puttyconfig: Switch to string-based Validity format and deprecate MatchHosts #32598
Merged
webvictim
commented
Sep 26, 2023
04de663 to
739115e
Compare
Contributor
|
🤖 Vercel preview here: https://docs-95dzuasqm-goteleport.vercel.app/docs/ver/14.x |
nklaassen
reviewed
Sep 27, 2023
Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
…m/gravitational/teleport into gus/tsh-putty-matchhosts-validity
zmb3
approved these changes
Oct 2, 2023
@webvictim See the table below for backport results.
webvictim
added a commit
that referenced
this pull request
Oct 16, 2023
…chHosts (#32598)

* puttyconfig: Switch to string-based Validity format and deprecate MatchHosts
* Switch to more restrictive, reliable parsing
* Add validity string errors to docs
* Remove invalid test case
* Add test case
* Remove any spaces from user-provided input and use sanitized hostname
* Apply fixes from code review
* Tidy up errors, provide consistent detail about which field contains an error
* Disable docs lint for dots in heading

  This is needed here, as there are 5 error messages which all start the same way but end differently.
* Catch a few more error cases
* Only delete old MatchHosts key after new Validity key has been written successfully
* Apply suggestions from code review

  Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Address Zac's comments from code review

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
Merged
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Oct 20, 2023
* [v13] tsh: Implement puttyconfig command to add saved PuTTY sessions to Windows registry
* docs: `tsh puttyconfig`
* docs: Minor cosmetic tweaks to tsh puttyconfig (#29831)

  Fixes an extra full stop and tenant name which was included accidentally.
* puttyconfig: Switch to string-based Validity format and deprecate MatchHosts (#32598)
* puttyconfig: Switch to string-based Validity format and deprecate MatchHosts
* Switch to more restrictive, reliable parsing
* Add validity string errors to docs
* Remove invalid test case
* Add test case
* Remove any spaces from user-provided input and use sanitized hostname
* Apply fixes from code review
* Tidy up errors, provide consistent detail about which field contains an error
* Disable docs lint for dots in heading

  This is needed here, as there are 5 error messages which all start the same way but end differently.
* Catch a few more error cases
* Only delete old MatchHosts key after new Validity key has been written successfully
* Apply suggestions from code review

  Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
* Address Zac's comments from code review

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>

* Add tsh puttyconfig to CLI reference
* Add winscp to cspell whitelist
* Add WinSCP to PuTTY client instructions (#32868)
* Remove duplicate tsh puttyconfig from CLI reference
* Fix link to CLI reference

---------

Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com>
At some point during the development of PuTTY 0.78 which added support for SSH user and host certificates, the author switched from storing the list of hostnames to trust for a given public key in a REG_MULTI_SZ called `MatchHosts`, to storing them in a REG_SZ called `Validity`.

`tsh puttyconfig` was written to use the `MatchHosts` format, PuTTY still contains code to process that format and tsh only needs to work with single hostnames or wildcards, so there was no sense in delaying the PR further by switching to the more-complicated string-based `Validity` format instead which involves boolean logic and a tokenizer/lexer etc.

However, the author of WinSCP is now adding support for importing saved sessions from and automatically using the same SSH host CAs as configured in PuTTY. WinSCP only supports the newer `Validity` format, so it's time for this PR which switches `tsh puttyconfig` to the same.

If a `MatchHosts` value is set in the registry key, `tsh puttyconfig` will automatically migrate any entries to the `Validity` format, save the key to the registry and then delete the `MatchHosts` value if this was successful.

Additionally, Teleport ignores any values from the `Validity` key which are inside parentheses and passes them through verbatim to avoid needing to implement a lexer of its own. I suspect it's unlikely that users will manually tinker with the Validity values in keys added by `tsh puttyconfig`, but I wanted to try and account for this anyway.

`tsh puttyconfig` will error if the `Validity` key does not match the managed `<hostname> || <hostname> || ...` format that it uses. There is now a troubleshooting section added to the docs to help people fix these errors if they encounter them.

References:

`Validity` format: https://the.earth.li/~sgtatham/putty/0.79/htmldoc/Chapter4.html#config-ssh-cert-valid-expr
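The managed-format handling described above, sketched in Go as an added example; this is not Teleport's code and is not part of the PR. The function names are hypothetical, the sample values are constructed, and it assumes a bare term is a hostname or wildcard only when it contains no whitespace and none of `( ) & | !`.

```go
package main

import (
	"fmt"
	"strings"
)

// splitTopLevel splits s on each "||" that lies outside parentheses.
func splitTopLevel(s string) (parts []string) {
	depth, start := 0, 0
	for i := 0; i < len(s); i++ {
		depth += strings.Count(s[i:i+1], "(") - strings.Count(s[i:i+1], ")")
		if depth == 0 && strings.HasPrefix(s[i:], "||") {
			parts = append(parts, strings.TrimSpace(s[start:i]))
			i, start = i+1, i+2
		}
	}
	return append(parts, strings.TrimSpace(s[start:]))
}

// isGroup reports whether t is exactly one balanced "(...)" group.
func isGroup(t string) bool {
	for i, depth := 0, 0; i < len(t); i++ {
		depth += strings.Count(t[i:i+1], "(") - strings.Count(t[i:i+1], ")")
		if depth <= 0 {
			return depth == 0 && t[0] == '(' && i == len(t)-1
		}
	}
	return false
}

// MergeValidity appends hosts (e.g. migrated MatchHosts entries) to a managed
// Validity string; "(...)" groups pass through verbatim, anything else fails.
func MergeValidity(existing string, hosts []string) (string, error) {
	terms := hosts
	if strings.TrimSpace(existing) != "" {
		terms = append(splitTopLevel(existing), hosts...)
	}
	for i, t := range terms {
		isHost := t != "" && !strings.ContainsAny(t, " \t()&|!")
		if !isHost && (i >= len(terms)-len(hosts) || !isGroup(t)) {
			return "", fmt.Errorf("term %q is not a hostname or (...) group", t)
		}
	}
	return strings.Join(terms, " || "), nil
}

func main() { // constructed sample input
	fmt.Println(MergeValidity("(*.dev.example.com && *.example.com) || a.example.com", []string{"b.example.com"}))
}
```

A caller following the order described in the PR would write the returned string to `Validity` first and delete `MatchHosts` only once that write has succeeded.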