Skip to content

split SSH and TLS keys in tsh login#45995

Merged
nklaassen merged 22 commits intomasterfrom
nklaassen/split-client-login
Sep 12, 2024
Merged

split SSH and TLS keys in tsh login#45995
nklaassen merged 22 commits intomasterfrom
nklaassen/split-client-login

Conversation

@nklaassen
Copy link
Copy Markdown
Contributor

@nklaassen nklaassen commented Aug 28, 2024
edited
Loading

This PR splits all client-side generated SSH and TLS keys used in tsh. The end result is that if you set cluster_auth_preference.spec.signature_algorithm_suite to balanced-v1, on tsh login you will get an Ed25519 SSH key and an ECDSA P-256 TLS key, each saved in its own file under ~/.tsh with its matching certificate. Those split keys will then be used as required for all TLS and SSH operations.

If signature_algorithm_suite is unset or legacy, you will continue to get RSA keys. These will still be stored separately in their own files under ~/.tsh, but they are still the same key. Hardware keys will also continue to use a single key with the PEM reference stored in separate files.

The exceptions to the key split are anything that uses an identity file. This includes:

  • tsh login -o <file> [--format file]
  • tctl auth sign --format file
  • tbot identities
  • terraform identities
  • operator identities

These all continue to use a single key for both SSH and TLS, because the identity file format only support storage of a single key. This is backward-compatible, new versions can read old identity files, and old versions can read identity files generated by new versions.

I apologize for the size of this PR. I've been trying to split things up, but at a certain point everything became too entangled with client.KeyRing.PrivateKey. I basically made this PR by splitting that into SSHPrivateKey and TLSPrivateKey and then fixing everything that broke. But I'm not doing anything too interesting in here, almost all changes are client side and just updating everything to pass the right keys around.

Part of RFD 136

changelog: Added support for Ed25519 SSH keys and ECDSA TLS keys in CLI clients

@nklaassen nklaassen mentioned this pull request Aug 29, 2024
Closed
@nklaassen nklaassen marked this pull request as ready for review August 29, 2024 01:02
@github-actions github-actions Bot added database-access Database access related issues and PRs kubernetes-access machine-id size/md tctl tctl - Teleport admin tool tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Aug 29, 2024
@nklaassen nklaassen changed the title [draft] split SSH and TLS keys in tsh login split SSH and TLS keys in tsh login Aug 29, 2024
@nklaassen nklaassen force-pushed the nklaassen/split-client-login branch from 829bd85 to c220459 Compare August 30, 2024 22:22
@gravitational gravitational deleted a comment from github-actions Bot Aug 30, 2024
@gravitational gravitational deleted a comment from github-actions Bot Aug 30, 2024
@nklaassen nklaassen force-pushed the nklaassen/split-ssoLogin branch from cd74d63 to 4c40ee2 Compare September 4, 2024 15:56
@nklaassen nklaassen force-pushed the nklaassen/split-client-login branch from c220459 to 2f52a3c Compare September 4, 2024 16:11
Base automatically changed from nklaassen/split-ssoLogin to master September 4, 2024 19:33
@nklaassen nklaassen force-pushed the nklaassen/split-client-login branch 2 times, most recently from 1f27f95 to d829235 Compare September 6, 2024 21:46
@nklaassen nklaassen mentioned this pull request Sep 6, 2024
Merged
@nklaassen nklaassen changed the base branch from master to nklaassen/cryptosuite-refactor September 6, 2024 21:46
@nklaassen
Copy link
Copy Markdown
Contributor Author

nklaassen commented Sep 6, 2024
edited
Loading

I pulled out #46362 to make this PR slightly smaller.

This is also no longer a draft, but the github email subject still says [draft] since that was in the original title, I'm hoping that leaving this comment will make github reevaluate that and change the email subject edit: apparently not :(

Base automatically changed from nklaassen/cryptosuite-refactor to master September 9, 2024 17:15
@nklaassen nklaassen force-pushed the nklaassen/split-client-login branch from d829235 to c6038e6 Compare September 9, 2024 17:30
@nklaassen
Copy link
Copy Markdown
Contributor Author

nklaassen commented Sep 10, 2024

friendly ping @bernardjkim @greedy52 @tigrato @timothyb89

bernardjkim
bernardjkim approved these changes Sep 10, 2024
View reviewed changes
Comment thread api/utils/keys/privatekey.go Outdated
@nklaassen nklaassen force-pushed the nklaassen/split-client-login branch from 4d5df21 to 175b730 Compare September 11, 2024 20:52
@nklaassen
write out EC SSH keys in OpenSSH format
ee2a4ee
@nklaassen
fix lint
662c27b
@nklaassen
fix keyring comparisons
4689efa
@nklaassen
PrecomputeTestKeys in lib/client
c30fa5c
@nklaassen
parallelize TestNoRelogin subtests
04f2a36
@nklaassen
use ecdsa for self-signed TLS certs
0cabc3e
@nklaassen
remove redundant GetTrustedCerts
5fa105c
@nklaassen
improve latency of precomputeTestKeys
f279b9c 
Instead of waiting for all 25 test keys before returning a single one,
tests can now make use of the first precomputed test key as soon as it's
ready.
In local testing with this change, the first key is ready after ~75ms vs
>350ms on master.
@nklaassen
fix test and lint
a8c6ecf
@nklaassen nklaassen added this pull request to the merge queue Sep 12, 2024
Merged via the queue into master with commit eff0a70 Sep 12, 2024
@nklaassen nklaassen deleted the nklaassen/split-client-login branch September 12, 2024 19:53
@Joerger Joerger mentioned this pull request Sep 19, 2024
Merged
@Tener Tener mentioned this pull request Oct 4, 2024
Merged
@Joerger Joerger mentioned this pull request Apr 25, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tigrato tigrato tigrato approved these changes

@bernardjkim bernardjkim bernardjkim approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees

No one assigned

Labels

database-access Database access related issues and PRs kubernetes-access machine-id size/md tctl tctl - Teleport admin tool tsh tsh - Teleport's command line tool for logging into nodes running Teleport.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nklaassen @tigrato @bernardjkim @rosstimothy