Fix tbot SSH with non-multiplexed configuration

lib/tbot/service_identity_output.go

@@ -255,11 +255,10 @@ func renderSSHConfig(
 	)
 	defer span.End()
 
-	proxyAddr, err := proxyPing.proxyWebAddr()
+	proxyAddr, err := proxyPing.proxySSHAddr()
 	if err != nil {
-		return trace.Wrap(err, "determining proxy web addr")
+		return trace.Wrap(err, "determining proxy ssh addr")
 	}
-
 	proxyHost, proxyPort, err := utils.SplitHostPort(proxyAddr)
 	if err != nil {
 		return trace.BadParameter(

lib/tbot/service_identity_output_test.go

@@ -42,7 +42,8 @@ import (
 
 const (
 	// mockProxyAddr is the address of the mock proxy server, used in tests
-	mockProxyAddr = "tele.blackmesa.gov:443"
+	mockProxyAddr    = "tele.blackmesa.gov:443"
+	mockProxySSHAddr = "tele.blackmesa.gov:3023"
 	// mockRemoteClusterName is the remote cluster name used for the mock auth
 	// client
 	mockRemoteClusterName = "tele.aperture.labs"
@@ -163,7 +164,8 @@ func Test_renderSSHConfig(t *testing.T) {
 						Proxy: webclient.ProxySettings{
 							TLSRoutingEnabled: tc.TLSRouting,
 							SSH: webclient.SSHProxySettings{
-								PublicAddr: mockProxyAddr,
+								PublicAddr:    mockProxyAddr,
+								SSHPublicAddr: mockProxySSHAddr,
 							},
 						},
 					},

lib/tbot/service_ssh_multiplexer.go

@@ -273,13 +273,16 @@ func (s *SSHMultiplexerService) setup(ctx context.Context) (
 	if err != nil {
 		return nil, nil, "", nil, trace.Wrap(err)
 	}
-	proxyAddr, err := proxyPing.proxyWebAddr()
+	proxyAddr, err := proxyPing.proxySSHAddr()
 	if err != nil {
-		return nil, nil, "", nil, trace.Wrap(err, "determining proxy web addr")
+		return nil, nil, "", nil, trace.Wrap(err, "determining proxy ssh addr")
 	}
-	proxyHost, _, err = net.SplitHostPort(proxyAddr)
+	proxyHost, _, err = utils.SplitHostPort(proxyAddr)
 	if err != nil {
-		return nil, nil, "", nil, trace.Wrap(err)
+		return nil, nil, "", nil, trace.BadParameter(
+			"proxy %+v has no usable public address: %v",
+			proxyAddr, err,
+		)
 	}
 
 	connUpgradeRequired := false

lib/tbot/tbot.go

@@ -23,6 +23,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"net"
 	"os"
 	"sync"
 	"time"
@@ -892,6 +893,27 @@ func (p *proxyPingResponse) proxyWebAddr() (string, error) {
 	return p.Proxy.SSH.PublicAddr, nil
 }
 
+// proxySSHAddr returns the address to use to connect to the proxy SSH service.
+// Includes potential override via TBOT_USE_PROXY_ADDR.
+func (p *proxyPingResponse) proxySSHAddr() (string, error) {
+	if p.Proxy.TLSRoutingEnabled && shouldUseProxyAddr() {
+		// If using TLS routing, we should use the manually overriden address
+		// for the proxy web port.
+		if p.configuredProxyAddr == "" {
+			return "", trace.BadParameter("TBOT_USE_PROXY_ADDR set but no explicit proxy address configured")
+		}
+		return p.configuredProxyAddr, nil
+	}
+	// SSHProxyHostPort returns the host and port to use to connect to the
+	// proxy's SSH service. If TLS routing is enabled, this will return the
+	// proxy's web address, if not, the proxy SSH listener.
+	host, port, err := p.Proxy.SSHProxyHostPort()
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+	return net.JoinHostPort(host, port), nil
+}
+
 type alpnProxyConnUpgradeRequiredCache struct {
 	botCfg *config.BotConfig
 	log    *slog.Logger

lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/local_cluster_ssh_config.golden

@@ -1,6 +1,6 @@
-# Cluster-specific ssh_config generated by tbot for cluster 'tele.blackmesa.gov' via proxy 'tele.blackmesa.gov:443'
+# Cluster-specific ssh_config generated by tbot for cluster 'tele.blackmesa.gov' via proxy 'tele.blackmesa.gov:3023'
 UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts"
 IdentityFile "/test/dir/key"
 CertificateFile "/test/dir/key-cert.pub"
 Port 3022
-ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p
+ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:3023' --cluster='tele.blackmesa.gov' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p

lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/remote_cluster_ssh_config.golden

@@ -1,6 +1,6 @@
-# Cluster-specific ssh_config generated by tbot for cluster 'tele.aperture.labs' via proxy 'tele.blackmesa.gov:443'
+# Cluster-specific ssh_config generated by tbot for cluster 'tele.aperture.labs' via proxy 'tele.blackmesa.gov:3023'
 UserKnownHostsFile "/test/dir/tele.aperture.labs.known_hosts"
 IdentityFile "/test/dir/key"
 CertificateFile "/test/dir/key-cert.pub"
 Port 3022
-ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.aperture.labs' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p
+ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:3023' --cluster='tele.aperture.labs' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p

lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_alpn_upgrade/ssh_config.golden

@@ -9,7 +9,7 @@ Host *.tele.blackmesa.gov tele.blackmesa.gov
 # Flags for all tele.blackmesa.gov hosts except the proxy
 Host *.tele.blackmesa.gov !tele.blackmesa.gov
     Port 3022
-    ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p
+    ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:3023' --cluster='tele.blackmesa.gov' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p
 # Common flags for all tele.aperture.labs hosts
 Host *.tele.aperture.labs tele.blackmesa.gov
     UserKnownHostsFile "/test/dir/known_hosts"
@@ -19,6 +19,6 @@ Host *.tele.aperture.labs tele.blackmesa.gov
 # Flags for all tele.aperture.labs hosts except the proxy
 Host *.tele.aperture.labs !tele.blackmesa.gov
     Port 3022
-    ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.aperture.labs' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p
+    ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:3023' --cluster='tele.aperture.labs' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p
 
 # End generated Teleport configuration

lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/local_cluster_ssh_config.golden

@@ -1,6 +1,6 @@
-# Cluster-specific ssh_config generated by tbot for cluster 'tele.blackmesa.gov' via proxy 'tele.blackmesa.gov:443'
+# Cluster-specific ssh_config generated by tbot for cluster 'tele.blackmesa.gov' via proxy 'tele.blackmesa.gov:3023'
 UserKnownHostsFile "/test/dir/tele.blackmesa.gov.known_hosts"
 IdentityFile "/test/dir/key"
 CertificateFile "/test/dir/key-cert.pub"
 Port 3022
-ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.blackmesa.gov' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p
+ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:3023' --cluster='tele.blackmesa.gov' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p

lib/tbot/testdata/Test_renderSSHConfig/no_tls_routing,_no_alpn_upgrade/remote_cluster_ssh_config.golden

@@ -1,6 +1,6 @@
-# Cluster-specific ssh_config generated by tbot for cluster 'tele.aperture.labs' via proxy 'tele.blackmesa.gov:443'
+# Cluster-specific ssh_config generated by tbot for cluster 'tele.aperture.labs' via proxy 'tele.blackmesa.gov:3023'
 UserKnownHostsFile "/test/dir/tele.aperture.labs.known_hosts"
 IdentityFile "/test/dir/key"
 CertificateFile "/test/dir/key-cert.pub"
 Port 3022
-ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:443' --cluster='tele.aperture.labs' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p
+ProxyCommand '/path/to/tbot' ssh-proxy-command --destination-dir='/test/dir' --proxy-server='tele.blackmesa.gov:3023' --cluster='tele.aperture.labs' --no-tls-routing --no-connection-upgrade --resume --user=%r --host=%h --port=%p