diff --git a/lib/client/client.go b/lib/client/client.go index 31d88c5a58093..2b7e78d302cd9 100644 --- a/lib/client/client.go +++ b/lib/client/client.go @@ -1477,7 +1477,9 @@ func (proxy *ProxyClient) ConnectToNode(ctx context.Context, nodeAddress NodeDet HostKeyCallback: proxy.hostKeyCallback, } - nc, err := NewNodeClient(ctx, sshConfig, pipeNetConn, nodeAddress.ProxyFormat(), proxy.teleportClient, details.FIPSEnabled) + nc, err := NewNodeClient(ctx, sshConfig, pipeNetConn, + nodeAddress.ProxyFormat(), nodeAddress.Addr, + proxy.teleportClient, details.FIPSEnabled) return nc, trace.Wrap(err) } @@ -1523,12 +1525,13 @@ func (proxy *ProxyClient) PortForwardToNode(ctx context.Context, nodeAddress Nod HostKeyCallback: proxy.hostKeyCallback, } - nc, err := NewNodeClient(ctx, sshConfig, proxyConn, nodeAddress.Addr, proxy.teleportClient, details.FIPSEnabled) + nc, err := NewNodeClient(ctx, sshConfig, proxyConn, nodeAddress.Addr, "", proxy.teleportClient, details.FIPSEnabled) return nc, trace.Wrap(err) } -// NewNodeClient constructs a NodeClient that is connected to the node at nodeAddress -func NewNodeClient(ctx context.Context, sshConfig *ssh.ClientConfig, conn net.Conn, nodeAddress string, tc *TeleportClient, fipsEnabled bool) (*NodeClient, error) { +// NewNodeClient constructs a NodeClient that is connected to the node at nodeAddress. +// The nodeName field is optional and is used only to present better error messages. +func NewNodeClient(ctx context.Context, sshConfig *ssh.ClientConfig, conn net.Conn, nodeAddress, nodeName string, tc *TeleportClient, fipsEnabled bool) (*NodeClient, error) { ctx, span := tc.Tracer.Start( ctx, "NewNodeClient", @@ -1543,11 +1546,14 @@ func NewNodeClient(ctx context.Context, sshConfig *ssh.ClientConfig, conn net.Co if err != nil { if utils.IsHandshakeFailedError(err) { conn.Close() + if nodeName == "" { + nodeName = nodeAddress + } // TODO(codingllama): Improve error message below for device trust. // An alternative we have here is querying the cluster to check if device // trust is required, a check similar to `IsMFARequired`. - log.Infof("Access denied to %v connecting to %v: %v", sshConfig.User, nodeAddress, err) - return nil, trace.AccessDenied(`access denied to %v connecting to %v`, sshConfig.User, nodeAddress) + log.Infof("Access denied to %v connecting to %v: %v", sshConfig.User, nodeName, err) + return nil, trace.AccessDenied(`access denied to %v connecting to %v`, sshConfig.User, nodeName) } return nil, trace.Wrap(err) } diff --git a/lib/web/terminal.go b/lib/web/terminal.go index eeccb7913844d..ba5cbabf28200 100644 --- a/lib/web/terminal.go +++ b/lib/web/terminal.go @@ -663,7 +663,10 @@ func (t *TerminalHandler) streamTerminal(ws *websocket.Conn, tc *client.Teleport HostKeyCallback: tc.HostKeyCallback, } - nc, connectErr := client.NewNodeClient(ctx, sshConfig, conn, net.JoinHostPort(t.sessionData.ServerID, strconv.Itoa(t.sessionData.ServerHostPort)), tc, modules.GetModules().IsBoringBinary()) + nc, connectErr := client.NewNodeClient(ctx, sshConfig, conn, + net.JoinHostPort(t.sessionData.ServerID, strconv.Itoa(t.sessionData.ServerHostPort)), + t.sessionData.ServerHostname, + tc, modules.GetModules().IsBoringBinary()) switch { case connectErr != nil && !trace.IsAccessDenied(connectErr): // catastrophic error, return it t.log.WithError(connectErr).Warn("Unable to stream terminal - failed to create node client") @@ -710,7 +713,10 @@ func (t *TerminalHandler) streamTerminal(ws *websocket.Conn, tc *client.Teleport return } - nc, err = client.NewNodeClient(ctx, sshConfig, conn, net.JoinHostPort(t.sessionData.ServerID, strconv.Itoa(t.sessionData.ServerHostPort)), tc, modules.GetModules().IsBoringBinary()) + nc, err = client.NewNodeClient(ctx, sshConfig, conn, + net.JoinHostPort(t.sessionData.ServerID, strconv.Itoa(t.sessionData.ServerHostPort)), + t.sessionData.ServerHostname, + tc, modules.GetModules().IsBoringBinary()) if err != nil { t.log.WithError(err).Warn("Unable to stream terminal - failed to create node client") t.writeError(err)