Implements RFD-0022 - OpenSSH-compatible Agent Forwarding #6525
Conversation
tcsc
force-pushed
the
trent/key-agent
branch
2 times, most recently
from
5c6105b to
e9797fe
Compare
tcsc
requested review from
alex-kovoy,
klizhentas,
r0mant and
russjones
as code owners
|
@nklaassen @fspmarshall Can you review? |
|
Does the command line option need to be updated, or is this coming in another PR? Seems like it is still a bool, and probably needs an update to the help string as well https://github.com/gravitational/teleport/blob/trent/key-agent/tool/tsh/tsh.go#L327 I'm not sure how difficult this could be, but would it be feasible to test that the correct key agent is actually forwarded when this option is set? I missed the RFD review, but to me the options "yes" and "local" seem a bit unnecessarily confusing. Maybe something like "system" and "tsh", with "yes" as an alias to "system" could be more clear? Just spitballing here, not sure if this is reasonable |
|
@nklaassen - the command line semantics are expected to change. From the RFD:
We could potentially add something like Re: the option value names, we're kinds stuck with "yes" and "no" as they are compatible with the OpenSSH ssh client options. Aliasing "yes" to "system" might be a useful affordance, but I'd be tempted to get feedback from the wild. I can take or leave the name "local", so if we want to change that I have no objections. |
|
@tcsc ahh I was just confused on that point, I thought that As for the option value names, I'm just finding "yes" vs "local" unintuitive - both options could map to either one in my mind. |
Prior to this change, `tsh` will only ever forward the internal key agent managed by `tsh` to a remote machine. This change allows a user to specify that `tsh` should forward either the `tsh`-internal keystore, or the system key agent at `$SSH_AUTH_SOCK`. This change also brings the `-A` command-line option into line with OpenSSH. For more info refer to RFD-0022. See-Also: #1571
$ ./build/tsh login --proxy 3.25.51.119 --user beaker --insecure
Enter password for Teleport user beaker:
WARNING: You are using insecure connection to SSH proxy https://3.25.51.119:3080
> Profile URL: https://3.25.51.119:3080
Logged in as: beaker
Cluster: aws-standalone
Roles: admin
Logins: rowlf
Kubernetes: disabled
Valid until: 2021-05-06 00:56:48 +1000 AEST [valid for 12h0m0s]
Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty
$ ./build/tsh ssh rowlf@auth-node
rowlf@ip-172-31-5-54:~$ ssh-add -l
Could not open a connection to your authentication agent.
rowlf@ip-172-31-5-54:~$ exit
$ ./build/tsh ssh -A rowlf@auth-node
rowlf@ip-172-31-5-54:~$ ssh-add -l
256 SHA256:dR1daFKmKLEDK055QNGbFi6zur2SSl+NOMnxzP4uBwQ [email protected] (ED25519)
2048 SHA256:5FPfhJMZH7x1yfzK9G3IZFqGkopy600C1AOR9sDH0A8 teleport:kermit (RSA-CERT)
2048 SHA256:5FPfhJMZH7x1yfzK9G3IZFqGkopy600C1AOR9sDH0A8 teleport:kermit (RSA)
2048 SHA256:AEML8fwmFdUazCzj+o1wEKBGIEaR33ei1zG4h5eZFU4 teleport:beaker (RSA-CERT)
2048 SHA256:AEML8fwmFdUazCzj+o1wEKBGIEaR33ei1zG4h5eZFU4 teleport:beaker (RSA)
rowlf@ip-172-31-5-54:~$ exit
$ ./build/tsh ssh -o "ForwardAgent local" rowlf@auth-node
rowlf@ip-172-31-5-54:~$ ssh-add -l
2048 SHA256:AEML8fwmFdUazCzj+o1wEKBGIEaR33ei1zG4h5eZFU4 teleport:beaker (RSA-CERT)
2048 SHA256:AEML8fwmFdUazCzj+o1wEKBGIEaR33ei1zG4h5eZFU4 teleport:beaker (RSA)
rowlf@ip-172-31-5-54:~$ exit |
There was a problem hiding this comment.
Couple of nitpicks, but otherwise LGTM. You created a beautifully written RFD btw, especially the diagram, I enjoyed reading it.
| func selectKeyAgent(tc *TeleportClient) agent.Agent { | ||
| switch tc.ForwardAgent { | ||
| case ForwardAgentYes: | ||
| log.Debugf("Selecting System Key Agent") |
There was a problem hiding this comment.
Nit: (derived from https://github.com/golang/go/wiki/CodeReviewComments#error-strings). Let's make our log lines proper english sentences, so:
Selecting system key agent.
There was a problem hiding this comment.
Saw this after hitting Merge, will fix in new PR
|
|
||
| default: | ||
| log.Errorf( | ||
| "Invalid agent forwarding mode %q. Defaulting to %q", |
There was a problem hiding this comment.
Saw this after hitting Merge, will fix in new PR
Prior to this change, `tsh` will only ever forward the internal key agent managed by `tsh` to a remote machine. This change allows a user to specify that `tsh` should forward either the `tsh`-internal keystore, or the system key agent at `$SSH_AUTH_SOCK`. This change also brings the `-A` command-line option into line with OpenSSH. For more info refer to RFD-0022. See-Also: #1571
) Prior to this change, `tsh` will only ever forward the internal key agent managed by `tsh` to a remote machine. This change allows a user to specify that `tsh` should forward either the `tsh`-internal keystore, or the system key agent at `$SSH_AUTH_SOCK`. This change also brings the `-A` command-line option into line with OpenSSH. For more info refer to RFD-0022. See-Also: #1571
Prior to this change,
tshwill only ever forward the internal keyagent managed by
tshto a remote machine.This change allows a user to specify that
tshshould forward eitherthe
tsh-internal keystore, or the system key agent at$SSH_AUTH_SOCK.This change also brings the
-Acommand-line option into line withOpenSSH.
For more info refer to RFD-0022.
See-Also: #1571