From 559de236bd98fa884828c920dbbdce469e85373a Mon Sep 17 00:00:00 2001
From: Tim Ross
Date: Tue, 10 Sep 2024 15:42:53 -0400
Subject: [PATCH] Allow cluster wide ssh dial timeout to be set in config file
Adds a new `auth_service.ssh_dial_timeout` option to the config file. The cluster networking configuration is overridden during Auth initialization if the config file has any networking options present. Only allowing the SSH dial timeout to be set dynamically caused the value to be reset on each Auth restart.
---
 lib/config/configuration.go | 1 +
 lib/config/configuration_test.go | 2 ++
 lib/config/fileconf.go | 6 +++++-
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/config/configuration.go b/lib/config/configuration.go
index 51e380edd9363..200f305ee3be4 100644
--- a/lib/config/configuration.go
+++ b/lib/config/configuration.go
@@ -986,6 +986,7 @@ func applyAuthConfig(fc *FileConfig, cfg *servicecfg.Config) error {
 TunnelStrategy: fc.Auth.TunnelStrategy,
 ProxyPingInterval: fc.Auth.ProxyPingInterval,
 CaseInsensitiveRouting: fc.Auth.CaseInsensitiveRouting,
+ SSHDialTimeout: fc.Auth.SSHDialTimeout,
 })
 if err != nil {
 return trace.Wrap(err)
diff --git a/lib/config/configuration_test.go b/lib/config/configuration_test.go
index a0f91565a55c4..ccf1882a1891a 100644
--- a/lib/config/configuration_test.go
+++ b/lib/config/configuration_test.go
@@ -341,6 +341,7 @@ func TestConfigReading(t *testing.T) {
 WebIdleTimeout: types.Duration(19 * time.Second),
 RoutingStrategy: types.RoutingStrategy_MOST_RECENT,
 ProxyPingInterval: types.Duration(10 * time.Second),
+ SSHDialTimeout: types.Duration(45 * time.Second),
 },
 SSH: SSH{
 Service: Service{
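Review bot: The added `SSHDialTimeout: fc.Auth.SSHDialTimeout,` line in applyAuthConfig passes the file value to the networking-config constructor with no range check visible in this hunk, so a negative or implausibly large `ssh_dial_timeout` would become the cluster-wide setting unless the constructor (outside the hunk) rejects it. Because this one value governs every SSH dial in the cluster, a bad value is an availability problem for the whole deployment rather than for one node. Consider failing fast before the struct literal, e.g. `if fc.Auth.SSHDialTimeout < 0 { return trace.BadParameter("auth_service.ssh_dial_timeout must not be negative") }`. applyAuthConfig starts and ends outside the hunk.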
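Review bot: The expectation added to TestConfigReading (`SSHDialTimeout: types.Duration(45 * time.Second)`) and the matching fixture line in the makeConfigFixture hunk only pin a round-trip of one valid value that is set alongside other networking options. Nothing here covers a config where `ssh_dial_timeout` is the only networking option, which is the case the new clause in `hasCustomNetworkingConfig` (lib/config/fileconf.go) exists for. A small test that sets only `conf.Auth.SSHDialTimeout` and asserts `hasCustomNetworkingConfig()` returns true would keep that clause from regressing silently. Both test functions start and end outside their hunks.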
@@ -1552,6 +1553,7 @@ func makeConfigFixture() string {
 conf.Auth.DisconnectExpiredCert = types.NewBoolOption(true)
 conf.Auth.RoutingStrategy = types.RoutingStrategy_MOST_RECENT
 conf.Auth.ProxyPingInterval = types.NewDuration(10 * time.Second)
+ conf.Auth.SSHDialTimeout = types.NewDuration(45 * time.Second)
 
 // ssh service:
 conf.SSH.EnabledFlag = "true"
diff --git a/lib/config/fileconf.go b/lib/config/fileconf.go
index e16b72a74eef4..105733ab194b3 100644
--- a/lib/config/fileconf.go
+++ b/lib/config/fileconf.go
@@ -798,6 +798,9 @@ type Auth struct {
 // CaseInsensitiveRouting causes proxies to use case-insensitive hostname matching.
 CaseInsensitiveRouting bool `yaml:"case_insensitive_routing,omitempty"`
 
+ // SSHDialTimeout is the timeout value that should be used for SSH connections.
+ SSHDialTimeout types.Duration `yaml:"ssh_dial_timeout,omitempty"`
+
 // LoadAllCAs tells tsh to load the CAs for all clusters when trying
 // to ssh into a node, instead of just the CA for the current cluster.
 LoadAllCAs bool `yaml:"load_all_cas,omitempty"`
@@ -848,7 +851,8 @@ func (a *Auth) hasCustomNetworkingConfig() bool {
 a.ProxyListenerMode != empty.ProxyListenerMode ||
 a.RoutingStrategy != empty.RoutingStrategy ||
 a.TunnelStrategy != empty.TunnelStrategy ||
- a.ProxyPingInterval != empty.ProxyPingInterval
+ a.ProxyPingInterval != empty.ProxyPingInterval ||
+ a.SSHDialTimeout != empty.SSHDialTimeout
 }
 
 // hasCustomSessionRecording returns true if any of the session recording
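Review bot: The doc comment on the new `SSHDialTimeout` field in the Auth struct is vaguer than the commit message: it says "timeout value that should be used for SSH connections", while the option is a dial timeout that applies to the whole cluster. Something like `// SSHDialTimeout is the cluster-wide timeout for dialing SSH connections, written as a duration such as "45s".` would tell an operator what the knob bounds and how to write it (the duration-string form is assumed from the `types.Duration` type; confirm against its YAML unmarshaller). The Auth struct starts and ends outside the hunk.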
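Review bot: With the added `a.SSHDialTimeout != empty.SSHDialTimeout` clause in hasCustomNetworkingConfig, setting only `ssh_dial_timeout` in the file is now enough to mark the networking config as customised, and per the commit message that causes the cluster networking configuration to be overridden during Auth initialization. That presumably also replaces dynamically set values of the sibling fields built in applyAuthConfig (`TunnelStrategy`, `ProxyPingInterval`, `CaseInsensitiveRouting`, …) with whatever the file holds, which an operator adding a single timeout line may not expect. It is worth stating in the function's comment, e.g. `// Any non-zero field, including SSHDialTimeout, makes the file the source of the whole networking config on Auth start.` Note also that an explicit `0s` compares equal to the empty value and is therefore treated as unset. The function begins outside the hunk.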