Support disconnect_expired_cert for database access

[r0mant]

Feature Request

Teleport provides a disconnect_expired_cert setting that can be set cluster-wide on the auth server and/or on the role level which controls whether an active connection should be terminated in case of the client certificate expiration. This setting currently does not have any effect on the database access connections.

To add support, database access connections should use the same monitor used by SSH server and Kubernetes forwarder:

https://github.com/gravitational/teleport/blob/v6.0.0-alpha.2/lib/srv/ctx.go#L335
https://github.com/gravitational/teleport/blob/v6.0.0-alpha.2/lib/kube/proxy/forwarder.go#L1261

Motivation

This setting is important for compliance purposes.

Who's it for?

OSS User, Pro, Enterprise, Cloud

[klizhentas]

Let's add support for per-session certs here as well.

[r0mant]

Let's add support for per-session certs here as well.

@klizhentas Per-session certs are used only in scope of per-session MFA currently - did you mean per-session MFA here (which we'd likely need some client-side proxy for), or did you mean some other behavior to issue very short lived (1m) certs and make users reauth for each db session?

[klizhentas]

@r0mant I'd say bring per session MFA and proxy in scope of 7.0 for your team, yes.

Some thoughts:

• We need TLS SNI routing to reduce the amount of ports anyways and for cloud
• If we have proxy support something like

tsh proxy ssh root@localhost

(spins up local ephemeral in process proxy socket, may be in a separate net namespace, launches command ssh)

This will solve another problem for @russjones with c-te (ask him about it)

• If we have the new proxy support per-session MFA as well, this will cover all other missing protocols (DB access, APP access).

Probably need an RFD for this and work on it in a separate issue :)