Role configuration for default host user shell #46539
The PR changelog entry failed validation: The changelog entry must not contain a Markdown link or image.
| // Verify users have the correct shell assigned | ||
| userShells, err := getUserShells("/etc/passwd") | ||
| require.NoError(t, err) |
Alternatively, we could run `echo $SHELL` as each user and validate the output matches our expectations.
Yeah I considered this too 🤔 Would there be any benefits to doing one versus the other? Parsing the file seemed simpler to me than spinning up commands, but I'd be happy to swap for this if it's a more robust test
I suppose it would also validate that a user with a custom shell provisioned is able to access the target host. I don't think there are any other tests that both set a custom shell and start an SSH session.
> I don't think there are any other tests that both set a custom shell and start an SSH session.

There aren't, but I can take a look at adding one if you think we need the extra coverage. Although that seems like testing the behavior of the host more so than the behavior of Teleport, since how things are handled after updating /etc/passwd is up to the host.
Relates to #14252
This PR adds the `host_user_shell` configuration to the role spec. Once defined, any newly created host users should have their default shell assigned to reflect the value in `host_user_shell`. If a path cannot be resolved, then we log a warning reflecting that and fall back to the default behavior of the host. One thing I'd like some feedback on is how best to handle multiple roles defining `host_user_shell`. Right now this PR does the simplest thing and returns the first value for `host_user_shell` encountered. I'm not entirely sure how often this will happen in real world scenarios, so I'm not sure if we need to figure out something more robust or if this is good enough for now.

changelog: Added a new `create_host_user_default_shell` configuration under role options that changes the default shell of auto provisioned host users. `create_host_user_default_shell` can be set to a shell's absolute path or the name of a shell reachable through the system PATH. This only applies to users created after `create_host_user_default_shell` has been assigned. An example can be found in the roles reference: https://goteleport.com/docs/reference/access-controls/roles/#example-role-specification
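
The resolution and first-value rules from the description above, as an added Go example that is not code from this PR or from Teleport. `resolveShell` and `firstShell` are hypothetical names, and rejecting relative paths such as `./sh` is an assumption the description does not state.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// resolveShell (hypothetical, not Teleport code): an error means warn and keep the host default.
func resolveShell(configured string) (string, error) {
	if filepath.IsAbs(configured) {
		info, err := os.Stat(configured)
		if err != nil {
			return "", fmt.Errorf("shell %q: %w", configured, err)
		}
		if !info.Mode().IsRegular() || info.Mode().Perm()&0o111 == 0 {
			return "", fmt.Errorf("shell %q is not an executable file", configured)
		}
		return filepath.Clean(configured), nil
	}
	// Assumption: a non-absolute value must be a bare name. exec.LookPath would
	// otherwise accept "./sh" or "bin/sh" relative to the working directory.
	if configured == "" || strings.ContainsRune(configured, filepath.Separator) {
		return "", fmt.Errorf("shell %q is neither an absolute path nor a bare name", configured)
	}
	found, err := exec.LookPath(configured)
	if err != nil {
		return "", fmt.Errorf("shell %q not found on PATH: %w", configured, err)
	}
	return filepath.Abs(found)
}

// firstShell applies the "first value encountered" rule, so the result depends on input order.
func firstShell(roleShells []string) string {
	for _, s := range roleShells {
		if s != "" {
			return s
		}
	}
	return ""
}

func main() {
	cfg := firstShell([]string{"", "sh", "bash"}) // constructed role values
	path, err := resolveShell(cfg)
	fmt.Printf("%q -> %q (warning: %v)\n", cfg, path, err)
}
```

Because `firstShell` is order-dependent, two roles that set different shells give a stable result only if the caller passes the role values in a deterministic order.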