gravitational · gzdunek · Sep 16, 2025 · Sep 11, 2025 · Sep 12, 2025 · Sep 12, 2025
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go
diff --git a/gen/proto/go/teleport/lib/teleterm/v1/server.pb.go b/gen/proto/go/teleport/lib/teleterm/v1/server.pb.go
diff --git a/gen/proto/ts/teleport/lib/teleterm/v1/cluster_pb.ts b/gen/proto/ts/teleport/lib/teleterm/v1/cluster_pb.ts
diff --git a/gen/proto/ts/teleport/lib/teleterm/v1/server_pb.ts b/gen/proto/ts/teleport/lib/teleterm/v1/server_pb.ts
diff --git a/lib/client/api.go b/lib/client/api.go
@@ -5453,3 +5453,26 @@ func (tc *TeleportClient) HeadlessApprove(ctx context.Context, headlessAuthentic
 	err = rootClient.UpdateHeadlessAuthenticationState(ctx, headlessAuthenticationID, types.HeadlessAuthenticationState_HEADLESS_AUTHENTICATION_STATE_APPROVED, mfaResp)
 	return trace.Wrap(err)
 }
+
+// CalculateSSHLogins returns the subset of the allowedLogins that exist in
+// the principals of the identity. This is required because SSH authorization
+// only allows using a login that exists in the certificates valid principals.
+// When connecting to servers in a leaf cluster, the root certificate is used,
+// so we need to ensure that we only present the allowed logins that would
+// result in a successful connection, if any exists.
+func CalculateSSHLogins(identityPrincipals []string, allowedLogins []string) ([]string, error) {
+	allowed := make(map[string]struct{})
+	for _, login := range allowedLogins {
+		allowed[login] = struct{}{}
+	}
+
+	var logins []string
+	for _, local := range identityPrincipals {
+		if _, ok := allowed[local]; ok {
+			logins = append(logins, local)
+		}
+	}
+
+	slices.Sort(logins)
+	return logins, nil
+}
diff --git a/lib/client/api_test.go b/lib/client/api_test.go
@@ -26,11 +26,13 @@ import (
 	"io"
 	"math"
 	"os"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/coreos/go-semver/semver"
 	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -1646,3 +1648,48 @@ func TestParsePortMapping(t *testing.T) {
 		})
 	}
 }
+
+func TestCalculateSSHLogins(t *testing.T) {
+	cases := []struct {
+		name              string
+		allowedLogins     []string
+		grantedPrincipals []string
+		expectedLogins    []string
+	}{
+		{
+			name:              "no matching logins",
+			allowedLogins:     []string{"llama"},
+			grantedPrincipals: []string{"fish"},
+		},
+		{
+			name:              "identical logins",
+			allowedLogins:     []string{"llama", "shark", "goose"},
+			grantedPrincipals: []string{"shark", "goose", "llama"},
+			expectedLogins:    []string{"goose", "shark", "llama"},
+		},
+		{
+			name:              "subset of logins",
+			allowedLogins:     []string{"llama"},
+			grantedPrincipals: []string{"shark", "goose", "llama"},
+			expectedLogins:    []string{"llama"},
+		},
+		{
+			name:              "no allowed logins",
+			grantedPrincipals: []string{"shark", "goose", "llama"},
+		},
+		{
+			name:          "no granted logins",
+			allowedLogins: []string{"shark", "goose", "llama"},
+		},
+	}
+
+	for _, test := range cases {
+		t.Run(test.name, func(t *testing.T) {
+			logins, err := CalculateSSHLogins(test.grantedPrincipals, test.allowedLogins)
+			require.NoError(t, err)
+			require.Empty(t, cmp.Diff(logins, test.expectedLogins, cmpopts.SortSlices(func(a, b string) bool {
+				return strings.Compare(a, b) < 0
+			})))
+		})
+	}
+}
diff --git a/lib/teleterm/apiserver/handler/handler_clusters.go b/lib/teleterm/apiserver/handler/handler_clusters.go
@@ -101,7 +101,6 @@ func newAPIRootCluster(cluster *clusters.Cluster) *api.Cluster {
 		Connected: cluster.Connected(),
 		LoggedInUser: &api.LoggedInUser{
 			Name:            loggedInUser.Name,
-			SshLogins:       loggedInUser.SSHLogins,
 			Roles:           loggedInUser.Roles,
 			ActiveRequests:  loggedInUser.ActiveRequests,
 			IsDeviceTrusted: cluster.HasDeviceTrustExtensions(),
@@ -155,9 +154,8 @@ func newAPILeafCluster(leaf clusters.LeafCluster) *api.Cluster {
 		Connected: leaf.Connected,
 		Leaf:      true,
 		LoggedInUser: &api.LoggedInUser{
-			Name:      leaf.LoggedInUser.Name,
-			SshLogins: leaf.LoggedInUser.SSHLogins,
-			Roles:     leaf.LoggedInUser.Roles,
+			Name:  leaf.LoggedInUser.Name,
+			Roles: leaf.LoggedInUser.Roles,
 		},
 	}
 }
diff --git a/lib/teleterm/apiserver/handler/handler_servers.go b/lib/teleterm/apiserver/handler/handler_servers.go
@@ -61,5 +61,6 @@ func newAPIServer(server clusters.Server) *api.Server {
 		Addr:     server.GetAddr(),
 		SubKind:  server.GetSubKind(),
 		Labels:   apiLabels,
+		Logins:   server.Logins,
 	}
 }
diff --git a/lib/teleterm/clusters/cluster_servers.go b/lib/teleterm/clusters/cluster_servers.go
@@ -33,10 +33,12 @@ import (
 	"github.com/gravitational/teleport/lib/teleterm/api/uri"
 )
 
-// Database describes database
+// Server describes an SSH node.
 type Server struct {
-	// URI is the database URI
+	// URI is the server URI
 	URI uri.ResourceURI
+	// Subset of logins allowed by the certificate and RBAC rules.
+	Logins []string
 
 	types.Server
 }

diff --git a/lib/teleterm/services/unifiedresources/unifiedresources.go b/lib/teleterm/services/unifiedresources/unifiedresources.go
@@ -27,6 +27,7 @@ import (
 	apiclient "github.com/gravitational/teleport/api/client"
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/types"
+	libclient "github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/teleterm/clusters"
 )
 
@@ -66,10 +67,15 @@ func List(ctx context.Context, cluster *clusters.Cluster, client apiclient.ListU
 		requiresRequest := enrichedResource.RequiresRequest
 		switch r := enrichedResource.ResourceWithLabels.(type) {
 		case types.Server:
+			logins, err := libclient.CalculateSSHLogins(cluster.GetLoggedInUser().SSHLogins, enrichedResource.Logins)
+			if err != nil {
+				return nil, trace.Wrap(err)
+			}
 			response.Resources = append(response.Resources, UnifiedResource{
 				Server: &clusters.Server{
 					URI:    cluster.URI.AppendServer(r.GetName()),
 					Server: r,
+					Logins: logins,
 				},
 				RequiresRequest: requiresRequest,
 			})

diff --git a/lib/teleterm/services/unifiedresources/unififedresources_test.go b/lib/teleterm/services/unifiedresources/unififedresources_test.go
@@ -97,7 +97,7 @@ func TestUnifiedResourcesList(t *testing.T) {
 	require.NoError(t, err)
 
 	mockedResources := []*proto.PaginatedResource{
-		{Resource: &proto.PaginatedResource_Node{Node: node.(*types.ServerV2)}},
+		{Resource: &proto.PaginatedResource_Node{Node: node.(*types.ServerV2)}, Logins: []string{"ec2-user"}},
 		{Resource: &proto.PaginatedResource_DatabaseServer{DatabaseServer: database}},
 		{Resource: &proto.PaginatedResource_KubernetesServer{KubernetesServer: kube}},
 		{Resource: &proto.PaginatedResource_AppServer{AppServer: app}},
@@ -117,6 +117,7 @@ func TestUnifiedResourcesList(t *testing.T) {
 	require.Equal(t, UnifiedResource{Server: &clusters.Server{
 		URI:    uri.NewClusterURI(cluster.ProfileName).AppendServer(node.GetName()),
 		Server: node,
+		Logins: nil, // because the cluster has no SSH logins
 	}}, response.Resources[0])
 
 	require.Equal(t, UnifiedResource{Database: &clusters.Database{