
Machine ID: Generate "includable" ssh_configs#46397

Merged
strideynet merged 8 commits into master from strideynet/flexible-ssh-config-output-tbot on Sep 17, 2024

Conversation


@strideynet strideynet commented Sep 9, 2024

Closes #46330

Adds an ssh_config and known_hosts per cluster:

  • example.teleport.sh.ssh_config
  • example.teleport.sh.known_hosts

These do not use the host matcher directive as the current configs do; this means that you are able to specify a host using its bare hostname, e.g. "my-machine.foo", and with its cluster-appended hostname, e.g. "my-machine.foo.example.teleport.sh". This also opens the door to better supporting ProxyTemplates in the near future.

As these do not include the host matcher, the user is able to define their own ssh_config and include this ssh_config using the Include directive, allowing for more flexible configurations.

➜  teleport git:(strideynet/flexible-ssh-config-output-tbot) ✗ ssh -F ./tbot-out/leaf.tele.ottr.sh.ssh_config noah@grus hostname
grus.net.stellar.haus
➜  teleport git:(strideynet/flexible-ssh-config-output-tbot) ✗ ssh -F ./tbot-out/leaf.tele.ottr.sh.ssh_config noah@grus.leaf.tele.ottr.sh hostname
grus.net.stellar.haus

# Cluster-specific ssh_config generated by tbot for cluster 'leaf.tele.ottr.sh' via proxy 'leaf.tele.ottr.sh:443'
UserKnownHostsFile "/Users/noah/code/gravitational/teleport/tbot-out/leaf.tele.ottr.sh.known_hosts"
IdentityFile "/Users/noah/code/gravitational/teleport/tbot-out/key"
CertificateFile "/Users/noah/code/gravitational/teleport/tbot-out/key-cert.pub"
HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com
Port 3022
ProxyCommand '/Users/noah/code/gravitational/teleport/build/tbot' ssh-proxy-command --destination-dir='/Users/noah/code/gravitational/teleport/tbot-out' --proxy-server='leaf.tele.ottr.sh:443' --cluster='leaf.tele.ottr.sh' --tls-routing --connection-upgrade --resume --user=%r --host=%h --port=%p

changelog: Machine ID now generates cluster-specific ssh_config and known_host files which will always direct SSH connections made using them via Teleport.
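The way a user would consume the generated file is through the Include directive mentioned above. The following user-side ssh_config is an added example, not part of this PR or of tbot's own output; the cluster name example.teleport.sh, the output directory /home/me/tbot-out and the hostname my-machine.foo are assumptions. Because the generated file carries no Host line, including it inside a Host block scopes its IdentityFile, CertificateFile, UserKnownHostsFile, Port and ProxyCommand to that block only, so other hosts keep their ordinary SSH settings.

```sshconfig
# ~/.ssh/config (constructed example; cluster name and paths are assumptions)

# Hosts that must always be reached via Teleport. Listing the bare hostname
# alongside the cluster-suffixed pattern covers both forms the PR description
# shows working (ssh user@my-machine.foo and ssh user@my-machine.foo.example.teleport.sh).
# The included file has no Host line of its own, so its directives apply only here.
Host *.example.teleport.sh my-machine.foo
    Include /home/me/tbot-out/example.teleport.sh.ssh_config

# Everything else: plain SSH, unaffected by the included cluster config.
# This block must come after the Teleport block: ssh_config keeps the first
# value obtained for each option, so a conflicting IdentityFile here would
# otherwise win over the one from the generated file.
Host *
    IdentityFile ~/.ssh/id_ed25519
    UserKnownHostsFile ~/.ssh/known_hosts
```

To confirm the scoping behaves as intended, `ssh -G my-machine.foo` and `ssh -G some-other-host` print the effective options for each host; the first should show the tbot ProxyCommand and the cluster known_hosts file, the second should not. Include inside a Host block requires an OpenSSH client of version 7.3 or later.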

@strideynet strideynet marked this pull request as ready for review September 10, 2024 10:56
@github-actions github-actions Bot added machine-id size/md tctl tctl - Teleport admin tool labels Sep 10, 2024

@timothyb89 timothyb89 left a comment


Working well on my local cluster!

Comment thread lib/tbot/service_identity_output.go Outdated
@strideynet strideynet added this pull request to the merge queue Sep 17, 2024
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Sep 17, 2024
@strideynet strideynet added this pull request to the merge queue Sep 17, 2024
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Sep 17, 2024
@strideynet strideynet added this pull request to the merge queue Sep 17, 2024
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Sep 17, 2024
@strideynet strideynet added this pull request to the merge queue Sep 17, 2024
@strideynet strideynet removed this pull request from the merge queue due to a manual request Sep 17, 2024
@strideynet strideynet added this pull request to the merge queue Sep 17, 2024
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Sep 17, 2024
@strideynet strideynet added this pull request to the merge queue Sep 17, 2024
Merged via the queue into master with commit fcd3782 Sep 17, 2024
@strideynet strideynet deleted the strideynet/flexible-ssh-config-output-tbot branch September 17, 2024 17:10
@public-teleport-github-review-bot

@strideynet See the table below for backport results.

Branch Result
branch/v15 Failed
branch/v16 Failed

smallinsky pushed a commit that referenced this pull request Sep 20, 2024
* Hack on single-cluster SSH config

* Update callsite

* More thorough testing and adjusted header

* Switch to warn level message

* Update golden files

Development

Successfully merging this pull request may close these issues.

Machine ID: Allow ssh_config to be generated to match on any host
