feat: Hardware Key Agent - Enrich the PEM encoded hardware private key file#53675
Merged
feat: Hardware Key Agent - Enrich the PEM encoded hardware private key file#53675
Conversation
Joerger
force-pushed
the
joerger/hardware-key-service-reduced
branch
from
4729e97 to
a986b49
Compare
Joerger
force-pushed
the
joerger/enrich-hardware-key-ref
branch
from
13b8a60 to
2e84db7
Compare
Joerger
added
the
no-changelog
Joerger
force-pushed
the
joerger/enrich-hardware-key-ref
branch
2 times, most recently
from
34b2917 to
53a74a9
Compare
Joerger
changed the title
Joerger
force-pushed
the
joerger/hardware-key-service-reduced
branch
from
6ce5204 to
5846f51
Compare
espadolini
reviewed
Apr 7, 2025
| // Sign performs a cryptographic signature using the specified hardware | ||
| // private key and provided signature parameters. | ||
| Sign(ctx context.Context, ref *PrivateKeyRef, rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) | ||
| // TODO(Joerger): DELETE IN v19.0.0 |
Contributor
There was a problem hiding this comment.
Are you sure we can delete the fallback in v19? What will be the fix for not having that data in v19?
Contributor
Author
There was a problem hiding this comment.
As long as the client login was with a v18+ tsh, it'll have the data. If they have a v17- login for some reason, they can just re-login.
Comment on lines
+105
to
+115
| // If the public key is missing, this is likely an old login key with only | ||
| // the serial number and slot. Fetch missing data from the hardware key. | ||
| // This data will be saved to the login key on next login | ||
| // TODO(Joerger): DELETE IN v19.0.0 | ||
| if ref.PublicKey == nil { | ||
| if err := s.GetMissingKeyRefDetails(ref); err != nil { | ||
| return nil, trace.Wrap(err) | ||
| } | ||
| } |
Contributor
There was a problem hiding this comment.
Why isn't this part of NewPrivateKey?
Contributor
Author
There was a problem hiding this comment.
This is part of #53674 ^
In the context of NewPrivateKey, we already have the full key ref, and it will get encoded into the key PEM file.
ref := &hardwarekey.PrivateKeyRef{
SerialNumber: ykPriv.serialNumber,
SlotKey: hardwarekey.PIVSlotKey(ykPriv.pivSlot.Key),
PublicKey: ykPriv.Public(),
Policy: hardwarekey.PromptPolicy{
TouchRequired: ykPriv.attestation.TouchPolicy != piv.TouchPolicyNever,
PINRequired: ykPriv.attestation.PINPolicy != piv.PINPolicyNever,
},
AttestationStatement: &hardwarekey.AttestationStatement{
AttestationStatement: &attestationv1.AttestationStatement_YubikeyAttestationStatement{
YubikeyAttestationStatement: &attestationv1.YubiKeyAttestationStatement{
SlotCert: ykPriv.slotCert.Raw,
AttestationCert: ykPriv.attestationCert.Raw,
},
},
},
}
Getting missing key ref info is only necessary when we are parsing an old login key (v17-) which did not encode the key ref info into the PEM file.
Contributor
There was a problem hiding this comment.
Could you document if it's ever legal to create a PrivateKeyRef or a PrivateKey without a public key, and thus if code using those can actually rely on the public key being there?
Contributor
There was a problem hiding this comment.
(my vote is that a valid PrivateKeyRef should have a public key and it's a bug to create one without the public key except to immediately call GetMissingKeyRefDetails)
Contributor
Author
There was a problem hiding this comment.
After e2054fc getting the keyRef is a bit more consistent with y.getKeyRef, so we could also validate it there.
Joerger
force-pushed
the
joerger/hardware-key-service-reduced
branch
5 times, most recently
from
ae0418b to
c19bf87
Compare
Joerger
force-pushed
the
joerger/enrich-hardware-key-ref
branch
2 times, most recently
from
2d0aa69 to
a8f2a54
Compare
Joerger
force-pushed
the
joerger/hardware-key-service-reduced
branch
from
c19bf87 to
4a82d3c
Compare
Joerger
force-pushed
the
joerger/enrich-hardware-key-ref
branch
from
a8f2a54 to
8ef5e57
Compare
Joerger
force-pushed
the
joerger/enrich-hardware-key-ref
branch
from
8ef5e57 to
5fff33f
Compare
espadolini
approved these changes
Apr 9, 2025
Comment on lines
+105
to
+115
| // If the public key is missing, this is likely an old login key with only | ||
| // the serial number and slot. Fetch missing data from the hardware key. | ||
| // This data will be saved to the login key on next login | ||
| // TODO(Joerger): DELETE IN v19.0.0 | ||
| if ref.PublicKey == nil { | ||
| if err := s.GetMissingKeyRefDetails(ref); err != nil { | ||
| return nil, trace.Wrap(err) | ||
| } | ||
| } |
Contributor
There was a problem hiding this comment.
Could you document if it's ever legal to create a PrivateKeyRef or a PrivateKey without a public key, and thus if code using those can actually rely on the public key being there?
Comment on lines
+105
to
+115
| // If the public key is missing, this is likely an old login key with only | ||
| // the serial number and slot. Fetch missing data from the hardware key. | ||
| // This data will be saved to the login key on next login | ||
| // TODO(Joerger): DELETE IN v19.0.0 | ||
| if ref.PublicKey == nil { | ||
| if err := s.GetMissingKeyRefDetails(ref); err != nil { | ||
| return nil, trace.Wrap(err) | ||
| } | ||
| } |
Contributor
There was a problem hiding this comment.
(my vote is that a valid PrivateKeyRef should have a public key and it's a bug to create one without the public key except to immediately call GetMissingKeyRefDetails)
Joerger
force-pushed
the
joerger/enrich-hardware-key-ref
branch
2 times, most recently
from
529e280 to
0e93eca
Compare
Joerger
force-pushed
the
joerger/enrich-hardware-key-ref
branch
from
0e93eca to
9a18f8f
Compare
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
Joerger
added a commit
that referenced
this pull request
Apr 21, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 21, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 24, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 25, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 25, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 25, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 25, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 25, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 28, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 28, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 28, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
Joerger
added a commit
that referenced
this pull request
Apr 28, 2025
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Apr 29, 2025
* feat: Hardware Key Agent - Add `api/utils/keys/hardwarekey` package (#53671) * Move hardware key files into new hardwarekey package. * Tidy up PIVSlot logic and remove its piv-go dependency. * Add godoc comments to cliPrompt methods; Update cliprompt.go license year. * Add godocs. * feat: Hardware Key Agent - Add `hardwarekey.Service` interface with adapted PIV implementation (#53674) * Add hardware key service interface; Add mock service for tests. * Add piv implementation of hardware key service. * Remove old yubikey parsing logic in favor of hardwarekey.PrivateKeyRef. * Remove HardwareSigner in favor of hardwarekey.PrivateKey. * Add test; Cleanup comment; Don't require pin/touch prompts in tests with MockHarwdareKeyService by default. * Fix tests. * Add TODOs. * Use unhashed digest for WarmupHardwareKey. * Address comments. * Fix race condition in test service. * Address comments. * feat: Hardware Key Agent - Add `api/harwdarekey/piv` package (#53677) * Remove YubiKeyPrivateKey * Remove keys package dependencies from PIV implementation. * Move PIV implementation into new piv package. * Move newPrivateKey into YubiKeyService.NewPrivateKey. * * Clean up separation of concerns between YubiKey and YubiKeyService * Replace hardwarekey.PrivateKey cache with YubiKey cache for proper support for multiple clusters or yubikeys * Add YubiKey version field for use in version specific signature edge cases * Change sharedPIVConnection connection from an embedded field. * Address comments. * Add getKeyRef helper method. * feat: Hardware Key Agent - Enrich the PEM encoded hardware private key file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * feat: Hardware Key Agent - set hardware key service in client store (#53563) * Replace prompt in keystore with hardware key service in client store. * Add client StoreConfig and StoreConfigOpt. * Add client store and key store tests. * Provide nil service for ProfileStatus's AppsForCluster and DatabasesForCluster methods. * Address comments. * Fix test. * Fix test with cmp.Diff. * feat: Hardware Key Agent - Propagate contextual key info from key store to hardware key prompts (#53703) * Propagate contextual key info from key store through to hardware key prompts. * Remove HardwareKeyPromptConstructor. * Cleanup; add tests. * feat: Hardware Key Agent - consolidate globally shared PIV service variables (#53974) * Consolidate process-wide shared prompt mutex and yubikey connections into a shared YubiKeyService, which will also share the prompt. * Fix interactive piv service tests. * Fix wording on comment. * Move RemoveProfile and ListProfileNames into ProfileStore. (#53781) * feat: Hardware Key PIN caching (#53976) * Add PinCachingPrompt. * Add PINCacheTimeout to auth preference proto message. * Report PIVPINCacheTimeout through ping; Store PIVPINCacheTimeout in profile. * Set PIV pin cache timeout for tsh and teleterm. * Add SetPrompt and GetPrompt to hardware key service interface. * Cleanup; Add test. * Address comments. * Rename to PINCacheTTL. * Apply suggestions. * Fix lint. * Simplify randPIN for test. * Use math/rand/v2. * Update terraform docs. * Revert pin caching change for connect to fix race condition. (#54140) * feat: Hardware Key Agent (#54026) * Add HardwareKeyAgent proto service. * Add hardware key agent client and server implementation. * Add tsh piv agent command. * Use hardware key agent service when available. * * Add config option to Teleport connect to start the hardware key agent server * Add flag to tsh daemon command to start the hardware key agent server * Fix hardware key agent client connection for Windows. * Add hardware key agent service; Add tests. * Minor cleanup. * Move hardware key agent proto to /api. * * Restructure packages based on dependencies. * Add hardware key agent test coverage for RSA, ECDSA, and ED25519 keys. * Add PIV test coverage for RSA keys. * Fix lint. * Fix lint; Fix test. * Address comments. * Address comments. * Fix merge conflict. * feat: Hardware Key Agent - require users to configure certificate (#54118) * * Hardware key agent checks whether a key is configured for Teleport clients before performing a signature. * Add detailed error message and docs for configuring PIV slot certificate. * Add additional checks for mismatched public key on PIV slot, which can occur when generating a new key on a PIV slot with an active login session. * Update api/utils/keys/piv/yubikey.go Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Apply suggestions from code review Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> * Remove MaxUint32 call to fix builds on 32-bit systems. (#54125) * feat: Hardware Key Agent - command hint (#54090) * Supply command for context on hardware key prompt. * * Include command in Teleport Connect hardware key prompts, excluding tshd commands * Fix proxy host context passed to Teleport connect hardware key prompts * Only use direct service for `tsh login` to avoid jumping between clients * Add new line before command. * Fix story. * Address comments. * Trim forward slash for windows. * Change proxy_host to proxy_hostname; Update comment. * feat: Hardware Key Agent w/ PIN caching - fix cross-cluster support (#54144) * Style hardware key prompt with command in Connect (#54258) * Style hardware key prompt with command in Connect. * Move `CliCommand.tsx` to `components` * Extend stories with a command * Use `CliCommand` component, improve spacing * Wrap command in the dialog * End sentences with a dot * Add a gap between `CliCommand` and errors in `OnlineDocumentGateway` --------- Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com> * feat: Hardware Key Agent - fix socket replacement on Windows (#54126) * Prevent windows from trying to reuse the addr and getting a bind error. * Replace unresponsive windows unix sockets. * Explicitly check for error message instead of os.Stat. * Move windowsBindErrMessage. * Add cross-platform ErrAddrInUse constant. * Move error constants to hardwarekey package. * feat: Hardware Key Agent - initialize hardware key service at start of `tsh daemon` (#54226) * * Initialize shared hardware key service and client store for tshd * Replace CustomHardwareKeyPrompt with SetPrompt * Add lazy loaded tshd event service client and use it to initialize hardware key prompt early. * Address comments; Set TshdEventsClient in daemon service. * Fix test. * Fix potential race condition on global yubikey service prompt. * Add test. * Require ClientStore in `client.Config` (#54227) * Invert config.EnableEscapeSequences into config.DisableEscapeSequences so that the default value (false) results in the desired default behavior. * * Replace MakeDefaultClientConfig with CheckAndSetDefaults * Require ClientStore to be provided in config * Remove CustomHardwareKeyPrompt from config * Set client store in tests that were missing it. * Ensure tsh only initializes client store once. * Client config uses its own client store. * Replace uses of KeysDir with ClientStore. * Remove unused home apth for vnet process. * Remove unnecessary profile re-load and helper function. * Replace sync.Once with atomic; add get/setClientStore. * Fix uncaught merge conflict. * Fix test; Add comment for why we initialize the client store atomically. * Return error when using MemKeyStore for tsh puttyconfig. * Fix merge conflict. * feat: PIV PIN Caching - add file config option (#54328) * Add pin_cache_ttl as file config option. * Add test. * Update lib/config/fileconf.go Co-authored-by: Bernard Kim <bernard@goteleport.com> --------- Co-authored-by: Bernard Kim <bernard@goteleport.com> * Restore namespace in client config. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com> Co-authored-by: Bernard Kim <bernard@goteleport.com>
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Apr 29, 2025
* feat: Hardware Key Agent - Add `api/utils/keys/hardwarekey` package (#53671) * Move hardware key files into new hardwarekey package. * Tidy up PIVSlot logic and remove its piv-go dependency. * Add godoc comments to cliPrompt methods; Update cliprompt.go license year. * Add godocs. * feat: Hardware Key Agent - Add `hardwarekey.Service` interface with adapted PIV implementation (#53674) * Add hardware key service interface; Add mock service for tests. * Add piv implementation of hardware key service. * Remove old yubikey parsing logic in favor of hardwarekey.PrivateKeyRef. * Remove HardwareSigner in favor of hardwarekey.PrivateKey. * Add test; Cleanup comment; Don't require pin/touch prompts in tests with MockHarwdareKeyService by default. * Fix tests. * Add TODOs. * Use unhashed digest for WarmupHardwareKey. * Address comments. * Fix race condition in test service. * Address comments. * feat: Hardware Key Agent - Add `api/harwdarekey/piv` package (#53677) * Remove YubiKeyPrivateKey * Remove keys package dependencies from PIV implementation. * Move PIV implementation into new piv package. * Move newPrivateKey into YubiKeyService.NewPrivateKey. * * Clean up separation of concerns between YubiKey and YubiKeyService * Replace hardwarekey.PrivateKey cache with YubiKey cache for proper support for multiple clusters or yubikeys * Add YubiKey version field for use in version specific signature edge cases * Change sharedPIVConnection connection from an embedded field. * Address comments. * Add getKeyRef helper method. * Rename NewSoftwarePrivateKey to NewPrivateKey (#53598) * feat: Hardware Key Agent - Enrich the PEM encoded hardware private key file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * feat: Hardware Key Agent - set hardware key service in client store (#53563) * Replace prompt in keystore with hardware key service in client store. * Add client StoreConfig and StoreConfigOpt. * Add client store and key store tests. * Provide nil service for ProfileStatus's AppsForCluster and DatabasesForCluster methods. * Address comments. * Fix test. * Fix test with cmp.Diff. * feat: Hardware Key Agent - Propagate contextual key info from key store to hardware key prompts (#53703) * Propagate contextual key info from key store through to hardware key prompts. * Remove HardwareKeyPromptConstructor. * Cleanup; add tests. * feat: Hardware Key Agent - consolidate globally shared PIV service variables (#53974) * Consolidate process-wide shared prompt mutex and yubikey connections into a shared YubiKeyService, which will also share the prompt. * Fix interactive piv service tests. * Fix wording on comment. * Move RemoveProfile and ListProfileNames into ProfileStore. (#53781) * feat: Hardware Key PIN caching (#53976) * Add PinCachingPrompt. * Add PINCacheTimeout to auth preference proto message. * Report PIVPINCacheTimeout through ping; Store PIVPINCacheTimeout in profile. * Set PIV pin cache timeout for tsh and teleterm. * Add SetPrompt and GetPrompt to hardware key service interface. * Cleanup; Add test. * Address comments. * Rename to PINCacheTTL. * Apply suggestions. * Fix lint. * Simplify randPIN for test. * Use math/rand/v2. * Update terraform docs. * Revert pin caching change for connect to fix race condition. (#54140) * feat: Hardware Key Agent (#54026) * Add HardwareKeyAgent proto service. * Add hardware key agent client and server implementation. * Add tsh piv agent command. * Use hardware key agent service when available. * * Add config option to Teleport connect to start the hardware key agent server * Add flag to tsh daemon command to start the hardware key agent server * Fix hardware key agent client connection for Windows. * Add hardware key agent service; Add tests. * Minor cleanup. * Move hardware key agent proto to /api. * * Restructure packages based on dependencies. * Add hardware key agent test coverage for RSA, ECDSA, and ED25519 keys. * Add PIV test coverage for RSA keys. * Fix lint. * Fix lint; Fix test. * Address comments. * Address comments. * Fix merge conflict. * feat: Hardware Key Agent - require users to configure certificate (#54118) * * Hardware key agent checks whether a key is configured for Teleport clients before performing a signature. * Add detailed error message and docs for configuring PIV slot certificate. * Add additional checks for mismatched public key on PIV slot, which can occur when generating a new key on a PIV slot with an active login session. * Update api/utils/keys/piv/yubikey.go Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Apply suggestions from code review Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> * Remove MaxUint32 call to fix builds on 32-bit systems. (#54125) * feat: Hardware Key Agent - command hint (#54090) * Supply command for context on hardware key prompt. * * Include command in Teleport Connect hardware key prompts, excluding tshd commands * Fix proxy host context passed to Teleport connect hardware key prompts * Only use direct service for `tsh login` to avoid jumping between clients * Add new line before command. * Fix story. * Address comments. * Trim forward slash for windows. * Change proxy_host to proxy_hostname; Update comment. * feat: Hardware Key Agent w/ PIN caching - fix cross-cluster support (#54144) * Style hardware key prompt with command in Connect (#54258) * Style hardware key prompt with command in Connect. * Move `CliCommand.tsx` to `components` * Extend stories with a command * Use `CliCommand` component, improve spacing * Wrap command in the dialog * End sentences with a dot * Add a gap between `CliCommand` and errors in `OnlineDocumentGateway` --------- Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com> * feat: Hardware Key Agent - fix socket replacement on Windows (#54126) * Prevent windows from trying to reuse the addr and getting a bind error. * Replace unresponsive windows unix sockets. * Explicitly check for error message instead of os.Stat. * Move windowsBindErrMessage. * Add cross-platform ErrAddrInUse constant. * Move error constants to hardwarekey package. * feat: Hardware Key Agent - initialize hardware key service at start of `tsh daemon` (#54226) * * Initialize shared hardware key service and client store for tshd * Replace CustomHardwareKeyPrompt with SetPrompt * Add lazy loaded tshd event service client and use it to initialize hardware key prompt early. * Address comments; Set TshdEventsClient in daemon service. * Fix test. * Fix potential race condition on global yubikey service prompt. * Add test. * Require ClientStore in `client.Config` (#54227) * Invert config.EnableEscapeSequences into config.DisableEscapeSequences so that the default value (false) results in the desired default behavior. * * Replace MakeDefaultClientConfig with CheckAndSetDefaults * Require ClientStore to be provided in config * Remove CustomHardwareKeyPrompt from config * Set client store in tests that were missing it. * Ensure tsh only initializes client store once. * Client config uses its own client store. * Replace uses of KeysDir with ClientStore. * Remove unused home apth for vnet process. * Remove unnecessary profile re-load and helper function. * Replace sync.Once with atomic; add get/setClientStore. * Fix uncaught merge conflict. * Fix test; Add comment for why we initialize the client store atomically. * Return error when using MemKeyStore for tsh puttyconfig. * Fix merge conflict. * feat: PIV PIN Caching - add file config option (#54328) * Add pin_cache_ttl as file config option. * Add test. * Update lib/config/fileconf.go Co-authored-by: Bernard Kim <bernard@goteleport.com> --------- Co-authored-by: Bernard Kim <bernard@goteleport.com> * Restore namespace in client config. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com> Co-authored-by: Bernard Kim <bernard@goteleport.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of RFD 199
Enrich the PEM encoded hardware private key file, with fallback logic for old, non-enriched private key files.
This makes it so we only need to attest the key during login. This shaves off ~500ms from all non-login commands. It's also necessary when the client is using a hardware key agent to avoid falling back to the direct PIV implementation.
Depends on #53674