ssh to wrong node

[wllenyj]

What happened:
When i click the root button from web, ssh to wrong node. ifconfig display the different ip to the Address of web. And it is always ssh to the same wrong node.

What you expected to happen:
SSH to right node.

How to reproduce it (as minimally and precisely as possible):
The Hostname of the wrong node is the same of all. And Tips：'abrt-cli status' timed out

Environment:

• Teleport version (use teleport version): v3.0.1
• Tsh version (use tsh version): v3.0.1
• OS (e.g. from /etc/os-release):Centos 7.2

Browser environment
chrome

• Browser Version (for UI-related issues): 70.0.3538.102
• Install tools:
• Others:

Relevant Debug Logs If Applicable

• tsh --debug
• teleport --debug

[klizhentas]

can you add a little more information for us?, for example, tctl get nodes output will be helpful here

[cove]

I think this is the same issue I ran into from our convo in slack.

It looks like GuessHostIP() might be picking up the IPv6 loopback on the node instead of the routable IPv4 address, though there was a fix for this 98be2a5. Since I'm testing the enterprise version I can't tell if that commit is applied and I haven't tested the OSS version. Here's how one of my nodes (the auth server shows up):

[root@auth ~]# tctl get nodes
- kind: node
  metadata:
    expires: 2018-11-30T19:03:26.006715312Z
    name: 4513166f-6a36-443e-bd19-c136950e8d60
  spec:
    addr: '[::1]:3022'
    hostname: auth
    rotation:
      current_id: ""
      grace_period: 0s
      last_rotated: 0001-01-01T00:00:00Z
      schedule:
        standby: 0001-01-01T00:00:00Z
        update_clients: 0001-01-01T00:00:00Z
        update_servers: 0001-01-01T00:00:00Z
      started: 0001-01-01T00:00:00Z
  version: v2

Here's what it looks like from the user perspective, where the short node name uses the IPv6 loopback address above and logins into the proxy, and if you use the FQDN is appears to resolve the IPv4 address in DNS and connects to the right node:

% tsh ssh root@auth
[root@proxy ~]# logout
the connection was closed on the remote side on  30 Nov 18 11:17 PST
% tsh ssh root@auth.<fqdn>
[root@auth ~]#

Secondly the reason that the SSH succeeds is due to CheckHostSignature() not validating the Principal.

[wllenyj]

can you add a little more information for us?, for example, tctl get nodes output will be helpful here

I guess that web find node by hostname as unique id. So if hostname is same, should ssh
to the first one in list.

- kind: node
  metadata:
    expires: 2018-12-04T02:52:50.312417901Z
    name: 826296e7-7be0-4c97-94da-1922b8bd0e57
  spec:
    addr: xx.xx.xx.14:3022
    cmd_labels:
      kernel:
        command:
        - uname
        - -r
        period: 1h0m0s
        result: 3.10.0-327.el7.x86_64
    hostname: localhost
    rotation:
      current_id: ""
      grace_period: 0s
      last_rotated: 0001-01-01T00:00:00Z
      schedule:
        standby: 0001-01-01T00:00:00Z
        update_clients: 0001-01-01T00:00:00Z
        update_servers: 0001-01-01T00:00:00Z
      started: 0001-01-01T00:00:00Z
  version: v2
- kind: node
  metadata:
    expires: 2018-12-04T02:52:49.491324807Z
    name: 0c7f0a32-7609-4418-83f0-21e40d497368
  spec:
    addr: xx.xx.xx.18:3022
    cmd_labels:
      kernel:
        command:
        - uname
        - -r
        period: 1h0m0s
        result: 3.10.0-327.el7.x86_64
    hostname: localhost
    rotation:
      current_id: ""
      grace_period: 0s
      last_rotated: 0001-01-01T00:00:00Z
      schedule:
        standby: 0001-01-01T00:00:00Z
        update_clients: 0001-01-01T00:00:00Z
        update_servers: 0001-01-01T00:00:00Z
      started: 0001-01-01T00:00:00Z
  version: v2

[kontsevoy]

I think the ability to SSH into a wrong node by accident is a dangerous one. You may SCP something into the wrong hands without noticing.

Proposal for CLI

If the target argument to tsh ssh target or tsh scp target is not a label, the client must request a list of nodes matching the target and if there is more than one, it should refuse connecting with a non-zero exist status and the following going to stderror:

$ tsh ssh db-master
There are multiple nodes named `db-master`. Use an IP address or a node ID:
Name            Address           Node ID
--------------  ---------------   ----------------------------
db-master       10.5.12.1         16a9124d-708b-43bb-bfa4-8a4970cbf20d
db-master       10.5.12.2         aea74d77-82ba-4764-88ba-20b038400d20

@klizhentas please review.

[klizhentas]

sounds good, but could potentially break some automation scripts relying on the old behavior.

[kontsevoy]

BTW if the running cost of tsh ssh becomes comparable to tsh ls let's punt this until "Pleasanton" is released.

[klizhentas]

@kontsevoy removing this from the milestone for now

[benarent]

I've had input from another customer that this is an issue. I've labelled the issue and added it to a milestone.