[v16] Hardware Key Agent w/ PIN caching#54298
Merged
Joerger merged 21 commits intobranch/v16from Apr 29, 2025
Merged
Conversation
Contributor
|
Amplify deployment status
|
Joerger
force-pushed
the
joerger/v16/hardware-key-agent-backport
branch
from
749c1fe to
3e192e4
Compare
Joerger
force-pushed
the
joerger/v16/hardware-key-agent-backport
branch
from
3e192e4 to
23dbbd8
Compare
Joerger
commented
Apr 25, 2025
| @@ -63,20 +65,15 @@ export function AskPin(props: { | |||
|
|
|||
| <DialogContent mb={4}> | |||
| <Flex flexDirection="column" gap={4} alignItems="flex-start"> | |||
Contributor
Author
There was a problem hiding this comment.
@gzdunek @ravicious I had to use Flex instead of Stack for this v16 backport since #52003 wasn't backported. I tested it and it looks fine to me, but please let me know if it needs adjustments.
Contributor
There was a problem hiding this comment.
I'd replace gap={4} with gap={1} in AskPin.tsx and Touch.tsx to match styling on master.
We also need to wrap some elements in OnlineDocumentGateway in Flex, the same way it was done in f8bc47b. Otherwise, there won't be a gap between the CliCommand and errors.
Contributor
Author
There was a problem hiding this comment.
We also need to wrap some elements in OnlineDocumentGateway in Flex, the same way it was done in f8bc47b.
Sorry, I'm not following the suggestion. Which elements do I need to add in the Flex?
Contributor
There was a problem hiding this comment.
I meant wrapping the form, CliCommand and errors. I pushed the fix in 9bf9bdb.
I also decreased the gap size in AskPin.tsx and Touch.tsx.
Member
There was a problem hiding this comment.
I know that at this point it's too late, but I have a v16 backport for Stack in #52227. Bartosz asked me about it one time and then he didn't need it anymore, hence why it's a draft.
Contributor
Author
There was a problem hiding this comment.
If we can get it merged by tomorrow I can rebase it into this PR before I open it, but yeah probably too late
Member
There was a problem hiding this comment.
Nah, don't worry about it since you've already rewrote it to use Flex.
…53671) * Move hardware key files into new hardwarekey package. * Tidy up PIVSlot logic and remove its piv-go dependency. * Add godoc comments to cliPrompt methods; Update cliprompt.go license year. * Add godocs.
…dapted PIV implementation (#53674) * Add hardware key service interface; Add mock service for tests. * Add piv implementation of hardware key service. * Remove old yubikey parsing logic in favor of hardwarekey.PrivateKeyRef. * Remove HardwareSigner in favor of hardwarekey.PrivateKey. * Add test; Cleanup comment; Don't require pin/touch prompts in tests with MockHarwdareKeyService by default. * Fix tests. * Add TODOs. * Use unhashed digest for WarmupHardwareKey. * Address comments. * Fix race condition in test service. * Address comments.
* Remove YubiKeyPrivateKey * Remove keys package dependencies from PIV implementation. * Move PIV implementation into new piv package. * Move newPrivateKey into YubiKeyService.NewPrivateKey. * * Clean up separation of concerns between YubiKey and YubiKeyService * Replace hardwarekey.PrivateKey cache with YubiKey cache for proper support for multiple clusters or yubikeys * Add YubiKey version field for use in version specific signature edge cases * Change sharedPIVConnection connection from an embedded field. * Address comments. * Add getKeyRef helper method.
…y file (#53675) * Enrich hardware key PEM file. * Add test. * Validate PrivateKeyRef before/after encode/decode. * Update api/utils/keys/hardwarekey/hardwarekey.go Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com> * Validate key ref in hardware key service implementations; Fix merge conflict. --------- Co-authored-by: STeve (Xin) Huang <xin.huang@goteleport.com>
…53563) * Replace prompt in keystore with hardware key service in client store. * Add client StoreConfig and StoreConfigOpt. * Add client store and key store tests. * Provide nil service for ProfileStatus's AppsForCluster and DatabasesForCluster methods. * Address comments. * Fix test. * Fix test with cmp.Diff.
…re to hardware key prompts (#53703) * Propagate contextual key info from key store through to hardware key prompts. * Remove HardwareKeyPromptConstructor. * Cleanup; add tests.
…riables (#53974) * Consolidate process-wide shared prompt mutex and yubikey connections into a shared YubiKeyService, which will also share the prompt. * Fix interactive piv service tests. * Fix wording on comment.
* Add PinCachingPrompt. * Add PINCacheTimeout to auth preference proto message. * Report PIVPINCacheTimeout through ping; Store PIVPINCacheTimeout in profile. * Set PIV pin cache timeout for tsh and teleterm. * Add SetPrompt and GetPrompt to hardware key service interface. * Cleanup; Add test. * Address comments. * Rename to PINCacheTTL. * Apply suggestions. * Fix lint. * Simplify randPIN for test. * Use math/rand/v2. * Update terraform docs.
* Add HardwareKeyAgent proto service. * Add hardware key agent client and server implementation. * Add tsh piv agent command. * Use hardware key agent service when available. * * Add config option to Teleport connect to start the hardware key agent server * Add flag to tsh daemon command to start the hardware key agent server * Fix hardware key agent client connection for Windows. * Add hardware key agent service; Add tests. * Minor cleanup. * Move hardware key agent proto to /api. * * Restructure packages based on dependencies. * Add hardware key agent test coverage for RSA, ECDSA, and ED25519 keys. * Add PIV test coverage for RSA keys. * Fix lint. * Fix lint; Fix test. * Address comments. * Address comments. * Fix merge conflict.
…4118) * * Hardware key agent checks whether a key is configured for Teleport clients before performing a signature. * Add detailed error message and docs for configuring PIV slot certificate. * Add additional checks for mismatched public key on PIV slot, which can occur when generating a new key on a PIV slot with an active login session. * Update api/utils/keys/piv/yubikey.go Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> * Apply suggestions from code review Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com> --------- Co-authored-by: Zac Bergquist <zac.bergquist@goteleport.com> Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Supply command for context on hardware key prompt. * * Include command in Teleport Connect hardware key prompts, excluding tshd commands * Fix proxy host context passed to Teleport connect hardware key prompts * Only use direct service for `tsh login` to avoid jumping between clients * Add new line before command. * Fix story. * Address comments. * Trim forward slash for windows. * Change proxy_host to proxy_hostname; Update comment.
* Style hardware key prompt with command in Connect. * Move `CliCommand.tsx` to `components` * Extend stories with a command * Use `CliCommand` component, improve spacing * Wrap command in the dialog * End sentences with a dot * Add a gap between `CliCommand` and errors in `OnlineDocumentGateway` --------- Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
* Prevent windows from trying to reuse the addr and getting a bind error. * Replace unresponsive windows unix sockets. * Explicitly check for error message instead of os.Stat. * Move windowsBindErrMessage. * Add cross-platform ErrAddrInUse constant. * Move error constants to hardwarekey package.
…f `tsh daemon` (#54226) * * Initialize shared hardware key service and client store for tshd * Replace CustomHardwareKeyPrompt with SetPrompt * Add lazy loaded tshd event service client and use it to initialize hardware key prompt early. * Address comments; Set TshdEventsClient in daemon service. * Fix test. * Fix potential race condition on global yubikey service prompt. * Add test.
Joerger
force-pushed
the
joerger/v16/hardware-key-agent-backport
branch
from
682b758 to
5549e2e
Compare
* Invert config.EnableEscapeSequences into config.DisableEscapeSequences so that the default value (false) results in the desired default behavior. * * Replace MakeDefaultClientConfig with CheckAndSetDefaults * Require ClientStore to be provided in config * Remove CustomHardwareKeyPrompt from config * Set client store in tests that were missing it. * Ensure tsh only initializes client store once. * Client config uses its own client store. * Replace uses of KeysDir with ClientStore. * Remove unused home apth for vnet process. * Remove unnecessary profile re-load and helper function. * Replace sync.Once with atomic; add get/setClientStore. * Fix uncaught merge conflict. * Fix test; Add comment for why we initialize the client store atomically. * Return error when using MemKeyStore for tsh puttyconfig. * Fix merge conflict.
* Add pin_cache_ttl as file config option. * Add test. * Update lib/config/fileconf.go Co-authored-by: Bernard Kim <bernard@goteleport.com> --------- Co-authored-by: Bernard Kim <bernard@goteleport.com>
Joerger
force-pushed
the
joerger/v16/hardware-key-agent-backport
branch
from
5549e2e to
62d6225
Compare
github-actions
Bot
added
backport
documentation
size/xl
tctl
|
@Joerger - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes. |
rosstimothy
approved these changes
Apr 29, 2025
hugoShaka
approved these changes
Apr 29, 2025
public-teleport-github-review-bot
Bot
removed the request for review
from EdwardDowling
Contributor
Author
|
@rosstimothy Can this get a flaky test skip? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changelog: Add a Hardware Key Agent to Teleport Connect along with other significant UX improvements for Hardware Key support. With the agent enabled, Teleport Connect will handle prompts on behalf of other Teleport Clients (tsh, tctl), with an additional option to cache the PIN between client calls (New cluster option:cap.hardware_key.pin_cache_ttl).
Backports the following PRs from the Hardware Key Agent w/ PIN caching tracker issue.
api/utils/keys/hardwarekeypackage #53671hardwarekey.Serviceinterface with adapted PIV implementation #53674api/harwdarekey/pivpackage #53677DeleteProfiletoclient.ProfileStore#53781tsh daemon#54226client.Config#54227I left out follow ups and tangentially related PRs which have no impact on the feature to reduce noise.
Note that I also left out #53598 which was backported to v17 since #45995 was not backported to v16.