[v15] Add tsh command to resolve a single host#47867
Merged
rosstimothy merged 1 commit intobranch/v15from Oct 23, 2024
Merged
Conversation
|
This pull request is automatically being deployed by Amplify Hosting (learn more). |
github-actions
Bot
added
backport
size/md
tsh
hugoShaka
approved these changes
Oct 23, 2024
GavinFrazar
approved these changes
Oct 23, 2024
`tsh resolve` allows identifying a single host either directly by
hostname, or via custom search/predicate expression from a matched
proxy template. The main use case is to provide a simple command
for users that wish to use `Match exec` in their SSH config. Today,
all matching in SSH config must be done via DNS and requires users
to add some Teleport specific suffix/prefix, or use a wildcard entry
to invoke a tsh proxy command.
For example, the SSH config generated today via `tsh config` is the
following:
```
# Common flags for all local.dev hosts
Host *.cluster-name proxy.example.com
UserKnownHostsFile "/Users/tim/.tsh/known_hosts"
IdentityFile "/Users/tim/.tsh/keys/proxy.example.com/tim"
CertificateFile "/Users/tim/.tsh/keys/proxy.example.com/tim-ssh/cluster-name-cert.pub"
# Flags for all local.dev hosts except the proxy
Host *.cluster-name
Port 3022 !proxy.example.com
ProxyCommand "tsh" proxy ssh --cluster=cluster-name --proxy=proxy.example.com:443 %r@%h:%p
```
This allows connections to the Teleport SSH service without using tsh directly
via `ssh foo.cluster-name`. However, when migrating to Teleport, that requires
the user to alter their existing workflow to include the cluster-name suffix.
To remedy this, users can now augment their SSH config to utilize `Match exec`
instead of globbing on the cluster name suffix with the following:
```
Match exec "tsh resolve -q %h"
ProxyCommand "tsh" proxy ssh --cluster=cluster-name --proxy=proxy.example.com:443 %r@%h:%p
```
By default tsh resolve will output the matching host, if one was
found, but if the `-q` flag provided like in the example above
the output will be silenced. If no matches are found, or multiple
matches are found, `tsh resolve` will exit with a non-zero exit
code as per the `Match exec` requirements. If and only if a single
host is resolved will `tsh resolve` exit with a zero exit code.
There are performance concerns that need to be taken into account
before users adopt this in their SSH config. First, this may cause
`tsh resolve` to be invoked on any SSH request. For example, even
doing git pull/git push may now first require `tsh resolve` to
exit with a non-zero exit code before interact with the git remote.
Additionally, when `tsh resolve` finds a match, any connections to
the node will require _two_ connections to the cluster and _two_
ListUnifiedResourcesRequests to resolve the host since the
invocation of `tsh resolve` and `tsh proxy ssh` or `tbot proxy ssh`
do not share any resources. For the reasons mentioned above, the
SSH configuration generated by `tsh config` was not updated to
include this new command. If users want to opt into this behavior
they must acknowledge the latency concerns by manually editting
the config.
rosstimothy
force-pushed
the
bot/backport-47689-branch/v15
branch
from
dc6a5dc to
a6ee983
Compare
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport #47689 to branch/v15
changelog: Add a
resolvecommand to tsh that may be used as the target for a Match exec condition in an SSH config.