[vnet] feat: forward SSH connections to target

lib/client/cluster_client.go

@@ -282,28 +282,66 @@ func (c *ClusterClient) SessionSSHConfig(ctx context.Context, user string, targe
 		return sshConfig, nil
 	}
 
-	keyRing, err := c.tc.localAgent.GetKeyRing(target.Cluster, WithAllCerts...)
+	newKeyRing, completedMFA, err := c.SessionSSHKeyRing(ctx, user, target)
 	if err != nil {
-		return nil, trace.Wrap(MFARequiredUnknown(err))
+		return nil, trace.Wrap(err)
+	}
+	if !completedMFA {
+		// The caller relies on this function returning an error if
+		// target.MFACheck is nil and session MFA was not actually required.
+		return nil, trace.Wrap(services.ErrSessionMFANotRequired)
+	}
+
+	am, err := newKeyRing.AsAuthMethod()
+	if err != nil {
+		return nil, trace.Wrap(ceremonyFailedErr{err})
+	}
+
+	sshConfig.Auth = []ssh.AuthMethod{am}
+	return sshConfig, nil
+}
+
+// SessionSSHKeyRing returns a KeyRing valid for an SSH session to the target.
+// If per session MFA is required to establish the connection, then the MFA
+// ceremony will be performed. If per session MFA is not required, the user's
+// base KeyRing for the cluster will be returned.
+func (c *ClusterClient) SessionSSHKeyRing(ctx context.Context, user string, target NodeDetails) (keyRing *KeyRing, completedMFA bool, err error) {
+	ctx, span := c.Tracer.Start(
+		ctx,
+		"clusterClient/SessionSSHKeyRing",
+		oteltrace.WithSpanKind(oteltrace.SpanKindClient),
+		oteltrace.WithAttributes(
+			attribute.String("cluster", c.tc.SiteName),
+		),
+	)
+	defer span.End()
+
+	baseKeyRing, err := c.tc.localAgent.GetKeyRing(target.Cluster, WithSSHCerts{})
+	if err != nil {
+		return nil, false, trace.Wrap(MFARequiredUnknown(err))
+	}
+
+	if target.MFACheck != nil && !target.MFACheck.Required {
+		return baseKeyRing, false, nil
 	}
 
 	// Always connect to root for getting new credentials, but attempt to reuse
 	// the existing client if possible.
-	rootClusterName, err := keyRing.RootClusterName()
+	rootClusterName, err := baseKeyRing.RootClusterName()
 	if err != nil {
-		return nil, trace.Wrap(MFARequiredUnknown(err))
+		return nil, false, trace.Wrap(MFARequiredUnknown(err))
 	}
 
 	mfaClt := c
 	if target.Cluster != rootClusterName {
 		cfg, err := c.ProxyClient.ClientConfig(ctx, rootClusterName)
 		if err != nil {
-			return nil, trace.Wrap(err)
+			return nil, false, trace.Wrap(err)
 		}
 
 		authClient, err := authclient.NewClient(cfg)
 		if err != nil {
-			return nil, trace.Wrap(MFARequiredUnknown(err))
+			return nil, false, trace.Wrap(MFARequiredUnknown(err))
 		}
 
 		mfaClt = &ClusterClient{
@@ -326,20 +364,19 @@ func (c *ClusterClient) SessionSSHConfig(ctx context.Context, user string, targe
 			RouteToCluster: target.Cluster,
 			MFACheck:       target.MFACheck,
 		},
-		keyRing,
+		baseKeyRing.Copy(),
 	)
 	if err != nil {
-		return nil, trace.Wrap(err)
+		if errors.Is(err, services.ErrSessionMFANotRequired) {
+			log.DebugContext(ctx, "Session MFA was not required, returning original KeyRing")
+			return baseKeyRing, false, nil
+		}
+		log.DebugContext(ctx, "Error performing session MFA ceremony", "error", err)
+		return nil, false, trace.Wrap(err)
 	}
 
 	log.DebugContext(ctx, "Issued single-use user certificate after an MFA check")
-	am, err := result.KeyRing.AsAuthMethod()
-	if err != nil {
-		return nil, trace.Wrap(ceremonyFailedErr{err})
-	}
-
-	sshConfig.Auth = []ssh.AuthMethod{am}
-	return sshConfig, nil
+	return result.KeyRing, true, nil
 }
 
 // prepareUserCertsRequest creates a [proto.UserCertsRequest] with the fields