Add `tsh config` helper to generate OpenSSH client configuration (#7437)

Conversation
Hi all, I've got a few open questions I'd especially like some feedback on here:
Just a couple of general implementation questions:

- How does this work with IP addresses? A lot of customers/PoCs still use `ssh [email protected]` - will this handle IP ranges OK?
- What happens if `proxy_service.public_addr` isn't set for a given cluster?
They won't work as-is, since both the config generation and known_hosts depend on having some predictable way of addressing nodes for a particular cluster. The existing OpenSSH client guide notes a similar limitation; however, as far as I can tell, the node host certificates have their IPs listed as principals as well. It could probably be made to work if we listed out every individual node IP in both the generated config and in Maybe this is a good candidate to implement in a future pass, alongside

It still generates the same output on my test cluster, I assume the client falls back to the address as written by the user if the public address is unset?
This adds a new subcommand, `tsh config ssh`, to generate OpenSSH client configuration snippets that allow users to connect directly to nodes using the standard `ssh` client. To support this change, tsh's `known_hosts` file has been modified to match the format required by OpenSSH when verifying hosts against certificates. Old-style `known_hosts` entries will be automatically replaced and pruned when the end user first logs in with an updated `tsh`. Small changes were additionally made to the keystore and key agent to pass the proxy host into `AddKnownHostKeys` and to support wildcard hostnames in `known_hosts` entries.
This changes the config helper to use just `tsh config` per suggestion from @r0mant.
Force-pushed from 18e01e3 to 4a02b15.
Title changed from "tsh config ssh helper to generate OpenSSH client configuration" to "tsh config helper to generate OpenSSH client configuration".
```go
	// exists. If not, pass it through.
	for _, entry := range oldEntries {
		if canPruneOldHostsEntry(entry, newEntries) {
			log.Debugf("Pruning old known_hosts entry for %s.", entry.hosts[0])
```
Check hosts length?
Old entries have their length checked in `isOldStyleHostsEntry()` and are guaranteed to have exactly 1 host entry. Additionally, crypto/ssh's `ParseKnownHosts` rejects lines without any hosts so the list should never be empty to begin with.

If this is still problematic for code style reasons I'm happy to add more checks, though.
```
Host *.{{ .clusterName }} !{{ .proxyHost }}
    Port 3022
{{- if .leaf }}
    ProxyCommand ssh -p {{ .proxyPort }} {{ .proxyHost }} -s proxy:$(echo %h | cut -d '.' -f 1):%p@{{ .clusterName }}
```
Can `$(echo %h | cut -d '.' -f 1)` be done by Go code instead and pasted here as a template variable? Same below.
It is possible but would require another subcommand of some sort to be built into tsh. Per advice from @russjones we've decided to defer for a bit as the upcoming `tsh connect` functionality could supersede any text manipulation we do.
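To show how the stanza under review behaves once rendered, here is an added example (not tsh's own code) that executes a template of the same shape with `text/template` and then evaluates an ssh_config `Host` pattern list the way ssh_config(5) does, so the effect of the `!{{ .proxyHost }}` exclusion is visible. Only the `Host ... !proxy` stanza and its `ProxyCommand` are taken from the PR; the `UserKnownHostsFile` line, the non-leaf `ProxyCommand` branch, the proxy port 3023 and the cluster names are this example's assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"strings"
	"text/template"
)

// sshConfigTemplate follows the shape of the stanza under review. Only the
// "Host ... !proxy" stanza and its ProxyCommand come from the PR; the
// UserKnownHostsFile line and the non-leaf branch are assumptions made for
// this example. The negated pattern keeps the proxy itself out of the stanza,
// so an ssh to the proxy is not routed through the proxy subsystem.
const sshConfigTemplate = `# Generated OpenSSH configuration for cluster {{ .clusterName }} (constructed example)
Host *.{{ .clusterName }} {{ .proxyHost }}
    UserKnownHostsFile {{ .knownHostsPath }}

Host *.{{ .clusterName }} !{{ .proxyHost }}
    Port 3022
{{- if .leaf }}
    ProxyCommand ssh -p {{ .proxyPort }} {{ .proxyHost }} -s proxy:$(echo %h | cut -d '.' -f 1):%p@{{ .clusterName }}
{{- else }}
    ProxyCommand ssh -p {{ .proxyPort }} {{ .proxyHost }} -s proxy:$(echo %h | cut -d '.' -f 1):%p
{{- end }}
`

// configParams carries the template variables (names assumed for the example).
type configParams struct {
	ClusterName    string
	ProxyHost      string
	ProxyPort      int
	KnownHostsPath string
	Leaf           bool
}

// renderSSHConfig executes the template and wraps every error with context.
func renderSSHConfig(p configParams) (string, error) {
	tmpl, err := template.New("ssh_config").Parse(sshConfigTemplate)
	if err != nil {
		return "", fmt.Errorf("parsing ssh config template: %w", err)
	}
	var buf bytes.Buffer
	err = tmpl.Execute(&buf, map[string]interface{}{
		"clusterName":    p.ClusterName,
		"proxyHost":      p.ProxyHost,
		"proxyPort":      p.ProxyPort,
		"knownHostsPath": p.KnownHostsPath,
		"leaf":           p.Leaf,
	})
	if err != nil {
		return "", fmt.Errorf("rendering ssh config: %w", err)
	}
	return buf.String(), nil
}

// hostBlockApplies evaluates an ssh_config "Host" pattern list: a negated
// pattern that matches excludes the host outright, otherwise at least one
// positive pattern must match. ssh_config's "*" matches any characters,
// dots included, which path.Match also does for names without "/".
func hostBlockApplies(patternList, hostname string) bool {
	matched := false
	for _, pat := range strings.Fields(patternList) {
		negate := strings.HasPrefix(pat, "!")
		pat = strings.TrimPrefix(pat, "!")
		ok, err := path.Match(strings.ToLower(pat), strings.ToLower(hostname))
		if err != nil {
			return false // malformed pattern: treat as no match
		}
		if ok && negate {
			return false
		}
		if ok {
			matched = true
		}
	}
	return matched
}

func main() {
	out, err := renderSSHConfig(configParams{
		ClusterName: "leaf.example.com", ProxyHost: "proxy.example.com", ProxyPort: 3023,
		KnownHostsPath: "~/.tsh/known_hosts", Leaf: true,
	})
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
	// The node gets the Port 3022 stanza; the proxy is excluded by the "!" pattern.
	fmt.Println(hostBlockApplies("*.leaf.example.com !proxy.example.com", "node.leaf.example.com"))
	fmt.Println(hostBlockApplies("*.leaf.example.com !proxy.example.com", "proxy.example.com"))
}
```

The `{{-` trim markers matter: without them the `Port 3022` line would be followed by a blank line inside the stanza. OpenSSH tolerates that, but the trimmed form is what the snippet in the review shows.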
Force-pushed from 3045327 to 8edfa87.
Co-authored-by: Roman Tkachenko <[email protected]>
…al/teleport into timothyb89/ssh-config-helper
LGTM otherwise on the implementation
Bot.
* Add `tsh config ssh` helper to generate OpenSSH client configuration

  This adds a new subcommand, `tsh config ssh`, to generate OpenSSH client configuration snippets that allow users to connect directly to nodes using the standard `ssh` client. To support this change, tsh's `known_hosts` file has been modified to match the format required by OpenSSH when verifying hosts against certificates. Old-style `known_hosts` entries will be automatically replaced and pruned when the end user first logs in with an updated `tsh`. Small changes were additionally made to the keystore and key agent to pass the proxy host into `AddKnownHostKeys` and to support wildcard hostnames in `known_hosts` entries.
* Fix broken link to Trusted Clusters documentation
* Use text/template for SSH config generation; wrap all errors.
* Rename config helper from `config ssh` to just `config`

  This changes the config helper to use just `tsh config` per suggestion from @r0mant.
* Fix known_hosts_migrate_test after rebase
* First pass at review feedback
* Update docs/pages/server-access/guides/openssh.mdx

  Co-authored-by: Roman Tkachenko <[email protected]>
* Ensure top-level hostnames never match wildcard patterns
* Add additional host count check to `canPruneOldHostsEntry`.
* Replace excess call to `isOldStyleHostsEntry` with documented invariant
* Trim trailing dots on absolute hostnames in `matchesWildcard`

Co-authored-by: Roman Tkachenko <[email protected]>
…) (#7651)

Same squashed commit message as above, with one additional trailer: Co-authored-by: Roman Tkachenko <[email protected]>
This adds a new subcommand, `tsh config`, to generate OpenSSH client configuration snippets that allow users to connect directly to nodes using the standard `ssh` client.

To support this change, tsh's `known_hosts` file has been modified to match the format required by OpenSSH when verifying hosts against certificates. Old-style `known_hosts` entries will be automatically replaced and pruned when the end user first logs in with an updated `tsh`. Small changes were additionally made to the keystore and key agent to pass the proxy host into `AddKnownHostKeys` and to support wildcard hostnames in `known_hosts` entries.

As an example, on my machine, the generated configuration from `tsh config` looks like this:

... and the revised `~/.tsh/known_hosts` format looks like this:

Fixes #3734
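As an added illustration of the `known_hosts` migration described in this PR and discussed in the review thread above (the `isOldStyleHostsEntry` / `canPruneOldHostsEntry` exchange, the wildcard matching and the trailing-dot handling), here is a self-contained model written for this page rather than tsh's own implementation. It assumes that an old-style entry names exactly one literal host, that the revised format is an `@cert-authority` line whose host field carries comma-separated patterns such as `*.example.com`, and that an old entry is redundant once a new entry with the same key covers its host; the sample lines and key strings are constructed placeholders. The parser stands in for `crypto/ssh`'s `ParseKnownHosts` to keep the example dependency-free, and keeps its property that a line without a host field is rejected.

```go
package main

import (
	"fmt"
	"strings"
)

// hostsEntry is a simplified model of one known_hosts line (constructed for
// this example; not tsh's own type). Marker is "" or "@cert-authority",
// Hosts holds the comma-separated host patterns, Key the "type base64" pair.
type hostsEntry struct {
	Marker string
	Hosts  []string
	Key    string
}

// parseKnownHostsLine splits a line into marker, host patterns and key. As
// with crypto/ssh's ParseKnownHosts, a line without a host field is an error,
// so callers may rely on len(Hosts) >= 1.
func parseKnownHostsLine(line string) (hostsEntry, error) {
	fields := strings.Fields(line)
	var e hostsEntry
	if len(fields) > 0 && strings.HasPrefix(fields[0], "@") {
		e.Marker = fields[0]
		fields = fields[1:]
	}
	if len(fields) < 3 {
		return e, fmt.Errorf("malformed known_hosts line: %q", line)
	}
	e.Hosts = strings.Split(fields[0], ",")
	e.Key = fields[1] + " " + fields[2]
	return e, nil
}

// matchesWildcard reports whether hostname is covered by a "*.suffix"
// pattern. A trailing dot on an absolute hostname is ignored, and the bare
// suffix ("example.com") never matches "*.example.com": at least one label
// must precede the suffix.
func matchesWildcard(hostname, pattern string) bool {
	if !strings.HasPrefix(pattern, "*.") {
		return false
	}
	host := strings.TrimSuffix(strings.ToLower(hostname), ".")
	suffix := strings.ToLower(pattern[1:]) // ".example.com"
	return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
}

// isOldStyleHostsEntry identifies the pre-migration format, assumed here to
// be an entry naming exactly one literal host (no wildcard pattern).
func isOldStyleHostsEntry(e hostsEntry) bool {
	return len(e.Hosts) == 1 && !strings.Contains(e.Hosts[0], "*")
}

// canPruneOldHostsEntry reports whether an old-style entry is redundant: a
// new @cert-authority entry carries the same key and either names the host
// literally or covers it with a wildcard pattern.
func canPruneOldHostsEntry(old hostsEntry, newEntries []hostsEntry) bool {
	if !isOldStyleHostsEntry(old) {
		return false
	}
	for _, n := range newEntries {
		if n.Marker != "@cert-authority" || n.Key != old.Key {
			continue
		}
		for _, p := range n.Hosts {
			if strings.EqualFold(p, old.Hosts[0]) || matchesWildcard(old.Hosts[0], p) {
				return true
			}
		}
	}
	return false
}

// migrateKnownHosts returns the lines to write back: every new entry plus
// each old entry not covered by one of them. A malformed line aborts.
func migrateKnownHosts(oldLines, newLines []string) ([]string, error) {
	var newEntries []hostsEntry
	for _, l := range newLines {
		e, err := parseKnownHostsLine(l)
		if err != nil {
			return nil, err
		}
		newEntries = append(newEntries, e)
	}
	kept := append([]string(nil), newLines...)
	for _, l := range oldLines {
		e, err := parseKnownHostsLine(l)
		if err != nil {
			return nil, err
		}
		if !canPruneOldHostsEntry(e, newEntries) {
			kept = append(kept, l) // not covered: pass it through
		}
	}
	return kept, nil
}

func main() {
	// Constructed sample lines; the key material is a placeholder.
	oldLines := []string{
		"node1.example.com ssh-rsa AAAAB3PLACEHOLDER1", // covered by *.example.com
		"example.com ssh-rsa AAAAB3PLACEHOLDER1",       // top level: never matches the wildcard
		"proxy.other.com ssh-rsa AAAAB3PLACEHOLDER2",   // different key, no new entry
	}
	newLines := []string{"@cert-authority *.example.com,proxy.example.com ssh-rsa AAAAB3PLACEHOLDER1 type=host"}
	kept, err := migrateKnownHosts(oldLines, newLines)
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(kept, "\n"))
}
```

The top-level check in `matchesWildcard` is the part worth keeping in mind: if `example.com` itself matched `*.example.com`, a cluster-level CA entry would silently vouch for the proxy's bare name as well, which is exactly the over-match the commit "Ensure top-level hostnames never match wildcard patterns" rules out.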