From 51cc9395ecda27942e43451722ef422c10147a93 Mon Sep 17 00:00:00 2001
From: Tim Ross
Date: Tue, 10 Sep 2024 15:42:53 -0400
Subject: [PATCH] Allow cluster wide ssh dial timeout to be set in config file

Adds a new `auth_service.ssh_dial_timeout` option to the config file. The cluster networking configuration is overridden during Auth initialization if the config file has any networking options present. Only allowing the SSH dial timeout to be set dynamically caused the value to be reset on each Auth restart.
---
 lib/config/configuration.go | 1 +
 lib/config/configuration_test.go | 2 ++
 lib/config/fileconf.go | 6 +++++-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/config/configuration.go b/lib/config/configuration.go
index 76a6514d02fea..438941a00b61e 100644
--- a/lib/config/configuration.go
+++ b/lib/config/configuration.go
@@ -986,6 +986,7 @@ func applyAuthConfig(fc *FileConfig, cfg *servicecfg.Config) error {
 TunnelStrategy: fc.Auth.TunnelStrategy,
 ProxyPingInterval: fc.Auth.ProxyPingInterval,
 CaseInsensitiveRouting: fc.Auth.CaseInsensitiveRouting,
+ SSHDialTimeout: fc.Auth.SSHDialTimeout,
 })
 if err != nil {
 return trace.Wrap(err)
diff --git a/lib/config/configuration_test.go b/lib/config/configuration_test.go
index 2560e8e8c5c23..860133ac5fa48 100644
--- a/lib/config/configuration_test.go
+++ b/lib/config/configuration_test.go
@@ -339,6 +339,7 @@ func TestConfigReading(t *testing.T) {
 WebIdleTimeout: types.Duration(19 * time.Second),
 RoutingStrategy: types.RoutingStrategy_MOST_RECENT,
 ProxyPingInterval: types.Duration(10 * time.Second),
+ SSHDialTimeout: types.Duration(45 * time.Second),
 },
 SSH: SSH{
 Service: Service{
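Review bot: `fc.Auth.SSHDialTimeout` is copied into the cluster networking spec in applyAuthConfig exactly as parsed, and nothing visible in this hunk bounds it. A negative or near-zero duration from `ssh_dial_timeout` would apply cluster-wide and could make SSH dials fail everywhere, while a very large one lets stalled dials hold resources longer. The constructor this literal is passed to begins outside the hunk, so whether it already rejects such values is unverified; if it does not, add a guard before the literal such as `if fc.Auth.SSHDialTimeout < 0 { return trace.BadParameter("auth_service.ssh_dial_timeout must not be negative") }`. applyAuthConfig starts and ends outside the hunk.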
@@ -1550,6 +1551,7 @@ func makeConfigFixture() string {
 conf.Auth.DisconnectExpiredCert = types.NewBoolOption(true)
 conf.Auth.RoutingStrategy = types.RoutingStrategy_MOST_RECENT
 conf.Auth.ProxyPingInterval = types.NewDuration(10 * time.Second)
+ conf.Auth.SSHDialTimeout = types.NewDuration(45 * time.Second)

 // ssh service:
 conf.SSH.EnabledFlag = "true"
diff --git a/lib/config/fileconf.go b/lib/config/fileconf.go
index 55bc4133a148d..def6277f8e4ad 100644
--- a/lib/config/fileconf.go
+++ b/lib/config/fileconf.go
@@ -798,6 +798,9 @@ type Auth struct {
 // CaseInsensitiveRouting causes proxies to use case-insensitive hostname matching.
 CaseInsensitiveRouting bool `yaml:"case_insensitive_routing,omitempty"`

+ // SSHDialTimeout is the timeout value that should be used for SSH connections.
+ SSHDialTimeout types.Duration `yaml:"ssh_dial_timeout,omitempty"`
+
 // LoadAllCAs tells tsh to load the CAs for all clusters when trying
 // to ssh into a node, instead of just the CA for the current cluster.
 LoadAllCAs bool `yaml:"load_all_cas,omitempty"`
@@ -848,7 +851,8 @@ func (a *Auth) hasCustomNetworkingConfig() bool {
 a.ProxyListenerMode != empty.ProxyListenerMode ||
 a.RoutingStrategy != empty.RoutingStrategy ||
 a.TunnelStrategy != empty.TunnelStrategy ||
- a.ProxyPingInterval != empty.ProxyPingInterval
+ a.ProxyPingInterval != empty.ProxyPingInterval ||
+ a.SSHDialTimeout != empty.SSHDialTimeout
 }

 // hasCustomSessionRecording returns true if any of the session recording
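Review bot: The doc comment on the new `SSHDialTimeout` field in the Auth struct does not say that the value is cluster-wide, nor what an omitted or zero value means. The commit description calls it a cluster-wide dial timeout and says setting any networking option makes Auth override the cluster networking configuration from the file on start, so the comment should carry that. Something like `// SSHDialTimeout is the cluster-wide timeout for dialing SSH connections. Setting it makes Auth apply the networking options from this file on start; zero means unset.` would do, with the zero-value wording confirmed against the consumer of the field. The Auth struct starts and ends outside the hunk.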
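Review bot: With `a.SSHDialTimeout != empty.SSHDialTimeout` added to the chain in hasCustomNetworkingConfig, a config file that sets only `ssh_dial_timeout` now counts as custom networking config. Per the commit description, the cluster networking configuration is then overridden on Auth start, so dynamically set values of the other networking fields would presumably be replaced too. That side effect is worth a sentence in the function's doc comment, and a test asserting that hasCustomNetworkingConfig() returns true when SSHDialTimeout is the only field set; the fixture changes in configuration_test.go cover parsing only. Because the comparison is against the zero value, an explicit `ssh_dial_timeout: 0` is indistinguishable from an omitted key. The function begins outside the hunk.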