Identity flag for logging in

[kontsevoy]

Problem

Currently tsh ssh can only use credentials obtained earlier via tsh login. This is not convenient for robo-clients such as cron jobs, that aren't able to perform interactive logins via mechanisms like SAML.

Solution: TSH side

tsh ssh needs to support -i flag. It would work in a way compatible with OpenSSH but also support "extended" Teleport-specific syntax, here's how it would work:

Reminder: tsh always requires 2 bits of info to authenticate: a private key and a certificate.
Syntax:

$ tsh ssh -i identity login@host

Where identity can be one of:

• identity.pem containing the private SSH key only. This is OpenSSH-compatible mode. In this mode tsh should also look for identity-cert.pub file to use for logging into the Teleport proxy.
• identity.pem containing both the private key concatenated with the cert (in any order). Optionally, identity.pem may include the cluster CA as well (see [1] below). If all parts are found inside a single .pem, tsh should happily proceed to establish a connection.

[1] it is possible to supply the cluster public key (for host auth) by appending it to identity.pem, like this: tctl auth sign --type=host >> identity.pem. If the identity file contains cluster CA, users will not be asked to trust the proxy.

Solution: TCTL side

tctl should be able to produce both formats of "identity". Currently we have a command called tctl auth sign. This command must be able to produce the identity in both formats.

Syntax:

$ tctl auth sign --user=zeka --out=identity.pem

This syntax should produce identity.pem which would contain both key+cert concatenated together.

$ tctl auth sign --user=zeka

This syntax should produce the same output as before, but printed into stdout (instead of the current behavior)

$ tctl auth sign --user=zeka --out=identity -format=dir

When -format=dir flag is used with auth sign, it should implement the current (2.1) behavior, i.e. produce 3 files under newly created identity directory:

identity/zeka.pub <-- public key
identity/zeka <-- private key
identity/zeka-cert.pub <-- certificate

[nikatjef]

Might I suggest using the '-l' (lower case L) argument instead and use the '-i' to support the identity key location. This will allow existing scripts to be more easily converted from SSH to TSH. For example, currently you would type the following for SSH;
ssh -l nikatjef -i /home/nikatjef/.ssh/id_rsa <remote host>

Then to port a script from SSH to TSH, it would become;
tsh ssh -l nikatjef -i /home/nikatjef/.tsh/nikatjef <remote host>

Or with your Ansible change;
ssh -l nikatjef -i /home/nikatjef/.tsh/nikatjef <remote host>

[klizhentas]

this looks good to me. @nikatjef I think what @kontsevoy proposes is exactly what you have just described - -i flag will be compatible with SSH behavior:

tsh ssh -i /home/nikatjef/.ssh/id_rsa login@host

will work with Ev's proposal as well.

[kontsevoy]

@nikatjef correct, the proposed behavior is 100% compatible with OpenSSH and existing scripts. -l means "login" and -i means "identity" and tsh will support both.

[kontsevoy]

Done.