei:0 event:session.start login:$USER namespace:default server_addr:$DESTINATION:3022 server_hostname:$HOSTNAME  server_id:$SERVER_ID server_labels:map[cluster:$CLUSTER $REDACTED] sid:$SESSION_ID size:315:64 time:2021-03-22T20:54:54.584Z uid:b15bf2da-5ddf-4876-8141-3c7a75f72f64 user:$USER@$DOMAIN events/emitter.go:317
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU             Will join session $SESSION_ID for SSH connection $SOURCE:24332. srv/ctx.go:435
Mar 22 20:54:54 $HOSTNAME teleport[3202]: pam_limits(teleport:session): Stale utmp entry (pid 21436) for '$USER' ignored
Mar 22 20:54:54 $HOSTNAME teleport[3202]: pam_limits(teleport:session): Stale utmp entry (pid 1685) for '$USER' ignored
Mar 22 20:54:54 $HOSTNAME teleport[3202]: pam_limits(teleport:session): Stale utmp entry (pid 30906) for '$USER' ignored
Mar 22 20:54:54 $HOSTNAME teleport[3202]: pam_limits(teleport:session): Too many logins (max 3) for $USER
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SESSION:N] Copying from PTY to writer completed with error read /dev/ptmx: input/output error. srv/sess.go:788
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      Exec request ("/usr/local/bin/teleport") complete: 255 id:2 idle:1h0m0s local:$DESTINATION:3022 login:$USER remote:$SOURCE:24332 teleportUser:$USER@$DOMAIN regular/sshserver.go:1249
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [SESSION:N] Closing party $PARTY_ID srv/sess.go:1410
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [NODE]      Releasing associated resources - context has been closed. id:2 idle:1h0m0s local:$DESTINATION:3022 login:$USER remote:$SOURCE:24332 teleportUser:$USER@$DOMAIN srv/monitor.go:207
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SESSION:N] Sent session.join to $SOURCE:24332. srv/sess.go:290
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [NODE]      Removing party ServerContext($SOURCE:24332->$DESTINATION:3022, user=$USER, id=2) party(id=$PARTY_ID) from session $SESSION_ID id:2 idle:1h0m0s local:$DESTINATION:3022 login:$USER remote:$SOURCE:24332 teleportUser:$USER@$DOMAIN srv/sess.go:1083
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT]     session.data addr.local:$DESTINATION:3022 addr.remote:$SOURCE:24332 cluster_name: code:T2006I ei:2.147483646e+09 event:session.data login:$USER namespace:default rx:6710 server_id:$SERVER_ID sid:$SESSION_ID time:2021-03-22T20:54:54.825Z tx:6310 uid:$UID user:$USER@$DOMAIN events/emitter.go:317
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [SESSION:N] Session $SESSION_ID will be garbage collected. srv/sess.go:323
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SESSION:N] Session has encountered 2 slow writes out of 11. Check disk and network on this server. events/auditwriter.go:366
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [SESSION:N] Closing session $SESSION_ID. srv/sess.go:632
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU             Closing session writer: session-recorder. srv/sess.go:1327
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SESSION:N] Session has encountered 2 slow writes out of 11. Check disk and network on this server. events/auditwriter.go:366
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SESSION:N] Stopping poll and sync of terminal size to all parties. srv/sess.go:1182
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT]     session.leave cluster_name:$CLUSTER code:T2003I ei:9 event:session.leave namespace:default server_addr:$DESTINATION:3022 server_hostname:$HOSTNAME  server_id:$SERVER_ID server_labels:map[cluster:$CLUSTER $REDACTED] sid:$PARTY_ID time:2021-03-22T20:54:54.824Z uid:8ef0be58-a583-4c02-9838-aeb6b5acc7c3 user:$USER@$DOMAIN events/emitter.go:317
Mar 22 20:54:54 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [AUDIT]     session.end cluster_name:$CLUSTER code:T2004I ei:10 enhanced_recording:false event:session.end interactive:true namespace:default participants:[$USER@$DOMAIN] server_addr:$DESTINATION:3022 server_hostname:$HOSTNAME  server_id:$SERVER_ID server_labels:map[cluster:$CLUSTER $REDACTED] session_start:2021-03-22T20:54:54.53463294Z session_stop:2021-03-22T20:54:54.825534403Z sid:$SESSION_ID time:2021-03-22T20:54:54.826Z uid:8485d728-071b-4fe4-bd52-14a5430193c5 user:$USER@$DOMAIN events/emitter.go:317
Mar 22 20:54:55 $HOSTNAME /usr/local/bin/teleport[1434]: INFO [SESSION:N] Party member $PARTY_ID left session $SESSION_ID. srv/sess.go:1228
Mar 22 20:54:55 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [TERM:LOCA] Closed PTY srv/term.go:300
Mar 22 20:54:55 $HOSTNAME /usr/local/bin/teleport[1434]: DEBU [SSH:NODE]  Closed connection $SOURCE:24332. sshutils/server.go:448

TSH DEBUG LOG

➜  ~ tsh ssh -d $HOSTNAME
INFO [CLIENT]    no host login given. defaulting to $USER client/api.go:811
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.4gaRISyGm3/Listeners" client/api.go:2201
DEBU [KEYSTORE]  Returning SSH certificate "/Users/$USER/.tsh/keys/$REDACTED/$USER@$DOMAIN-cert.pub" valid until "2021-03-22 21:47:17 +0000 GMT", TLS certificate "/Users/$USER/.tsh/keys/$REDACTED/$USER@$DOMAIN-x509.pem" valid until "2021-03-22 21:47:17 +0000 UTC". client/keystore.go:277
INFO [KEYAGENT]  Loading key for "$USER@$DOMAIN" client/keyagent.go:113
INFO [CLIENT]    Connecting proxy=$PROXY_NLB:3023 login='$USER' method=0 client/api.go:1633
DEBU [KEYAGENT]  Validated host $PROXY_NLB:3023. client/keyagent.go:285
INFO [CLIENT]    Successful auth with proxy $PROXY_NLB:3023 client/api.go:1614
DEBU [CLIENT]    Found clusters: [{"name":"$CLUSTER","lastconnected":"2021-03-22T21:16:04.584703599Z","status":"online"}] client/client.go:107
INFO [CLIENT]    Client= connecting to node=$HOSTNAME on cluster $CLUSTER client/client.go:539
DEBU [KEYAGENT]  Validated host $HOSTNAME:0@default@$CLUSTER. client/keyagent.go:285
$MOTD
Too many logins for '$USER'.
Failed to launch: Permission denied.
the connection was closed on the remote side on  22 Mar 21 21:15 GMT