[v17] Bound Keypair Backport - Part 2#57961
Merged: timothyb89 merged 7 commits into branch/v17 on Aug 28, 2025
timothyb89 commented Aug 16, 2025
Comment on lines +109 to +110
| case BoundKeypairCA: | ||
| return 17 |
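Review bot: `return 17` for `BoundKeypairCA` is a branch-specific literal (the author's comment says the same case returns 18 on branch/v18), so an inline comment at this line recording why the value differs per branch would keep a future backport from silently carrying the wrong CA ordinal across.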
This constant is 18 for branch/v18, and adjusted to 17 for this branch. See discussion for context: https://gravitational.slack.com/archives/C0DF0TPMY/p1755281229605639
Base automatically changed from timothyb89/v17/bound-keypair-minimal-impl to branch/v17 on August 16, 2025 01:31
* MWI: Bound Keypair Joining - Minimal Client Implementation

  This contains a minimal client-side implementation of bound keypair joining for `tbot`. This first iteration supports only preregistered keys, and so adds a new `tbot keypair create` subcommand that generates a keypair and prints a public key that can be copied into a token. In an effort to still take advantage of tbot's secure filesystem abstraction and to not permanently tie the new join method to it, this includes a minimal filesystem wrapper to adapt tbot's destinations to a generic file read/write interface.

* Rebase join client to handle interactive rotation messages

  This updates the client implementation to handle the revised challenge handler signature. Rotation still isn't implemented (see TODOs), but the message handler now explicitly accounts for rotation-type requests from the server.

* Fix breakage after upstream changes, idempotent key generation

  The `keypair generate` command is now idempotent and will not generate a new keypair if one already exists in the specified destination. Also, added a `--format=json` flag to print the key as machine-readable JSON.

* Remove unnecessary whitespace
* Small TODO and doc comment updates
* Fix lints
* Mark `keypair create` as a hidden command for now

  This hides it from `tbot help` so we can opt to tweak the CLI contract before fully releasing the feature. It will be unhidden in the near future.

* Fix typo
* MWI: Add new JWT CA for signing bound keypair documents

  This adds a new JWT CA for signing JWT documents related to bound keypair joining, particularly client state documents that clients are expected to present back to auth when rejoining.

* Fix issues from code review

  Removes `bound_keypair` from the list of exportable CAs in tctl, and switches the `legacy` suite algorithm to ECDSAP256 due to HSM compatibility requirements.

* Add note about FIPS/HSM compatibility for CA suites
* MWI: Issue and verify join state documents

  This adds join state document issuance and verification to the bound keypair joining process. This is described in more detail in the [RFD], but in short, this adds a mechanism similar to the generation counter to verify bound keypair recovery events. Each time a recovery is performed, the join counter (stored in the token's status field) is incremented. This value is embedded in a JWT and signed by Auth, and the result is passed to the client alongside their cert bundle. This document effectively gives clients permission to lock themselves out in the future: if another client attempts to use their credentials, the original client will eventually present an outdated join state document, and trigger a lockout.

  [RFD]: https://github.com/gravitational/teleport/blob/rfd/0205-improved-onprem-joining/rfd/0205-improved-onprem-joining.md

* Allow selecting all recovery modes
* Remove TODO and debug log
* Add tests for join state issuance and verification
* Add join state tests for RegisterUsingBoundKeypairMethod

  Adds some minor error message and comment fixes caught while writing tests.

* Fix imports
* Fix lints
* Fix failing unit test
* Add notes about lack of expiry field in join state JWTs
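As an added illustration of the join-counter rule described in the commit message above (this is not code from the PR or from Teleport): Auth signs the token's current recovery counter into a compact JWT, and on rejoin a document that verifies under the JWT CA but carries a counter that no longer matches the token's status triggers a lockout, while a document that fails verification is simply rejected. EdDSA is used instead of the page's ECDSA P-256 to keep the sketch short; `JoinState`, `IssueJoinState`, `VerifyJoinState` and `RejoinDecision` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// JoinState is a constructed stand-in for the join state document's payload.
type JoinState struct {
	JoinCount uint64 `json:"join_count"` // recovery counter Auth recorded at last join
}

var b64 = base64.RawURLEncoding
var header = b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) // fixed: any other alg is rejected

// IssueJoinState signs the document with the (hypothetical) JWT CA key.
func IssueJoinState(caKey ed25519.PrivateKey, count uint64) string {
	payload, _ := json.Marshal(JoinState{JoinCount: count})
	input := header + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(caKey, []byte(input)) // JWS signs header.payload
	return input + "." + b64.EncodeToString(sig)
}

// VerifyJoinState checks the CA signature before trusting the counter inside.
func VerifyJoinState(caPub ed25519.PublicKey, token string) (JoinState, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || parts[0] != header {
		return JoinState{}, errors.New("malformed document or unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(caPub, []byte(parts[0]+"."+parts[1]), sig) {
		return JoinState{}, errors.New("join state signature invalid")
	}
	payload, _ := b64.DecodeString(parts[1]) // covered by the signature just checked
	var st JoinState
	return st, json.Unmarshal(payload, &st)
}

// RejoinDecision applies the commit message's rule: a validly signed document whose
// counter no longer matches the token's count means another client recovered, so lock.
func RejoinDecision(caPub ed25519.PublicKey, tokenJoinCount uint64, presented string) (lock bool, err error) {
	st, err := VerifyJoinState(caPub, presented)
	if err == nil && st.JoinCount != tokenJoinCount {
		return true, errors.New("stale join state: credentials were reused elsewhere")
	}
	return false, err // err != nil here means forged or garbled: rejected, no lock
}
```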
Compare: afd3e66 to 49fcb63 (…bound-keypair-part-two)
@timothyb89 - this PR will require admin approval to merge due to its size. Consider breaking it up into a series of smaller changes.
strideynet approved these changes Aug 22, 2025
boxofrad approved these changes Aug 27, 2025
zmb3 approved these changes Aug 27, 2025
This backport includes the following PRs for branch/v17:
Combined with #55037, this catches branch/v17 up to the state branch/v18 was in at the time it was cut. An additional backport or two will catch us up to master.
For reviewers, this is still mostly kept behind an experiment flag, so I don't consider it terribly dangerous to include in a patch release. The most dangerous addition here is probably the new JWT CA, since there's some potential for weird auth behavior around that.
changelog: Add experimental bound keypair joining method, disabled by default behind a flag