Proxy X11 Forwarding Support #3803
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
just to note that I think the extension is permit-X11-forwarding (uppercase X) and this caught me out! thank you so much for working on this 😄 |
fspmarshall
force-pushed
the
fspmarshall/x11-fwd-proxy
branch
3 times, most recently
from
e2f031a to
5807c8c
Compare
fspmarshall
requested review from
awly,
klizhentas,
russjones and
webvictim
as code owners
awly
reviewed
Jun 15, 2020
russjones
reviewed
Jun 17, 2020
fspmarshall
force-pushed
the
fspmarshall/x11-fwd-proxy
branch
from
5807c8c to
c583418
Compare
awly
reviewed
Jun 23, 2020
| case <-ctx.Done(): | ||
| return | ||
| } | ||
| c.Assert(nch.ChannelType(), Equals, teleport.ChanSession) |
There was a problem hiding this comment.
I believe c.Assert is not thread-safe.
Probably easier to keep as is, but the race detector might complain.
- Role options now include a `permit_x11_forwarding` bool which is set to `false` by default. - Recording proxies now forward X11 requests and channels when when permitted by RBAC. - User certs will now include the `permit-X11-forwarding` extension when permitted by RBAC. - If X11 forwarding is requested for a session a new `x11` audit event is emitted by recording proxies.
fspmarshall
force-pushed
the
fspmarshall/x11-fwd-proxy
branch
from
c583418 to
27ee262
Compare
awly
approved these changes
Jun 23, 2020
$ tsh version
Teleport v7.3.3 git: go1.17.2
$ tsh ssh -X remote-host
ERROR: unknown short flag '-X'How do I use X11 forwarding with |
|
Hi @sjackman you can only use -X with the openssh client (so, using |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Support for X11 forwarding to
opensshnodes(WIP):permit-x11-forwardingcert extension.Closes #3401
This PR enables minimal X11 forwarding support for teleport clusters by adding the ability to control the
permit-X11-forwardingcertificate extension via RBAC and giving teleport proxies the ability to correctly handle X11 forwarding requests/channels when in recording mode (X11 forwarding technically already worked when not in recording mode, but wasn't particularly useful withoutpermit-X11-forwardingextension support). In order to leverage X11 forwarding, the user must hold a role with thepermit_x11_forwardingoption enabled:Since this PR only adds support to the proxy,
opensshstill needs to be used for both the client and node. Assumingnode.example.comwere anopensshnode andalicehadpermit_x11_forwarding: true, she could graphically edit the contents ofexample.txtlike so:Which, if the proxy is running in recording mode, would produce an audit event something like this: