Teleport 10 Test Plan #13340
Looks like we "regressed" and increased the GLIBC dependency again. Edit: this appears to be related to the Rust version. Reverting to 1.58.1 seems to fix it. I will downgrade for now: #13544 |
A few preliminary findings:
$ tctl -c ./teleport.yaml users ls
> 2022-06-15T17:29:04-03:00 WARN Disabling host user creation as this feature is only available on Linux config/configuration.go:998
$ teleport start -c ./teleport.yaml
> 2022-06-15T17:28:58-03:00 WARN Disabling host user creation as this feature is only available on Linux config/configuration.go:998
Repro by adding >1 credential and then >1 users. 😢 I'll focus on (3), (1) and (2) are easy pickings if someone wants to fix them. |
@lxea Could you take a look at "1" and "2" from Alan's comment above? |
I noticed in the audit log when I do anything on my database (mysql) the log entries always show [undefined], even if I select a database explicitly during my session with "use ". Looks like this:
edit: found an issue for this #5903 It appears the behavior is to always show the database name used on login. So if I do |
I found a |
Not concerned this is a blocker, and may actually just be the test plan being incorrect. This command fails with Do we want to update the test plan with the correct command? I imagine eventually it would be nice if users didn't have to provide this flag for the command to work, but given how we currently switch in the implementation between two modes, it will probably involve rewriting |
Discovered a regression with using the configuration output by I'll write a fix for this today and we should be able to get it merged down asap. This fix has been merged down to branch/v10 and I can confirm the regression appears to be fixed. |
Found a regression in
Edit: fixed in #13596 |
Possible regression: I can't join/view my own sessions despite having permissions to do so. Am I missing something in https://goteleport.com/docs/ver/10.0/access-controls/reference/? |
Some issues I ran into while testing kube access locally:
Click for example
> tsh kube exec --tty --stdin shell-demo /bin/sh
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x106905790]
goroutine 1 [running]:
main.(*StreamOptions).SetupTTY(0x14000abe410)
/Users/gavin/work/teleport/tool/tsh/kube.go:281 +0x180
main.(*ExecOptions).Run(0x14000abe410)
/Users/gavin/work/teleport/tool/tsh/kube.go:356 +0x280
main.(*kubeExecCommand).run(0x14000674600, 0x0?)
/Users/gavin/work/teleport/tool/tsh/kube.go:467 +0x388
main.Run({0x1075eac90, 0x140006f1540}, {0x140001b6010, 0x6, 0x6}, {0x0, 0x0, 0x300000002?})
/Users/gavin/work/teleport/tool/tsh/tsh.go:896 +0x12e98
main.main()
/Users/gavin/work/teleport/tool/tsh/tsh.go:396 +0x2c0
[19:16:57] gavin@mac ~ [SIGINT]
> kubectl exec -it shell-demo -- /bin/sh
# whoami
root
Click for example
[19:08:20] gavin@mac ~ [1]
> rm -rf ~/.tsh
[19:09:07] gavin@mac ~
> tenv show
TELEPORT_CLUSTER=cluster2
TELEPORT_DEV_OUT=/tmp/out2.log
TELEPORT_CONFIG_FILE=/Users/gavin/teleport-config/nodes/cluster2.yaml
TELEPORT_USER=alice
TELEPORT_DEV_CONFIG_FILE=/Users/gavin/teleport-config/nodes/cluster2.yaml
TELEPORT_PROXY=proxy2.local.gd:4080
[19:09:11] gavin@mac ~
> bat ~/.kube/config | rg "exec" -A 10
exec:
apiVersion: client.authentication.k8s.io/v1beta1
args:
- kube
- credentials
- --kube-cluster=minikube
- --teleport-cluster=cluster1
- --proxy=proxy1.local.gd:3080
- --insecure
command: /Users/gavin/work/teleport/build/tsh
env: null
[19:09:41] gavin@mac ~
> kubectl get pods
Enter password for Teleport user alice:
WARNING: You are using insecure connection to SSH proxy https://proxy1.local.gd:3080
ERROR: SSH cert not available
Unable to connect to the server: getting credentials: exec: executable /Users/gavin/work/teleport/build/tsh failed with exit code 1
[19:09:57] gavin@mac ~ [1]
> kubectl get pods
NAME READY STATUS RESTARTS AGE
shell-demo 1/1 Running 0 75m |
I'm not sure if this would fix the outlined issue, but I noticed recently that a couple of
`c.Flag("teleport-cluster", "Name of the teleport cluster to get credentials for.").Required().StringVar(&c.teleportCluster)` becomes `c.Flag("teleport-cluster", "Name of the teleport cluster to get credentials for.").Required().Envar(clusterEnvVar).StringVar(&c.teleportCluster)`
`ssh.Flag("cluster", clusterHelp).Short('c').StringVar(&cf.SiteName)` becomes `ssh.Flag("cluster", clusterHelp).Envar(clusterEnvVar).Short('c').StringVar(&cf.SiteName)` |
Regression due to #12934: Basically the logic between Lines 81 to 104 in 77b35b8
The latter does not ( Lines 163 to 167 in 77b35b8
The result is that we try to get definition for role which we do not have in the leaf cluster and we may not have permission to do so. For example, given clusters
kind: trusted_cluster
metadata:
  id: 1655472056507184000
  name: boson.tener.io
spec:
  enabled: true
  role_map:
    - local:
        - access
      remote: access
  token: foo
  tunnel_addr: boson.tener.io:3080
  web_proxy_addr: boson.tener.io:3080
version: v2
We will get errors when
I'm unlikely to have the time to fix it before my PTO. |
found an issue with the "Instance" role and the EC2 join method #13677 |
I found an issue with |
I don't know if this is an issue or not, but I had a hard time figuring out why it does not work the way I would expect it to work. There is an inconsistency between how we treat LDAP discovered hosts vs static hosts.
Scenario 1: LDAP hosts
windows_desktop_service:
  ...
  discovery:
    base_dn: "*"
  host_labels:
    - match: '^.*\.example\.com$'
      labels:
        environment: dev
Using this configuration if the discovered host has dns host name set as
Scenario 2: Static hosts
windows_desktop_service:
  ...
  hosts:
    - EXAMPLE-82K6DLP.example.com
  host_labels:
    - match: '^.*\.example\.com$'
      labels:
        environment: dev
Using this configuration, with the same regexp and the same dns host name for a static host we won't get a regexp match and this host won't have an extra label. The reason for that is in case of static hosts, we do try to match regexp against teleport/lib/srv/desktop/windows_server.go Lines 982 to 989 in ca52099
Since I don't know if this was intended or we should fix it by changing the behavior of it to just use host without port it would be great if @zmb3 could take a look into my comment as I think he is the author of this functionality. |
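The mismatch discussed in this comment, reproduced as an added example (not Teleport's own code): the same anchored `host_labels` regexp is tried against an LDAP-discovered host name and against a static host entry that carries a port, and a port-stripping step is shown as one way to make both paths label consistently. The `HostLabelRule`, `RuleDef`, `CompileRules`, `LabelsFor` and `HostOnly` names and the port 3389 are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// HostLabelRule is a reduced model of one windows_desktop_service host_labels
// entry: a regexp tried against the desktop host name, and the labels applied
// on a match. Hypothetical type, defined for this example only.
type HostLabelRule struct {
	Match  *regexp.Regexp
	Labels map[string]string
}

// RuleDef is the uncompiled (match, labels) pair as it appears in the config.
type RuleDef struct {
	Match  string
	Labels map[string]string
}

// CompileRules compiles every rule up front, rejecting bad regexps so a typo
// cannot silently turn into "no label, no access" later.
func CompileRules(defs []RuleDef) ([]HostLabelRule, error) {
	rules := make([]HostLabelRule, 0, len(defs))
	for _, d := range defs {
		re, err := regexp.Compile(d.Match)
		if err != nil {
			return nil, fmt.Errorf("host_labels: invalid match %q: %w", d.Match, err)
		}
		rules = append(rules, HostLabelRule{Match: re, Labels: d.Labels})
	}
	return rules, nil
}

// LabelsFor merges the labels of every rule whose regexp matches name.
func LabelsFor(rules []HostLabelRule, name string) map[string]string {
	out := map[string]string{}
	for _, r := range rules {
		if !r.Match.MatchString(name) {
			continue
		}
		for k, v := range r.Labels {
			out[k] = v
		}
	}
	return out
}

// HostOnly strips a trailing :port from a static host entry so that it is
// matched the same way an LDAP-discovered DNS host name is. Entries without a
// port (anything net.SplitHostPort cannot parse) are returned unchanged.
func HostOnly(entry string) string {
	if host, _, err := net.SplitHostPort(entry); err == nil {
		return host
	}
	return entry
}

func main() {
	rules, err := CompileRules([]RuleDef{
		{Match: `^.*\.example\.com$`, Labels: map[string]string{"environment": "dev"}},
	})
	if err != nil {
		panic(err)
	}
	// Constructed inputs: the discovered name from the comment above, and the
	// same host as a static entry carrying a port (3389 is assumed here).
	for _, name := range []string{
		"EXAMPLE-82K6DLP.example.com",
		"EXAMPLE-82K6DLP.example.com:3389",
	} {
		fmt.Printf("%-36s raw=%v host-only=%v\n",
			name, LabelsFor(rules, name), LabelsFor(rules, HostOnly(name)))
	}
}
```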
@LKozlowski I don't think we ever noticed this before, but technically regex-based labeling is working as intended, we're just not clear in the docs or examples that the port is included. Feels like the simplest thing would be to remove the |
That will end up matching anything with an |
I found an issue with desktop access scroll behavior: #13690 |
Sure, that works. Or I'm also fine not matching against the host and not the port. I don't see this as a major issue since it has always been this way, and few people use static hosts. |
Favor newer Touch ID credentials in the allowed set for MFA, or just the newer credential for passwordless. Fixes a capture-by-reference bug and adds coverage for it. Issue #13340. * Add tests for Touch ID credential-choosing logic * Favor newer Touch ID credentials within the allowed set * Warn about origin vs RPID mismatch
@nklaassen #13529 should fix the EC2 labels error. |
I just wanted to bring it up as it wasn't clear for me when I was testing it, but I agree that it is working fine. As you said, we just need to either update docs or slightly update the code. Anyway, I'll mark it in the test plan as working and we'll just improve it later so it doesn't block the v10 release. |
#13712) Favor newer Touch ID credentials in the allowed set for MFA, or just the newer credential for passwordless. Fixes a capture-by-reference bug and adds coverage for it. Issue #13340. Backports #13672 and #13761. * Add tests for Touch ID credential-choosing logic * Favor newer Touch ID credentials within the allowed set * Warn about origin vs RPID mismatch * Do not dereference assertion before checking for nil
Found a compatibility issue between v9 leafs and v10 roots related to the new database CA: |
Is |
We should probably filter out that one and the |
Direct Dial Nodes unreachable because they are reporting an address of |
Reverse Tunnel Nodes getting stuck initializing and not connecting: #13911 |
etcd 500 TC Scaling Test |
Something minor I just noticed: my (idle) local teleport was spamming a session recording warning (shutdown logs included):
I didn't do anything special with the cluster today, other than a few login attempts. Posting here in case it rings a bell for someone. |
This happened to me as well and adding |
Should be fixed by #13826, fixing the warning in a running cluster involves manually deleting the file in the recordings I think. |
Can't get passwordless scenario to work as described in the test plan:
Logs:
cc @codingllama |
@r0mant could you double-check that you are using |
@codingllama @r0mant all clear on the passwordless test plan for me on macOS. |
etcd Soak Test
kubectl logs -n loadtest-tross soaktest-pvnlr-6gv5f -f
+ tsh --insecure --proxy=monster.gravitational.co:3080 -i /etc/teleport/auth -l root ls -f names
node-65c8f5c9db-5zzfd
iot-node-5b4f7757f8-f2966
----Direct Dial Node Test----
+ tsh --insecure --proxy=monster.gravitational.co:3080 -i /etc/teleport/auth bench --duration=30m root@node-65c8f5c9db-5zzfd ls
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 157 ms
50 162 ms
75 168 ms
90 174 ms
95 178 ms
99 193 ms
100 474 ms
+ tsh --insecure --proxy=monster.gravitational.co:3080 -i /etc/teleport/auth bench --duration=30m --interactive root@node-65c8f5c9db-5zzfd ps aux
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 159 ms
50 164 ms
75 170 ms
90 175 ms
95 180 ms
99 195 ms
100 5179 ms
+ tsh --insecure --proxy=monster.gravitational.co:3080 -i /etc/teleport/auth bench --duration=30m root@iot-node-5b4f7757f8-f2966 ls
----Reverse Tunnel Node Test----
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 155 ms
50 160 ms
75 166 ms
90 172 ms
95 178 ms
99 193 ms
100 418 ms
+ tsh --insecure --proxy=monster.gravitational.co:3080 -i /etc/teleport/auth bench --duration=30m --interactive root@iot-node-5b4f7757f8-f2966 ps aux
* Requests originated: 17999
* Requests failed: 0
Histogram
Percentile Response Duration
---------- -----------------
25 154 ms
50 159 ms
75 165 ms
90 170 ms
95 175 ms
99 192 ms
100 5171 ms
etcd 10k Reverse Tunnel Nodes
https://teleportcoreteam.grafana.net/goto/vJFIH33nk?orgId=1
etcd 10k Direct Dial Nodes |
Aggregate last 3 releases.
|
10K Dynamo IoT
edit: See #13340 (comment) for updated bench numbers.
Note: benches run concurrently with scaling and against nodes in a different region/cloud, which I think explains the differences in response duration. Looking into it. |
10K Dynamo Non-IoT
Note: these benches were run against individual bare-metal nodes within a 2-node cluster with tsh located within the same vpc as the auth, proxy, and nodes. |
DynamoDB Small Cluster Bench (previously posted dynamodb bench numbers were from a 10k cluster with sub-optimal network conditions, and therefore not particularly useful for comparison)
|
Manual Testing Plan
Below are the items that should be manually tested with each release of Teleport.
These tests should be run on both a fresh install of the version to be released
as well as an upgrade of the previous version of Teleport.
Adding nodes to a cluster @avatus
Labels @avatus
Trusted Clusters @EdwardDowling @hugoShaka
RBAC @alistanis
Make sure that invalid and valid attempts are reflected in audit log.
Verify that custom PAM environment variables are available as expected. @xacrimon
Users @codingllama
With every user combination, try to login and signup with invalid second factor, invalid password to see how the system reacts.
WebAuthn in the release `tsh` binary is implemented using libfido2. Ask for a statically built pre-release binary for realistic tests. (`tsh fido2 diag` should work in our binary.)
Touch ID requires a signed `tsh`, ask for a signed pre-release binary so you may run the tests.
Adding Users Password Only
Adding Users OTP
Adding Users WebAuthn
Adding Users Touch ID
Managing MFA devices
`tsh mfa add`
`tsh mfa add`
`tsh mfa add`
`tsh mfa ls`
`tsh mfa rm`
`tsh mfa rm`
`second_factor: on` in `auth_service`, should fail
`second_factor: optional` in `auth_service`, should succeed
Login Password Only
Login with MFA
`tsh mfa add`
U2F devices must be registered in a previous version of Teleport. Using Teleport v9, set `auth_service.authentication.second_factor = u2f`, restart the server and then register a U2F device (`tsh mfa add`). Upgrade the install to the current Teleport version (one major at a time) and try to login using the U2F device as your second factor - it should work.
Login OIDC @Tener
Login SAML @Tener
Login GitHub @Tener
Deleting Users @Tener
Backends
Session Recording @gabrielcorado
Audit Log @gabrielcorado
Failed login attempts are recorded
Interactive sessions have the correct Server ID
Node/Proxy ID may be found at `/var/lib/teleport/host_uuid` in the corresponding machine.
Node IDs may also be queried via `tctl nodes ls`.
Exec commands are recorded
`scp` commands are recorded
Subsystem results are recorded
Subsystem testing may be achieved using both Recording Proxy mode and OpenSSH integration.
Assuming the proxy is `proxy.example.com:3023` and `node1` is a node running OpenSSH/sshd, you may use the following command to trigger a subsystem audit log:
sftp -o "ProxyCommand ssh -o 'ForwardAgent yes' -p 3023 %[email protected] -s proxy:%h:%p" root@node1
Interact with a cluster using `tsh` @alistanis @hugoShaka
These commands should ideally be tested for recording and non-recording modes as they are implemented in different ways.
Interact with a cluster using `ssh` @Joerger
Make sure to test both recording and regular proxy modes.
Verify proxy jump functionality @Joerger
Log into leaf cluster via root, shut down the root proxy and verify proxy jump works.
Interact with a cluster using the Web UI @Joerger
User accounting @xacrimon
`/var/run/utmp` on Linux.
`/var/log/wtmp` on Linux.
Combinations @capnspacehook
For some manual testing, many combinations need to be tested. For example, for
interactive sessions the 12 combinations are below.
Teleport with EKS/GKE @tigrato
Teleport with multiple Kubernetes clusters @tigrato
Note: you can use GKE or EKS or minikube to run Kubernetes clusters. Minikube is the only caveat - it's not reachable publicly so don't run a proxy there.
`tsh login`, check that `tsh kube ls` has your cluster
`kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh`
`tsh login`, check that `tsh kube ls` has your cluster
`kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh`
`tsh login`, check that `tsh kube ls` has your cluster
`kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh`
`tsh login`, check that `tsh kube ls` has both clusters
`tsh kube login`
`kubectl get nodes`, `kubectl exec -it $SOME_POD -- sh` on the new cluster
`tsh login`, check that `tsh kube ls` has all clusters
`name` and `labels`
Step 2
login value matching the rows `name` column
`name` or `labels` in the search bar works
`name` column
Teleport with FIPS mode @alistanis @r0mant
ACME @rudream
Migrations @hugoShaka
SSH should work for both main and old clusters
SSH should work
Command Templates
When interacting with a cluster, the following command templates are useful:
OpenSSH
Teleport
Teleport with SSO Providers @ptgott @Tener
`tctl sso` family of commands @Tener
`tctl sso configure` helps to construct a valid connector definition:
`tctl sso configure github ...` creates valid connector definitions
`tctl sso configure oidc ...` creates valid connector definitions
`tctl sso configure saml ...` creates valid connector definitions
`tctl sso test` tests a provided connector definition, which can be loaded from file or piped in with `tctl sso configure` or `tctl get --with-secrets`. Valid connectors are accepted, invalid are rejected with sensible error messages.
`tctl sso test`.
Teleport Plugins @marcoandredinis
AWS Node Joining @nklaassen
Docs
`ec2:DescribeInstances` permissions for local account:
TELEPORT_TEST_EC2=1 go test ./integration -run TestEC2NodeJoin
TELEPORT_TEST_EC2=1 go test ./integration -run TestIAMNodeJoin
Passwordless @r0mant @espadolini
Passwordless requires `tsh` compiled with libfido2 for most operations (apart from Touch ID). Ask for a statically-built `tsh` binary for realistic tests. Touch ID requires a properly built and signed `tsh` binary. Ask for a pre-release binary so you may run the tests.
This section complements "Users -> Managing MFA devices". Ideally both macOS and Linux `tsh` binaries are tested for FIDO2 items.
Diagnostics
Both commands should pass all tests.
`tsh fido2 diag`
`tsh touchid diag`
Registration
`tsh mfa add`, choose WEBAUTHN and passwordless)
`tsh mfa add`, choose TOUCHID)
Login
`tsh login --auth=passwordless`)
`tsh login --auth=passwordless`)
`tsh login --auth=passwordless --mfa-mode=cross-platform` uses FIDO2
`tsh login --auth=passwordless --mfa-mode=platform` uses Touch ID
`tsh login --auth=passwordless --mfa-mode=auto` prefers Touch ID
(`auth_service.authentication.passwordless = false`)
(`auth_service.authentication.connector_name = passwordless`)
(`tsh login --auth=local`)
Touch ID support commands
`tsh touchid ls` works
`tsh touchid rm` works (careful, may lock you out!)
WEB UI @kimlisa @rudream @hatched
Main
For main, test with a role that has access to all resources.
Top Nav
Side Nav
`>`, and expand has icon `v`
Servers aka Nodes
`Add Server` button renders dialogue set to `Automatically` view
`Regenerate Script` regenerates token value in the bash command
`Manually` tab renders manual steps
`Automatically` tab renders bash command
Applications
`Add Application` button renders dialogue
`Generate Script`, bash command is rendered
`Regenerate` button regenerates token value in bash command
Databases
`Add Database` button renders dialogue for manual instructions:
`Step 4` changes
`Step 5` commands
Active Sessions
Audit log
`Session Ended` event icon, takes user to session player
`details` button
Users
Auth Connectors
Roles
Managed Clusters
Help & Support
Access Requests
Access Request is a Enterprise feature and is not available for OSS.
Creating Access Requests (Role Based)
Create a role with limited permissions `allow-roles-and-nodes`. This role allows you to see the Role screen and ssh into all nodes.
Create another role with limited permissions `allow-users-with-short-ttl`. This role session expires in 4 minutes, allows you to see Users screen, and denies access to all nodes.
Create a user that has no access to anything but allows you to request roles:
`allow-roles-and-nodes` and `allow-users-with-short-ttl` are listed
Creating Access Requests (Search Based)
Create a role with access to searchable resources (apps, db, kubes, nodes, desktops). The template `searcheable-resources` is below.
Create a user that has no access to resources, but allows you to search them:
`searcheable-resources` rules
Viewing & Approving/Denying Requests
Create a user with the role `reviewer` that allows you to review all requests, and delete them.
Assuming Approved Requests (Role Based)
`allow-roles-and-nodes` allows you to see roles screen and ssh into nodes
`allow-roles-and-nodes`, verify that assuming `allow-users-short-ttl` allows you to see users screen, and denies access to nodes
`switching back` goes back to your default static role
`allow-users-short-ttl` role, the user is automatically logged out after the expiry is met (4 minutes)
Assuming Approved Requests (Search Based)
Assuming Approved Requests (Both)
Access Request Waiting Room
Strategy Reason
Create the following role:
`request_prompt` setting
`send request`, pending dialogue renders
Strategy Always
With the previous role you created from `Strategy Reason`, change `request_access` to `always`:
`Logout` and clicking goes back to the login screen
Strategy Optional
With the previous role you created from `Strategy Reason`, change `request_access` to `optional`:
Terminal
Node List Tab
Session Tab
$ sudo apt-get install mc
$ mc
Session Player
Invite and Reset Form
Login Form and Change Password
Multi-factor Authentication (mfa)
Create/modify `teleport.yaml` and set the following authentication settings under `auth_service`
MFA invite, login, password reset, change password
`second_factor` type to `on` and verify that mfa is required (no option `none` in dropdown)
MFA require auth
Go to `Account Settings` > `Two-Factor Devices` and register a new device
Using the same user as above:
MFA Management
`second_factor` set to `off` disables adding devices
Passwordless
Cloud
From your cloud staging account, change the field `teleportVersion` to the test version.
Recovery Code Management
Invite/Reset
Recovery Flow: Add new mfa device
Recovery Flow: Change password
Recovery Email
RBAC
Create a role, with no `allow.rules` defined:
`Add Server, Application, Databases, Kubernetes` button in each respective view
`Servers`, `Apps`, `Databases`, and `Kubernetes` are listed under `options` button in `Manage Clusters`
Note: User has read/create access_request access to their own requests, despite resource settings
Add the following under `spec.allow.rules` to enable read access to the audit log:
`Audit Log` and `Session Recordings` are accessible
Add the following to enable read access to recorded sessions
Add the following to enable read access to the roles
Add the following to enable read access to the auth connectors
Add the following to enable read access to users
Add the following to enable read access to trusted clusters
Performance/Soak Test @rosstimothy @espadolini
Using the `tsh bench` tool, perform the soak tests and benchmark tests on the following configurations:
Cluster with 10K nodes in normal (non-IOT) node mode with ETCD
Cluster with 10K nodes in normal (non-IOT) mode with DynamoDB
Cluster with 1K IOT nodes with ETCD
Cluster with 1K IOT nodes with DynamoDB
Cluster with 500 trusted clusters with ETCD
Cluster with 500 trusted clusters with DynamoDB
Soak Tests
Run a 4 hour soak test with a mix of interactive/non-interactive sessions:
Observe prometheus metrics for goroutines, open files, RAM, CPU, Timers and make sure there are no leaks
Breaking load tests
Load the system with tsh bench to capacity and publish maximum numbers of concurrent sessions with interactive and non-interactive tsh bench loads.
Teleport with Cloud Providers
AWS @lxea
GCP @EdwardDowling
IBM @r0mant
Application Access @strideynet
`debug_app: true` works.
`name.rootProxyPublicAddr` as well as `publicAddr`.
`name.rootProxyPublicAddr`.
`app.session.start` and `app.session.chunk` events are created in the Audit Log.
`app.session.chunk` points to a 5 minute session archive with multiple `app.session.request` events inside.
`tsh play <chunk-id>` can fetch and print a session chunk archive.
`tsh app login`.
`tsh aws` commands.
`tctl create`.
`tctl create -f`.
`tctl rm`.
`Add Application` dialogue works (refresh app screen to see it registered)
Database Access @smallinsky
`db.session.start` is emitted when you connect.
`db.session.end` is emitted when you disconnect.
`db.session.query` is emitted when you execute a SQL query.
`tsh db ls` shows only databases matching role's `db_labels`.
`db_users`.
`db_names`.
`db.session.start` is emitted when connection attempt is denied.
`db_names`.
`db.session.query` is emitted when command fails due to permissions.
`tsh db connect`.
`tctl create`.
`tctl create -f`.
`tctl rm`.
`name`, `description`, `type`, and `labels`
Step 2
login value matching the rows `name` column
`labels`
TLS Routing @smallinsky
`v2` configuration starts only a single listener.
`multiplex` mode
`auth_service.proxy_listener_mode: "multiplex"`
`web_proxy_addr == tunnel_addr`
`tsh db connect` works through proxy running in `multiplex` mode
`tsh db proxy` with a GUI client.
`multiplex` mode
ssh -o "ForwardAgent yes" -o "ProxyCommand tsh proxy ssh" [email protected]
ssh -o "ForwardAgent yes" -o "ProxyCommand tsh proxy ssh --user=%r --cluster=leaf-cluster %h:%p" [email protected]
`tsh ssh` access through proxy running in multiplex mode
`multiplex` mode
Desktop Access
Basic Sessions (@LKozlowski)
`listen_addr`):
`hosts` section.
`hosts` section.
`windows_desktop_service`s to the same Teleport cluster, verify that connections to desktops on different AD domains work. (Attempt to connect several times to verify that you are routed to the correct `windows_desktop_service`)
User Input (@ibeckermayer)
Verify user input
verify all keys are processed correctly in each supported browser. Known issues: F11 cannot be captured by the browser without special configuration on MacOS.
the desktop should show a Windows menu, not a browser context menu)
Horizontal Scroll Test
Locking and access (@ibeckermayer)
`client_idle_timeout` to a small value and verify that idle sessions are terminated (the session should end and an audit event will confirm it was due to idle connection)
Labeling (@LKozlowski)
`teleport.dev/origin` label.
`teleport.dev` labels for OS, OSVersion, DNS hostname, and OU.
origin.
RBAC (@zmb3)
Clipboard Support (@zmb3)
Per-Session MFA (try webauthn on each of Chrome, Safari, and Firefox) @zmb3
Session Recording (@LKozlowski)
`mode: node-sync` or `mode: proxy-sync`)
`mode: node` or `mode: proxy`) and the progress bar progresses to the end.
a relevant error message.
using the RBAC rule from our docs
Audit Events (check these after performing the above tests) (@ibeckermayer)
`windows.desktop.session.start` (`TDP00I`) emitted on start
`windows.desktop.session.start` (`TDP00W`) emitted when session fails to start (due to RBAC, for example)
`windows.desktop.session.end` (`TDP01I`) emitted on end
`desktop.clipboard.send` (`TDP02I`) emitted for local copy -> remote paste
`desktop.clipboard.receive` (`TDP03I`) emitted for remote copy -> local paste
Binaries compatibility @fheinecke
Machine ID @timothyb89
SSH
With a default Teleport instance configured with a SSH node:
`tctl bots add robot --roles=access`. Follow the instructions provided in the output to start `tbot`
`ssh_config` in the destination directory
`SIGUSR1` and `SIGHUP` to a running tbot process causes a renewal and new certificates to be generated
Ensure the above tests are completed for both:
DB Access
With a default Postgres DB instance, a Teleport instance configured with DB access and a bot user configured:
`tbot db` while `tbot start` is running
Teleport Connect @ravicious @gzdunek @avatus
(`auth_service.authentication` in the cluster config):
`type: local`, `second_factor: "off"`
`type: local`, `second_factor: "otp"`
`type: local`, `second_factor: "webauthn"`
`type: local`, `second_factor: "optional"`, log in without MFA
`type: local`, `second_factor: "optional"`, log in with OTP
`type: local`, `second_factor: "optional"`, log in with hardware key
`type: local`, `second_factor: "on"`, log in with OTP
`type: local`, `second_factor: "on"`, log in with hardware key
Or set up the connectors on a local enterprise cluster following the guide from our wiki.
workspace should have no impact on the original shell session.
`TELEPORT_PROXY` and `TELEPORT_CLUSTER` should pin the session to the correct cluster.
`TELEPORT_HOME` should point to `~/Library/Application Support/Teleport Connect/tsh`.
`PATH` should include `/Applications/Teleport Connect.app/Contents/Resources/bin`.
(only for local terminals).
$ sudo apt-get install mc
$ mc
$ exit
command.properly.
works.
`~/Library/Application Support/Teleport Connect/tsh` doesn't crash the app.
`~/Library/Application Support/Teleport Connect/app_state.json` but not the `tsh` dir doesn't crash the app.
remember previous tabs (they should be cleared on logout).
belong to.
`spec.allow.logins` and `spec.allow.db_users`.
`tsh proxy db` with the same port, start the app. Verify that the app doesn't crash and the db connection tab shows you the error (address in use) and offers a way to retry creating the connection.
`Cmd+[1...9]`.
.elements.
workspace of that cluster automatically.
switching to another cluster) and return to the previous workspace.
autocompletes them.
autocompletes them.
running.
various points.
command bar.
local shell with that command running.
Verify that no unrecoverable error was raised. Then restart the app and verify that it was
restarted gracefully (no unrecoverable error on restart, the user can continue using the app).
`1m` (`spec.options.max_session_ttl`).
"Sync" on the cluster tab.
`select now();`, the client should be able to automatically reinstantiate the connection.
if it connects without problems. You might need to resync the cluster again in case they managed to expire.
the cluster.
completes doesn't show the login modal and instead immediately shows the error.
enough. Perhaps enabling throttling in dev tools can help too.
user; wait for the cert to expire, click "Sync", verify that the db tab with no access shows an
appropriate error and that the other db tab still handles old and new connections.
`~/Library/Application\ Support/Teleport\ Connect/logs`. @ravicious
works properly after that. @gzdunek
Host users creation @jakule
Host users creation docs
Host users creation RFD
`teleport-system` group
`disable_create_host_user: true` stops user creation from occurring
CA rotations @espadolini
`tctl get cert_authority`)
`standby` phase: only `active_keys`, no `additional_trusted_keys`
`init` phase: `active_keys` and `additional_trusted_keys`
`update_clients` and `update_servers` phases: the certs from the `init` phase are swapped
`standby` phase: only the new certs remain in `active_keys`, nothing in `additional_trusted_keys`
`rollback` phase (second pass, after completing a regular rotation): same content as in the `init` phase
`standby` phase after `rollback`: same content as in the previous `standby` phase
`db` authority #13793
`tsh app login`
`kubectl get po` after `tsh kube login`
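The expected key layout for each CA rotation phase above, turned into a checker as an added example (not part of the test plan or of Teleport's code): each `tctl get cert_authority` snapshot is reduced to its phase and key ids, and every transition is compared against the previous phase and against the content captured at `init`. The `CertAuthority` type, the helper names and the key ids `old1`/`new1`/`new2` are assumptions; the checker also assumes, as the swap rule implies, that `init` keeps the standby keys active and places the new keys in `additional_trusted_keys`.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CertAuthority is a reduced view of what `tctl get cert_authority` shows during a
// rotation: the phase plus the key ids in active_keys and additional_trusted_keys.
type CertAuthority struct {
	Phase                 string
	ActiveKeys            []string
	AdditionalTrustedKeys []string
}

// sameKeys compares two key sets ignoring order.
func sameKeys(a, b []string) bool {
	ca, cb := append([]string(nil), a...), append([]string(nil), b...)
	sort.Strings(ca)
	sort.Strings(cb)
	return strings.Join(ca, ",") == strings.Join(cb, ",")
}

// CheckRotationStep verifies that cur is an acceptable successor of prev. initCA is the
// CA captured in the init phase of the current rotation; swap, rollback and final-standby
// checks compare against it. A nil result means the step matches the plan.
func CheckRotationStep(initCA, prev, cur CertAuthority) error {
	switch cur.Phase {
	case "init": // new keys land in additional_trusted_keys; the standby keys stay active
		if len(cur.AdditionalTrustedKeys) == 0 || !sameKeys(cur.ActiveKeys, prev.ActiveKeys) {
			return fmt.Errorf("init: expected %v active plus new trusted keys, got %+v", prev.ActiveKeys, cur)
		}
	case "update_clients", "update_servers": // the two sets from init are swapped
		if !sameKeys(cur.ActiveKeys, initCA.AdditionalTrustedKeys) ||
			!sameKeys(cur.AdditionalTrustedKeys, initCA.ActiveKeys) {
			return fmt.Errorf("%s: keys not swapped relative to init, got %+v", cur.Phase, cur)
		}
	case "rollback": // same content as the init phase
		if !sameKeys(cur.ActiveKeys, initCA.ActiveKeys) ||
			!sameKeys(cur.AdditionalTrustedKeys, initCA.AdditionalTrustedKeys) {
			return fmt.Errorf("rollback: expected init content %+v, got %+v", initCA, cur)
		}
	case "standby": // only active_keys; which keys depends on how we got here
		if len(cur.ActiveKeys) == 0 || len(cur.AdditionalTrustedKeys) != 0 {
			return fmt.Errorf("standby: expected only active_keys, got %+v", cur)
		}
		want := initCA.AdditionalTrustedKeys // after update_servers only the new keys remain
		switch prev.Phase {
		case "rollback":
			want = initCA.ActiveKeys // same as the standby before the rotation started
		case "standby":
			want = prev.ActiveKeys // no rotation in progress
		}
		if !sameKeys(cur.ActiveKeys, want) {
			return fmt.Errorf("standby after %s: expected %v active, got %v", prev.Phase, want, cur.ActiveKeys)
		}
	default:
		return fmt.Errorf("unknown rotation phase %q", cur.Phase)
	}
	return nil
}

// walk applies CheckRotationStep to successive snapshots and returns the first violation.
func walk(initCA, start CertAuthority, steps ...CertAuthority) error {
	prev := start
	for _, cur := range steps {
		if err := CheckRotationStep(initCA, prev, cur); err != nil {
			return err
		}
		prev = cur
	}
	return nil
}

// SampleRotation walks constructed snapshots (key ids "old1", "new1", "new2") through a
// full rotation and then a second pass that is rolled back, the sequence the test plan
// lists, and returns the first violation, or nil when every phase matches.
func SampleRotation() error {
	init1 := CertAuthority{Phase: "init", ActiveKeys: []string{"old1"}, AdditionalTrustedKeys: []string{"new1"}}
	if err := walk(init1, CertAuthority{Phase: "standby", ActiveKeys: []string{"old1"}},
		init1,
		CertAuthority{Phase: "update_clients", ActiveKeys: []string{"new1"}, AdditionalTrustedKeys: []string{"old1"}},
		CertAuthority{Phase: "update_servers", ActiveKeys: []string{"new1"}, AdditionalTrustedKeys: []string{"old1"}},
		CertAuthority{Phase: "standby", ActiveKeys: []string{"new1"}},
	); err != nil {
		return err
	}
	init2 := CertAuthority{Phase: "init", ActiveKeys: []string{"new1"}, AdditionalTrustedKeys: []string{"new2"}}
	return walk(init2, CertAuthority{Phase: "standby", ActiveKeys: []string{"new1"}},
		init2,
		CertAuthority{Phase: "rollback", ActiveKeys: []string{"new1"}, AdditionalTrustedKeys: []string{"new2"}},
		CertAuthority{Phase: "standby", ActiveKeys: []string{"new1"}},
	)
}
```

Feeding real snapshots in means parsing the `tctl get cert_authority` output into `CertAuthority` values, which this example leaves to the reader.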
IP-based validation
SSH @probakowski
`pin_source_ip: true` option can be added in role definition
`tsh ssh` works when invoked from the same machine/IP that was used for logging in
`tsh ssh` prompts for relogin when invoked from different machine (copy certs after login)
`sshd` server works as above in both cases
`ssh` works as above in both cases
`tsh status -d` shows pinned IP