From 6df9b1b17870e91d82ed6de567c57709f4bdc434 Mon Sep 17 00:00:00 2001
From: joerger
Date: Wed, 15 Oct 2025 17:05:42 -0700
Subject: [PATCH 1/3] Set AddKeysToAgent to no for WebUI clients; Remove unused code.

---
 lib/client/api.go | 18 ------------------
 lib/web/files.go | 1 +
 lib/web/terminal.go | 1 +
 3 files changed, 2 insertions(+), 18 deletions(-)

diff --git a/lib/client/api.go b/lib/client/api.go
index 5180ff45509ce..312875e694430 100644
--- a/lib/client/api.go
+++ b/lib/client/api.go
@@ -539,24 +539,6 @@ type CachePolicy struct {
 NeverExpires bool
 }
 
-// MakeDefaultConfig returns default client config.
-// If store is not provided, it will default to in-memory storage without
-// hardware key support. This should only be used with static auth methods
-// (TLS and AuthMethods fields).
-func MakeDefaultConfig(store *Store) *Config {
- if store == nil {
- store = NewMemClientStore()
- }
- return &Config{
- Stdout: os.Stdout,
- Stderr: os.Stderr,
- Stdin: os.Stdin,
- AddKeysToAgent: AddKeysToAgentAuto,
- Tracer: tracing.NoopProvider().Tracer("TeleportClient"),
- ClientStore: store,
- }
-}
-
 func (c *Config) CheckAndSetDefaults() error {
 if c.ClientStore == nil {
 if c.TLS == nil && c.AuthMethods == nil {
diff --git a/lib/web/files.go b/lib/web/files.go
index 27e8116fdcc6b..670915a2b69ce 100644
--- a/lib/web/files.go
+++ b/lib/web/files.go
@@ -306,6 +306,7 @@ func (f *fileTransfer) createClient(req fileTransferRequest, httpReq *http.Reque
 cfg.HostPort = hostPort
 cfg.ClientAddr = httpReq.RemoteAddr
 cfg.PROXYSigner = proxySigner
+ cfg.AddKeysToAgent = client.AddKeysToAgentNo
 
 tc, err := client.NewClient(cfg)
 if err != nil {
diff --git a/lib/web/terminal.go b/lib/web/terminal.go
index 6a604db2818cb..5917a8e25f2ea 100644
--- a/lib/web/terminal.go
+++ b/lib/web/terminal.go
@@ -519,6 +519,7 @@ func (t *TerminalHandler) makeClient(ctx context.Context, stream *terminal.Strea
 clientConfig.ClientAddr = clientAddr
 clientConfig.Tracer = t.tracer
 clientConfig.SSHDialTimeout = t.sshDialTimeout
+ clientConfig.AddKeysToAgent = client.AddKeysToAgentNo
 
 if len(t.interactiveCommand) > 0 {
 clientConfig.InteractiveCommand = true
From dc269c2531b6d8a6a952a3fab23501e6581183f3 Mon Sep 17 00:00:00 2001
From: joerger
Date: Thu, 16 Oct 2025 15:03:22 -0700
Subject: [PATCH 2/3] Fix Signers method which overwrites local agent keys with system agent keys.

---
 lib/client/keyagent.go | 2 +-
 lib/web/apiserver.go | 1 +
 lib/web/files.go | 1 -
 lib/web/terminal.go | 1 -
 4 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/client/keyagent.go b/lib/client/keyagent.go
index 9111e3df164d2..e901f61822fc3 100644
--- a/lib/client/keyagent.go
+++ b/lib/client/keyagent.go
@@ -664,7 +664,7 @@ func (a *LocalKeyAgent) Signers() ([]ssh.Signer, error) {
 if err != nil {
 return nil, trace.Wrap(err)
 }
- agentSigners = append(signers, sshAgentSigners...)
+ agentSigners = append(agentSigners, sshAgentSigners...)
 }
 
 // Filter out non-certificates (like regular public SSH keys stored in the SSH agent).
diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
index 191158b7364fa..d15e50d365e0a 100644
--- a/lib/web/apiserver.go
+++ b/lib/web/apiserver.go
@@ -5318,6 +5318,7 @@ func makeTeleportClientConfig(ctx context.Context, sctx *SessionContext) (*clien
 HostKeyCallback: callback,
 TLSRoutingEnabled: proxyListenerMode == types.ProxyListenerMode_Multiplex,
 Tracer: apitracing.DefaultProvider().Tracer("webterminal"),
+ AddKeysToAgent: client.AddKeysToAgentNo,
 }
 
 return config, nil
diff --git a/lib/web/files.go b/lib/web/files.go
index 670915a2b69ce..27e8116fdcc6b 100644
--- a/lib/web/files.go
+++ b/lib/web/files.go
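Review bot: The corrected `append(agentSigners, sshAgentSigners...)` now returns the same certificate once per source it was loaded from, which the new keyagent_test.go in this series pins with `require.Len(t, signers, 3)` for a single key ring; a caller that offers every signer to the SSH server presumably presents the same cert up to three times per connection, and each repeat counts against the server's MaxAuthTries and shows up as a separate attempt in its auth log. If nothing downstream deduplicates, consider collapsing duplicates by marshalled public key (`string(s.PublicKey().Marshal())` as the set key) after the certificate filter that follows this hunk, so the fix restores the local-agent keys without multiplying auth attempts. Signers starts and ends outside the hunk, so where `agentSigners` and `signers` are first populated is not visible here.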
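Review bot: The new `AddKeysToAgent: client.AddKeysToAgentNo,` field carries no explanation, and since this config is built in lib/web — presumably inside the proxy process that brokers web sessions — the reason is worth recording: if an unset field still resolves to adding keys automatically, as the `AddKeysToAgentAuto` in the MakeDefaultConfig removed by the first patch of this series suggests was the norm, a web user's keys could be loaded into whatever system ssh-agent the proxy process can reach, which is how local-agent keys came to be overwritten by system-agent keys in the Signers fix above. A one-line comment such as `// Web sessions run in the proxy process; never load the user's keys into the proxy host's system ssh-agent.` would keep a later refactor from dropping it. Centralizing the setting here instead of at each handler (the per-call-site assignments in files.go and terminal.go are removed further down in this patch) is the right shape; makeTeleportClientConfig starts and ends outside the hunk.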
@@ -306,7 +306,6 @@ func (f *fileTransfer) createClient(req fileTransferRequest, httpReq *http.Reque
 cfg.HostPort = hostPort
 cfg.ClientAddr = httpReq.RemoteAddr
 cfg.PROXYSigner = proxySigner
- cfg.AddKeysToAgent = client.AddKeysToAgentNo
 
 tc, err := client.NewClient(cfg)
 if err != nil {
diff --git a/lib/web/terminal.go b/lib/web/terminal.go
index 5917a8e25f2ea..6a604db2818cb 100644
--- a/lib/web/terminal.go
+++ b/lib/web/terminal.go
@@ -519,7 +519,6 @@ func (t *TerminalHandler) makeClient(ctx context.Context, stream *terminal.Strea
 clientConfig.ClientAddr = clientAddr
 clientConfig.Tracer = t.tracer
 clientConfig.SSHDialTimeout = t.sshDialTimeout
- clientConfig.AddKeysToAgent = client.AddKeysToAgentNo
 
 if len(t.interactiveCommand) > 0 {
 clientConfig.InteractiveCommand = true
From 2edc57526ca0799f9a089f5b2ff1f8b6a54181ec Mon Sep 17 00:00:00 2001
From: joerger
Date: Thu, 16 Oct 2025 16:01:58 -0700
Subject: [PATCH 3/3] Add test.

---
 lib/client/keyagent_test.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/lib/client/keyagent_test.go b/lib/client/keyagent_test.go
index ac10543d059af..6bf0c11712043 100644
--- a/lib/client/keyagent_test.go
+++ b/lib/client/keyagent_test.go
@@ -278,6 +278,28 @@ func TestLoadKey(t *testing.T) {
 }
 }
 
+func TestSigners(t *testing.T) {
+ s := makeSuite(t)
+ keyAgent := s.newKeyAgent(t)
+
+ // add the key to the local and system agent.
+ err := keyAgent.AddKeyRing(s.keyRing)
+ require.NoError(t, err)
+
+ // Check that the ssh cert (signer) appears three times:
+ // - from the client store
+ // - from the local agent
+ // - from the system agent
+ signers, err := keyAgent.Signers()
+ require.NoError(t, err)
+ require.Len(t, signers, 3)
+
+ // non ssh certs should be filtered out
+ for i, signer := range signers {
+ require.True(t, sshutils.IsSSHCertType(signer.PublicKey().Type()), "signer %d has unexpected type %s", i, signer.PublicKey().Type())
+ }
+}
+
 type caType struct {
 signer ssh.Signer
 trustedCerts authclient.TrustedCerts
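Review bot: The loop under `// non ssh certs should be filtered out` cannot fail with the fixture it is given: `AddKeyRing(s.keyRing)` adds only the suite's certificate, so every returned signer is a cert whether or not Signers filters anything. To exercise the filter the test should also place a plain, non-certificate key into the system agent the suite provides and keep `require.Len(t, signers, 3)` as is, which would then fail if the plain key leaked through; the suite's agent handle is not visible in this hunk, so the exact call depends on what makeSuite exposes. The count of three also presumably relies on makeSuite wiring up a system agent, and a comment saying so next to the first comment, which should read `// Add the key to the local and system agent.` for consistency with the capitalised comments below it, would make the expected number self-explanatory.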