Force-pushed from 5ca1e51 to cce5716
Force-pushed from 2779014 to ef388bd
Prevents any invalid and malicious hostnames by replacing them with known valid data already associated with the host. This was chosen instead of rejecting, to persist the server resource in an attempt to continue providing access to the host in order to remedy the invalid hostname. Any servers that represent a Teleport ssh_service with an invalid hostname will be replaced by the host UUID. Any static OpenSSH servers will have invalid hostnames replaced with the address. This will continue to allow the hosts to be dialable. In order to make these hosts discoverable, the invalid hostname will be set in the "teleport.internal/invalid-hostname" label. Updates gravitational/teleport-private#1676.
Force-pushed from ef388bd to 67f06d4
| return trace.Wrap(err) | ||
| } | ||
| host = id.String() |
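Review bot: the fallback to host = id.String() has no visible log line, so the server's name changes silently from an operator's point of view; where the replacement happens, log at warn level with the original hostname and the host UUID, so the rename shows up in the auth server logs and not only in the teleport.internal/invalid-hostname label.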
Should we prefix these hostnames with something to better identify them as invalid? Do we want these hosts to appear at the top of the list in the UI so that they are more discoverable?
| return false, nil | ||
| } | ||
| if _, err := a.Services.UpsertNode(a.closeCtx, srv); err != nil { |
This will resurrect a manually deleted openssh node if it happens at the wrong time; seeing as this is intended to only happen once per host, couldn't we use a conditional update?
Updated to use the new PresenceInternal.UpdateNode in f6c9997.
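The resurrection race raised in this thread, as an added example (not Teleport's code and not the PresenceInternal.UpdateNode implementation): a hypothetical in-memory store with an unconditional UpsertNode and a revision-checked UpdateNode, and a replay of the sequence read, rename, concurrent delete, write back. The Node type, the Revision field and the store are assumptions made for the illustration; the compare-and-swap on the revision is what keeps a manually deleted node from coming back.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Node is a hypothetical, minimal stand-in for a stored SSH server resource.
// Revision models the opaque revision a backend assigns on every write.
type Node struct {
	Name     string
	Hostname string
	Revision int64
}

var (
	ErrNotFound      = errors.New("node not found")
	ErrCompareFailed = errors.New("revision mismatch: node was modified or deleted")
)

// Store is an in-memory backend with the two write paths discussed in the
// review: an unconditional upsert and a revision-checked update.
type Store struct {
	mu    sync.Mutex
	nodes map[string]Node
	next  int64
}

func NewStore() *Store { return &Store{nodes: map[string]Node{}} }

func (s *Store) GetNode(name string) (Node, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	n, ok := s.nodes[name]
	if !ok {
		return Node{}, ErrNotFound
	}
	return n, nil
}

func (s *Store) DeleteNode(name string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.nodes, name)
}

// UpsertNode writes unconditionally, so it recreates a node that was deleted
// after the caller read it.
func (s *Store) UpsertNode(n Node) Node {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.next++
	n.Revision = s.next
	s.nodes[n.Name] = n
	return n
}

// UpdateNode is the conditional write: it succeeds only if the stored node
// still exists and still carries the revision the caller read.
func (s *Store) UpdateNode(n Node) (Node, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	cur, ok := s.nodes[n.Name]
	if !ok || cur.Revision != n.Revision {
		return Node{}, ErrCompareFailed
	}
	s.next++
	n.Revision = s.next
	s.nodes[n.Name] = n
	return n, nil
}

// RenameAfterDelete replays the race from the review thread: the node is
// read, a rename is computed on the copy, an operator deletes the node, then
// the rename is written back. It reports whether the node exists afterwards
// (resurrected) and the error returned by the write.
func RenameAfterDelete(conditional bool) (resurrected bool, err error) {
	s := NewStore()
	s.UpsertNode(Node{Name: "srv1", Hostname: "bad host"}) // constructed sample node

	n, _ := s.GetNode("srv1")
	n.Hostname = "d3b07384-d9a0-4c1e-9f1a-0b5d6e7f8a9b" // sanitized replacement (sample UUID)

	s.DeleteNode("srv1") // concurrent manual deletion between read and write

	if conditional {
		_, err = s.UpdateNode(n)
	} else {
		s.UpsertNode(n)
	}
	_, getErr := s.GetNode("srv1")
	return getErr == nil, err
}

func main() {
	r, err := RenameAfterDelete(false)
	fmt.Println("upsert: resurrected =", r, "err =", err)
	r, err = RenameAfterDelete(true)
	fmt.Println("conditional update: resurrected =", r, "err =", err)
}
```

With the unconditional path the deleted node is back in the store after the write; with the conditional path the write fails with ErrCompareFailed and the deletion stands, which is the behaviour the reviewer asked for.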
@rosstimothy See the table below for backport results.
For anyone reading this in future, this also affects hostnames overridden using the

```yaml
teleport:
  nodename: invalid_hostname
```

Users upgrading to v17 who previously had hostnames that did not match the approved pattern will now see the machine's actual hostname, rather than the now-invalid one set in the config file. This can be validated using
Changelog: Enforce stricter requirements for SSH hostnames. Hostnames will only be allowed if they are less than 257 characters and consist of only alphanumeric characters and the symbols '.' and '-'. Any hostname that violates the new restrictions will be changed, and the original hostname will be moved to the `teleport.internal/invalid-hostname` label for discoverability. Any Teleport agents with an invalid hostname will be replaced with the host UUID. Any Agentless OpenSSH Servers with an invalid hostname will be replaced with the host of the address, if it is valid, or a randomly generated identifier. Any hosts with invalid hostnames should be updated to comply with the new requirements to avoid Teleport renaming them.
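The validation and rename rule stated in the PR description and the changelog above, as an added example that is not Teleport's code: the hostname pattern (at most 256 characters, alphanumerics plus '.' and '-'), the host UUID fallback for agents, the host-of-address or random-identifier fallback for agentless OpenSSH servers, and the move of the original value into the teleport.internal/invalid-hostname label. The Server type, its fields and the SanitizeHostname function are assumptions made for the illustration; the sample hostnames and UUID are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net"
	"regexp"
)

// InvalidHostnameLabel is the label named in the PR that receives the
// original, rejected hostname so the host stays discoverable.
const InvalidHostnameLabel = "teleport.internal/invalid-hostname"

// maxHostnameLen encodes "less than 257 characters".
const maxHostnameLen = 256

// validHostnameRe encodes "alphanumeric characters and the symbols '.' and '-'".
var validHostnameRe = regexp.MustCompile(`^[A-Za-z0-9.-]+$`)

// ValidHostname reports whether h satisfies the stricter rule. The byte
// length check is exact because every permitted character is single-byte ASCII.
func ValidHostname(h string) bool {
	return h != "" && len(h) <= maxHostnameLen && validHostnameRe.MatchString(h)
}

// Server is a hypothetical, minimal stand-in for the stored SSH server resource.
type Server struct {
	Hostname string
	HostID   string // host UUID of a Teleport ssh_service agent
	Addr     string // host:port of an agentless OpenSSH server
	OpenSSH  bool   // true for static/agentless OpenSSH servers
	Labels   map[string]string
}

// SanitizeHostname applies the rename rule from the changelog: an invalid
// hostname is replaced (host UUID for agents; host part of the address for
// OpenSSH servers when that is itself valid, otherwise a random identifier)
// and the original value is preserved in InvalidHostnameLabel.
// It returns true when a rename happened.
func SanitizeHostname(s *Server) (bool, error) {
	if ValidHostname(s.Hostname) {
		return false, nil
	}
	original := s.Hostname
	switch {
	case !s.OpenSSH:
		if !ValidHostname(s.HostID) {
			return false, fmt.Errorf("host id %q is not a usable fallback", s.HostID)
		}
		s.Hostname = s.HostID
	default:
		host, _, err := net.SplitHostPort(s.Addr)
		if err == nil && ValidHostname(host) {
			s.Hostname = host
		} else {
			// IPv6 literals and unparsable addresses are not valid hostnames,
			// so fall through to a random identifier.
			id, err := randomID()
			if err != nil {
				return false, err
			}
			s.Hostname = id
		}
	}
	if s.Labels == nil {
		s.Labels = make(map[string]string)
	}
	s.Labels[InvalidHostnameLabel] = original
	return true, nil
}

// randomID returns 16 random bytes hex-encoded, which is itself a valid hostname.
func randomID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	// Constructed sample: a hostname carrying shell metacharacters on an agent.
	agent := &Server{Hostname: "web 01;touch /tmp/x", HostID: "d3b07384-d9a0-4c1e-9f1a-0b5d6e7f8a9b"}
	renamed, err := SanitizeHostname(agent)
	fmt.Println(renamed, err, agent.Hostname, agent.Labels[InvalidHostnameLabel])
}
```

The order of checks matters for the length rule: because the regex only admits ASCII, a string that passes it has one byte per character, so len() counts characters and a 256-byte name is accepted while a 257-byte one is not.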