diff --git a/lib/config/openssh/openssh.go b/lib/config/openssh/openssh.go index 29132cf33770e..50abe0daadc0c 100644 --- a/lib/config/openssh/openssh.go +++ b/lib/config/openssh/openssh.go @@ -176,3 +176,58 @@ func WriteMuxedSSHConfig(w io.Writer, config *MuxedSSHConfigParameters) error { return nil } + +var clusterSSHConfigTmpl = template.Must(template.New("cluster-ssh-config").Funcs(template.FuncMap{ + "proxyCommandQuote": proxyCommandQuote, +}).Parse( + `# Cluster-specific ssh_config generated by {{ .AppName }} for cluster '{{ .ClusterName }}' via proxy '{{ .ProxyHost }}:{{ .ProxyPort }}' +UserKnownHostsFile "{{ .KnownHostsPath }}" +IdentityFile "{{ .IdentityFilePath }}" +CertificateFile "{{ .CertificateFilePath }}" +Port {{ .Port }} +ProxyCommand {{ proxyCommandQuote .ExecutablePath }} ssh-proxy-command --destination-dir={{ proxyCommandQuote .DestinationDir }} --proxy-server={{ proxyCommandQuote (print .ProxyHost ":" .ProxyPort) }} --cluster={{ proxyCommandQuote .ClusterName }} {{ if .TLSRouting }}--tls-routing{{ else }}--no-tls-routing{{ end }} {{ if .ConnectionUpgrade }}--connection-upgrade{{ else }}--no-connection-upgrade{{ end }} {{ if .Resume }}--resume{{ else }}--no-resume{{ end }} --user=%r --host=%h --port=%p +`)) + +// ClusterSSHConfigParameters is the parameter set for GetClusterSSHConfig. +type ClusterSSHConfigParameters struct { + AppName SSHConfigApps + ClusterName string + KnownHostsPath string + IdentityFilePath string + CertificateFilePath string + ProxyHost string + ProxyPort string + ExecutablePath string + DestinationDir string + Port int + ConnectionUpgrade bool + TLSRouting bool + Insecure bool + FIPS bool + Resume bool +} + +type clusterSSHConfigTmplParams struct { + ClusterSSHConfigParameters +} + +// WriteClusterSSHConfig generate a ssh_config that proxies SSH connections via +// tbot and through to a single Teleport cluster. It performs no matching on +// the hostname. +// +// As it does not use the Host match directive, it is also includable within +// another ssh_config, which allows for more complex and customized +// configurations. +func WriteClusterSSHConfig(sb *strings.Builder, config *ClusterSSHConfigParameters) error { + if config.Port == 0 { + config.Port = defaults.SSHServerListenPort + } + + if err := clusterSSHConfigTmpl.Execute(sb, clusterSSHConfigTmplParams{ + ClusterSSHConfigParameters: *config, + }); err != nil { + return trace.Wrap(err) + } + + return nil +} diff --git a/lib/config/openssh/openssh_test.go b/lib/config/openssh/openssh_test.go index 01f888b5e3b13..73eca420849d3 100644 --- a/lib/config/openssh/openssh_test.go +++ b/lib/config/openssh/openssh_test.go @@ -178,3 +178,66 @@ func TestWriteMuxedSSHConfig(t *testing.T) { }) } } + +func TestWriteClusterSSHConfig(t *testing.T) { + tests := []struct { + name string + sshVersion string + config *ClusterSSHConfigParameters + }{ + { + name: "legacy OpenSSH", + sshVersion: "7.4.0", + config: &ClusterSSHConfigParameters{ + AppName: TbotApp, + ClusterName: "example.teleport.sh", + DestinationDir: "/opt/machine-id", + KnownHostsPath: "/opt/machine-id/example.teleport.sh.known_hosts", + CertificateFilePath: "/opt/machine-id/key-cert.pub", + IdentityFilePath: "/opt/machine-id/key", + ExecutablePath: "/bin/tbot", + ProxyHost: "example.teleport.sh", + ProxyPort: "443", + Port: 1234, + Insecure: true, + FIPS: true, + TLSRouting: true, + ConnectionUpgrade: true, + Resume: true, + }, + }, + { + name: "modern OpenSSH", + sshVersion: "9.0.0", + config: &ClusterSSHConfigParameters{ + AppName: TbotApp, + ClusterName: "example.teleport.sh", + DestinationDir: "/opt/machine-id", + KnownHostsPath: "/opt/machine-id/example.teleport.sh.known_hosts", + CertificateFilePath: "/opt/machine-id/key-cert.pub", + IdentityFilePath: "/opt/machine-id/key", + ExecutablePath: "/bin/tbot", + ProxyHost: "example.teleport.sh", + ProxyPort: "443", + Port: 1234, + Insecure: false, + FIPS: false, + TLSRouting: false, + ConnectionUpgrade: false, + Resume: false, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + sb := &strings.Builder{} + err := WriteClusterSSHConfig(sb, tt.config) + if golden.ShouldSet() { + golden.Set(t, []byte(sb.String())) + } + require.NoError(t, err) + require.Equal(t, string(golden.Get(t)), sb.String()) + }) + } +} diff --git a/lib/config/openssh/testdata/TestWriteClusterSSHConfig/legacy_OpenSSH.golden b/lib/config/openssh/testdata/TestWriteClusterSSHConfig/legacy_OpenSSH.golden new file mode 100644 index 0000000000000..21ded6957b9af --- /dev/null +++ b/lib/config/openssh/testdata/TestWriteClusterSSHConfig/legacy_OpenSSH.golden @@ -0,0 +1,6 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'example.teleport.sh' via proxy 'example.teleport.sh:443' +UserKnownHostsFile "/opt/machine-id/example.teleport.sh.known_hosts" +IdentityFile "/opt/machine-id/key" +CertificateFile "/opt/machine-id/key-cert.pub" +Port 1234 +ProxyCommand '/bin/tbot' ssh-proxy-command --destination-dir='/opt/machine-id' --proxy-server='example.teleport.sh:443' --cluster='example.teleport.sh' --tls-routing --connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/config/openssh/testdata/TestWriteClusterSSHConfig/modern_OpenSSH.golden b/lib/config/openssh/testdata/TestWriteClusterSSHConfig/modern_OpenSSH.golden new file mode 100644 index 0000000000000..ffcbc48535629 --- /dev/null +++ b/lib/config/openssh/testdata/TestWriteClusterSSHConfig/modern_OpenSSH.golden @@ -0,0 +1,6 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'example.teleport.sh' via proxy 'example.teleport.sh:443' +UserKnownHostsFile "/opt/machine-id/example.teleport.sh.known_hosts" +IdentityFile "/opt/machine-id/key" +CertificateFile "/opt/machine-id/key-cert.pub" +Port 1234 +ProxyCommand '/bin/tbot' ssh-proxy-command --destination-dir='/opt/machine-id' --proxy-server='example.teleport.sh:443' --cluster='example.teleport.sh' --no-tls-routing --no-connection-upgrade --no-resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/service_identity_output.go b/lib/tbot/service_identity_output.go index d5ae55855893e..ace9f0a744349 100644 --- a/lib/tbot/service_identity_output.go +++ b/lib/tbot/service_identity_output.go @@ -176,6 +176,7 @@ func (s *IdentityOutputService) generate(ctx context.Context) error { } if err := renderSSHConfig( ctx, + s.log, proxyPing, clusterNames, s.cfg.Destination, @@ -237,6 +238,7 @@ type alpnTester interface { func renderSSHConfig( ctx context.Context, + log *slog.Logger, proxyPing *webclient.PingResponse, clusterNames []string, dest bot.Destination, @@ -261,7 +263,7 @@ func renderSSHConfig( // We'll write known_hosts regardless of Destination type, it's still // useful alongside a manually-written ssh_config. - knownHosts, err := ssh.GenerateKnownHosts( + knownHosts, clusterKnownHosts, err := ssh.GenerateKnownHosts( ctx, certAuthGetter, clusterNames, @@ -332,7 +334,6 @@ func renderSSHConfig( FIPS: botCfg.FIPS, TLSRouting: proxyPing.Proxy.TLSRoutingEnabled, ConnectionUpgrade: connUpgradeRequired, - // Session resumption is enabled by default, this can be // configurable at a later date if we discover reasons for this to // be disabled. @@ -341,6 +342,53 @@ func renderSSHConfig( return trace.Wrap(err) } + // Generate the per cluster files + for _, clusterName := range clusterNames { + sshConfigName := fmt.Sprintf("%s.%s", clusterName, ssh.ConfigName) + knownHostsName := fmt.Sprintf("%s.%s", clusterName, ssh.KnownHostsName) + knownHostsPath := filepath.Join(absDestPath, knownHostsName) + + sb := &strings.Builder{} + if err := openssh.WriteClusterSSHConfig(sb, &openssh.ClusterSSHConfigParameters{ + AppName: openssh.TbotApp, + ClusterName: clusterName, + KnownHostsPath: knownHostsPath, + IdentityFilePath: identityFilePath, + CertificateFilePath: certificateFilePath, + ProxyHost: proxyHost, + ProxyPort: proxyPort, + ExecutablePath: executablePath, + DestinationDir: absDestPath, + + Insecure: botCfg.Insecure, + FIPS: botCfg.FIPS, + TLSRouting: proxyPing.Proxy.TLSRoutingEnabled, + ConnectionUpgrade: connUpgradeRequired, + // Session resumption is enabled by default, this can be + // configurable at a later date if we discover reasons for this to + // be disabled. + Resume: true, + }); err != nil { + return trace.Wrap(err) + } + if err := destDirectory.Write(ctx, sshConfigName, []byte(sb.String())); err != nil { + return trace.Wrap(err) + } + + knownHosts, ok := clusterKnownHosts[clusterName] + if !ok { + log.WarnContext( + ctx, + "No generated known_hosts for cluster, will skip", + "cluster", clusterName, + ) + continue + } + if err := destDirectory.Write(ctx, knownHostsName, []byte(knownHosts)); err != nil { + return trace.Wrap(err) + } + } + if err := destDirectory.Write(ctx, ssh.ConfigName, []byte(sshConfigBuilder.String())); err != nil { return trace.Wrap(err) } diff --git a/lib/tbot/service_identity_output_test.go b/lib/tbot/service_identity_output_test.go index 5bbfd4cbfd931..1cfbc3dcb91f2 100644 --- a/lib/tbot/service_identity_output_test.go +++ b/lib/tbot/service_identity_output_test.go @@ -21,6 +21,7 @@ package tbot import ( "bytes" "context" + "fmt" "os" "path/filepath" "slices" @@ -35,6 +36,7 @@ import ( "github.com/gravitational/teleport/lib/tbot/botfs" "github.com/gravitational/teleport/lib/tbot/config" "github.com/gravitational/teleport/lib/tbot/ssh" + "github.com/gravitational/teleport/lib/utils" "github.com/gravitational/teleport/lib/utils/golden" ) @@ -154,6 +156,7 @@ func Test_renderSSHConfig(t *testing.T) { err := renderSSHConfig( context.Background(), + utils.NewSlogLoggerForTests(), &webclient.PingResponse{ ClusterName: mockClusterName, Proxy: webclient.ProxySettings{ @@ -197,6 +200,35 @@ func Test_renderSSHConfig(t *testing.T) { require.Equal( t, string(golden.GetNamed(t, "ssh_config")), string(sshConfigBytes), ) + + for clusterType, clusterName := range map[string]string{ + "local": mockClusterName, + "remote": mockRemoteClusterName, + } { + clusterKnownHostBytes, err := os.ReadFile( + filepath.Join(dir, fmt.Sprintf("%s.%s", clusterName, ssh.KnownHostsName)), + ) + require.NoError(t, err) + clusterKnownHostBytes = replaceTestDir(clusterKnownHostBytes) + clusterSSHConfigBytes, err := os.ReadFile( + filepath.Join(dir, fmt.Sprintf("%s.%s", clusterName, ssh.ConfigName)), + ) + require.NoError(t, err) + clusterSSHConfigBytes = replaceTestDir(clusterSSHConfigBytes) + + configGolden := fmt.Sprintf("%s_cluster_ssh_config", clusterType) + knownHostsGolden := fmt.Sprintf("%s_cluster_known_hosts", clusterType) + if golden.ShouldSet() { + golden.SetNamed(t, knownHostsGolden, clusterKnownHostBytes) + golden.SetNamed(t, configGolden, clusterSSHConfigBytes) + } + require.Equal( + t, string(golden.GetNamed(t, knownHostsGolden)), string(clusterKnownHostBytes), + ) + require.Equal( + t, string(golden.GetNamed(t, configGolden)), string(clusterSSHConfigBytes), + ) + } }) } } diff --git a/lib/tbot/service_ssh_multiplexer.go b/lib/tbot/service_ssh_multiplexer.go index 4cbfdaf34ef52..1817ec0582252 100644 --- a/lib/tbot/service_ssh_multiplexer.go +++ b/lib/tbot/service_ssh_multiplexer.go @@ -158,7 +158,7 @@ func (s *SSHMultiplexerService) writeArtifacts( } // Generate known hosts - knownHosts, err := ssh.GenerateKnownHosts( + knownHosts, _, err := ssh.GenerateKnownHosts( ctx, s.botAuthClient, clusterNames, diff --git a/lib/tbot/ssh/ssh.go b/lib/tbot/ssh/ssh.go index 94d181097f74d..a36bcc2cfaa5c 100644 --- a/lib/tbot/ssh/ssh.go +++ b/lib/tbot/ssh/ssh.go @@ -48,12 +48,17 @@ type certAuthorityGetter interface { // GenerateKnownHosts generates a known_hosts file for the provided cluster // names and proxy hosts. +// +// It produces: +// - A main known_hosts file that includes all the clusters, with each +// cluster's CA limited to the wildcard of the cluster's domain name. +// - A known_hosts file per cluster that will match any hostname. func GenerateKnownHosts( ctx context.Context, bot certAuthorityGetter, clusterNames []string, proxyHosts string, -) (string, error) { +) (string, map[string]string, error) { certAuthorities := make([]types.CertAuthority, 0, len(clusterNames)) for _, cn := range clusterNames { ca, err := bot.GetCertAuthority(ctx, types.CertAuthID{ @@ -61,26 +66,41 @@ func GenerateKnownHosts( DomainName: cn, }, false) if err != nil { - return "", trace.Wrap(err) + return "", nil, trace.Wrap(err) } certAuthorities = append(certAuthorities, ca) } + perCluster := make(map[string]string) var sb strings.Builder for _, auth := range authclient.AuthoritiesToTrustedCerts(certAuthorities) { pubKeys, err := auth.SSHCertPublicKeys() if err != nil { - return "", trace.Wrap(err) + return "", nil, trace.Wrap(err) } + var perClusterSB strings.Builder + fmt.Fprintf( + &perClusterSB, + "# Cluster specific known_hosts generated for cluster '%s'\n", + auth.ClusterName, + ) for _, pubKey := range pubKeys { bytes := ssh.MarshalAuthorizedKey(pubKey) fmt.Fprintf(&sb, "@cert-authority %s,%s,*.%s %s type=host\n", - proxyHosts, auth.ClusterName, auth.ClusterName, strings.TrimSpace(string(bytes)), + proxyHosts, + auth.ClusterName, + auth.ClusterName, + strings.TrimSpace(string(bytes)), + ) + fmt.Fprintf(&perClusterSB, + "@cert-authority * %s type=host\n", + strings.TrimSpace(string(bytes)), ) } + perCluster[auth.ClusterName] = perClusterSB.String() } - return sb.String(), nil + return sb.String(), perCluster, nil } diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/cluster_known_hosts.golden new file mode 100644 index 0000000000000..a9d2eaf597f37 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster-specific known_hosts for tele.blackmesa.gov +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/cluster_ssh_config.golden new file mode 100644 index 0000000000000..9e8b3d6ab5dba --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/cluster_ssh_config.golden @@ -0,0 +1,8 @@ +# Begin generated Teleport configuration for cluster tele.blackmesa.gov with proxy tele.blackmesa.gov by tbot +UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p +# End generated Teleport configuration diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/local_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/local_cluster_known_hosts.golden new file mode 100644 index 0000000000000..df2500bab9455 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/local_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.blackmesa.gov' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/local_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/local_cluster_ssh_config.golden new file mode 100644 index 0000000000000..158dfa74355d6 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/local_cluster_ssh_config.golden @@ -0,0 +1,7 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.blackmesa.gov' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/remote_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/remote_cluster_known_hosts.golden new file mode 100644 index 0000000000000..c997734d025da --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/remote_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.aperture.labs' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/remote_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/remote_cluster_ssh_config.golden new file mode 100644 index 0000000000000..b8c0730cc6dfc --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH/remote_cluster_ssh_config.golden @@ -0,0 +1,7 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.aperture.labs' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.aperture.labs.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.aperture.labs' --tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/cluster_known_hosts.golden new file mode 100644 index 0000000000000..a9d2eaf597f37 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster-specific known_hosts for tele.blackmesa.gov +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/cluster_ssh_config.golden new file mode 100644 index 0000000000000..831eceaa493a8 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/cluster_ssh_config.golden @@ -0,0 +1,8 @@ +# Begin generated Teleport configuration for cluster tele.blackmesa.gov with proxy tele.blackmesa.gov by tbot +UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --tls-routing --connection-upgrade --resume --user=%r --host=%h --port=%p +# End generated Teleport configuration diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/local_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/local_cluster_known_hosts.golden new file mode 100644 index 0000000000000..df2500bab9455 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/local_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.blackmesa.gov' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/local_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/local_cluster_ssh_config.golden new file mode 100644 index 0000000000000..d449cd75ceaba --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/local_cluster_ssh_config.golden @@ -0,0 +1,7 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.blackmesa.gov' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --tls-routing --connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/remote_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/remote_cluster_known_hosts.golden new file mode 100644 index 0000000000000..c997734d025da --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/remote_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.aperture.labs' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/remote_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/remote_cluster_ssh_config.golden new file mode 100644 index 0000000000000..72cf096834fce --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/latest_OpenSSH_with_alpn_upgrade/remote_cluster_ssh_config.golden @@ -0,0 +1,7 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.aperture.labs' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.aperture.labs.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.aperture.labs' --tls-routing --connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/cluster_known_hosts.golden new file mode 100644 index 0000000000000..a9d2eaf597f37 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster-specific known_hosts for tele.blackmesa.gov +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/cluster_ssh_config.golden new file mode 100644 index 0000000000000..58b9bb728996f --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/cluster_ssh_config.golden @@ -0,0 +1,8 @@ +# Begin generated Teleport configuration for cluster tele.blackmesa.gov with proxy tele.blackmesa.gov by tbot +UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +HostKeyAlgorithms ssh-rsa-cert-v01@openssh.com +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p +# End generated Teleport configuration diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/local_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/local_cluster_known_hosts.golden new file mode 100644 index 0000000000000..df2500bab9455 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/local_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.blackmesa.gov' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/local_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/local_cluster_ssh_config.golden new file mode 100644 index 0000000000000..5d565135ba694 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/local_cluster_ssh_config.golden @@ -0,0 +1,6 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.blackmesa.gov' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/remote_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/remote_cluster_known_hosts.golden new file mode 100644 index 0000000000000..c997734d025da --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/remote_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.aperture.labs' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/remote_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/remote_cluster_ssh_config.golden new file mode 100644 index 0000000000000..b0e708ee69109 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/remote_cluster_ssh_config.golden @@ -0,0 +1,6 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.aperture.labs' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.aperture.labs.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.aperture.labs' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/cluster_known_hosts.golden new file mode 100644 index 0000000000000..a9d2eaf597f37 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster-specific known_hosts for tele.blackmesa.gov +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/cluster_ssh_config.golden new file mode 100644 index 0000000000000..534ab5b78e7e6 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/cluster_ssh_config.golden @@ -0,0 +1,8 @@ +# Begin generated Teleport configuration for cluster tele.blackmesa.gov with proxy tele.blackmesa.gov by tbot +UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +HostKeyAlgorithms rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p +# End generated Teleport configuration diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/local_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/local_cluster_known_hosts.golden new file mode 100644 index 0000000000000..df2500bab9455 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/local_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.blackmesa.gov' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/local_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/local_cluster_ssh_config.golden new file mode 100644 index 0000000000000..5d565135ba694 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/local_cluster_ssh_config.golden @@ -0,0 +1,6 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.blackmesa.gov' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/remote_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/remote_cluster_known_hosts.golden new file mode 100644 index 0000000000000..c997734d025da --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/remote_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.aperture.labs' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/remote_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/remote_cluster_ssh_config.golden new file mode 100644 index 0000000000000..b0e708ee69109 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/remote_cluster_ssh_config.golden @@ -0,0 +1,6 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.aperture.labs' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.aperture.labs.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.aperture.labs' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/local_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/local_cluster_known_hosts.golden new file mode 100644 index 0000000000000..df2500bab9455 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/local_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.blackmesa.gov' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/local_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/local_cluster_ssh_config.golden new file mode 100644 index 0000000000000..2059c0ba137ce --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/local_cluster_ssh_config.golden @@ -0,0 +1,6 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.blackmesa.gov' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --tls-routing --connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/remote_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/remote_cluster_known_hosts.golden new file mode 100644 index 0000000000000..c997734d025da --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/remote_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.aperture.labs' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/remote_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/remote_cluster_ssh_config.golden new file mode 100644 index 0000000000000..2bc14e26fd2b8 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_alpn_upgrade/remote_cluster_ssh_config.golden @@ -0,0 +1,6 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.aperture.labs' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.aperture.labs.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.aperture.labs' --tls-routing --connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/local_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/local_cluster_known_hosts.golden new file mode 100644 index 0000000000000..df2500bab9455 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/local_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.blackmesa.gov' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/local_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/local_cluster_ssh_config.golden new file mode 100644 index 0000000000000..543636a4b3233 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/local_cluster_ssh_config.golden @@ -0,0 +1,6 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.blackmesa.gov' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/remote_cluster_known_hosts.golden b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/remote_cluster_known_hosts.golden new file mode 100644 index 0000000000000..c997734d025da --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/remote_cluster_known_hosts.golden @@ -0,0 +1,3 @@ +# Cluster specific known_hosts generated for cluster 'tele.aperture.labs' +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host +@cert-authority * ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8kYdyZA1ZSNjZ4pqybDXvWplHQHkU6fPL+cAYHUkAT5CiQV4GOjwaSTcvZNK5U2fQ0jm6jknCnsZi1t9JujCjXUT3bYHCnSwWhXN55QzIu530Q/MeXz5W8TxYRrWULgPhqqtq8B9N554+s40higG21fmhhdDtpmQzw3vJLspY05mnL1+fW+RIKkM4rb150sdZXKINxfNQvERteE8WX0vL2yG4RuqJzYtGCDEGeHd+HLne7xfmqPxun7bUYaxAlplhm1z2J41hqaj8pBwDSEV9SBOZXvh6FjS9nvJCT7Z1bbZwWrAO/7E2ac0eV+5iEc0J+TyufO3F9uod+J+AICtB type=host diff --git a/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/remote_cluster_ssh_config.golden b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/remote_cluster_ssh_config.golden new file mode 100644 index 0000000000000..fb295574749d5 --- /dev/null +++ b/lib/tbot/testdata/Test_renderSSHConfig/tls_routing,_no_alpn_upgrade/remote_cluster_ssh_config.golden @@ -0,0 +1,6 @@ +# Cluster-specific ssh_config generated by tbot for cluster 'tele.aperture.labs' via proxy 'tele.blackmesa.gov:443' +UserKnownHostsFile "/test/dir/tele.aperture.labs.known_hosts" +IdentityFile "/test/dir/key" +CertificateFile "/test/dir/key-cert.pub" +Port 3022 +ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.aperture.labs' --tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p diff --git a/tool/tctl/common/terraform_command.go b/tool/tctl/common/terraform_command.go index 798c4de0b9997..ad23d43727cfd 100644 --- a/tool/tctl/common/terraform_command.go +++ b/tool/tctl/common/terraform_command.go @@ -350,7 +350,7 @@ func (c *TerraformCommand) useBotToObtainIdentity(ctx context.Context, addr util if err != nil { return nil, nil, trace.Wrap(err, "retrieving cluster name") } - knownHosts, err := ssh.GenerateKnownHosts(ctx, clt, []string{clusterName.GetClusterName()}, addr.Host()) + knownHosts, _, err := ssh.GenerateKnownHosts(ctx, clt, []string{clusterName.GetClusterName()}, addr.Host()) if err != nil { return nil, nil, trace.Wrap(err, "retrieving SSH Host CA") }