Added forwarding SSH server.

constants.go

@@ -67,6 +67,9 @@ const (
 	// ComponentNode is SSH node (SSH server serving requests)
 	ComponentNode = "node"
 
+	// ComponentNode is SSH node (SSH server serving requests)
+	ComponentForwardingNode = "node:forward"
+
 	// ComponentProxy is SSH proxy (SSH server forwarding connections)
 	ComponentProxy = "proxy"
 
@@ -79,6 +82,15 @@ const (
 	// ComponentSubsystemProxy is the proxy subsystem.
 	ComponentSubsystemProxy = "subsystem:proxy"
 
+	// ComponentLocalTerm is a terminal on a regular SSH node.
+	ComponentLocalTerm = "term:local"
+
+	// ComponentRemoteTerm is a terminal on a forwarding SSH node.
+	ComponentRemoteTerm = "term:remote"
+
+	// ComponentRemoteSubsystem is subsystem on a forwarding SSH node.
+	ComponentRemoteSubsystem = "subsystem:remote"
+
 	// ComponentAuditLog is audit log component
 	ComponentAuditLog = "auditlog"
 
@@ -216,6 +228,9 @@ const (
 	TraitInternalRoleVariable = "{{internal.logins}}"
 )
 
+// SCP is Secure Copy.
+const SCP = "scp"
+
 // Root is *nix system administrator account name.
 const Root = "root"
 

integration/helpers.go

@@ -253,12 +253,7 @@ func (i *TeleInstance) CreateEx(trustedSecrets []*InstanceSecrets, tconf *servic
 		tconf = service.MakeDefaultConfig()
 	}
 	tconf.DataDir = dataDir
-	tconf.Auth.ClusterConfig, err = services.NewClusterConfig(services.ClusterConfigSpecV3{
-		SessionRecording: services.RecordAtNode,
-	})
-	if err != nil {
-		return trace.Wrap(err)
-	}
+	tconf.Auth.ClusterConfig = services.DefaultClusterConfig()
 	tconf.Auth.ClusterName, err = services.NewClusterName(services.ClusterNameSpecV2{
 		ClusterName: i.Secrets.SiteName,
 	})
@@ -353,7 +348,7 @@ func (i *TeleInstance) CreateEx(trustedSecrets []*InstanceSecrets, tconf *servic
 		if err != nil {
 			return trace.Wrap(err)
 		}
-		user.Key.Cert, err = auth.GenerateUserCert(user.Key.Pub, teleUser, logins, ttl, true, teleport.CompatibilityNone)
+		user.Key.Cert, err = auth.GenerateUserCert(user.Key.Pub, teleUser, logins, ttl, true, true, teleport.CompatibilityNone)
 		if err != nil {
 			return err
 		}

lib/auth/auth.go

@@ -231,7 +231,7 @@ func (s *AuthServer) GenerateHostCert(hostPublicKey []byte, hostID, nodeName, cl
 
 // GenerateUserCert generates user certificate, it takes pkey as a signing
 // private key (user certificate authority)
-func (s *AuthServer) GenerateUserCert(key []byte, user services.User, allowedLogins []string, ttl time.Duration, canForwardAgents bool, compatibility string) ([]byte, error) {
+func (s *AuthServer) GenerateUserCert(key []byte, user services.User, allowedLogins []string, ttl time.Duration, canForwardAgents bool, canPortForward bool, compatibility string) ([]byte, error) {
 	domainName, err := s.GetDomainName()
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -256,6 +256,7 @@ func (s *AuthServer) GenerateUserCert(key []byte, user services.User, allowedLog
 		Roles:                 user.GetRoles(),
 		Compatibility:         compatibility,
 		PermitAgentForwarding: canForwardAgents,
+		PermitPortForwarding:  canPortForward,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -742,7 +743,8 @@ func (s *AuthServer) NewWebSession(userName string) (services.WebSession, error)
 		AllowedLogins:       allowedLogins,
 		TTL:                 bearerTokenTTL,
 		PermitAgentForwarding: roles.CanForwardAgents(),
-		Roles: user.GetRoles(),
+		PermitPortForwarding:  roles.CanPortForward(),
+		Roles:                 user.GetRoles(),
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)

lib/auth/auth_with_roles.go

@@ -468,7 +468,7 @@ func (a *AuthWithRoles) GenerateUserCert(key []byte, username string, ttl time.D
 		return nil, trace.Wrap(err)
 	}
 	return a.authServer.GenerateUserCert(
-		key, user, allowedLogins, sessionTTL, checker.CanForwardAgents(), compatibility)
+		key, user, allowedLogins, sessionTTL, checker.CanForwardAgents(), checker.CanPortForward(), compatibility)
 }
 
 func (a *AuthWithRoles) CreateSignupToken(user services.UserV1, ttl time.Duration) (token string, e error) {

lib/auth/init.go

@@ -105,11 +105,11 @@ type InitConfig struct {
 	// factor (off, otp, u2f) passed in from a configuration file.
 	AuthPreference services.AuthPreference
 
-	// ClusterConfig holds cluster level configuration.
-	ClusterConfig services.ClusterConfig
-
 	// AuditLog is used for emitting events to audit log
 	AuditLog events.IAuditLog
+
+	// ClusterConfig holds cluster level configuration.
+	ClusterConfig services.ClusterConfig
 }
 
 // Init instantiates and configures an instance of AuthServer

lib/auth/init_test.go

@@ -178,10 +178,6 @@ func (s *AuthInitSuite) TestAuthPreference(c *C) {
 	})
 	c.Assert(err, IsNil)
 
-	clusterConfig, err := services.NewClusterConfig(services.ClusterConfigSpecV3{
-		SessionRecording: services.RecordAtNode,
-	})
-	c.Assert(err, IsNil)
 	clusterName, err := services.NewClusterName(services.ClusterNameSpecV2{
 		ClusterName: "me.localhost",
 	})
@@ -197,7 +193,7 @@ func (s *AuthInitSuite) TestAuthPreference(c *C) {
 		NodeName:       "foo",
 		Backend:        bk,
 		Authority:      testauthority.New(),
-		ClusterConfig:  clusterConfig,
+		ClusterConfig:  services.DefaultClusterConfig(),
 		ClusterName:    clusterName,
 		StaticTokens:   staticTokens,
 		AuthPreference: ap,
@@ -230,8 +226,8 @@ func (s *AuthInitSuite) TestClusterID(c *C) {
 		NodeName:      "foo",
 		Backend:       bk,
 		Authority:     testauthority.New(),
-		ClusterName:   clusterName,
 		ClusterConfig: services.DefaultClusterConfig(),
+		ClusterName:   clusterName,
 	})
 	c.Assert(err, IsNil)
 
@@ -247,8 +243,8 @@ func (s *AuthInitSuite) TestClusterID(c *C) {
 		NodeName:      "foo",
 		Backend:       bk,
 		Authority:     testauthority.New(),
-		ClusterName:   clusterName,
 		ClusterConfig: services.DefaultClusterConfig(),
+		ClusterName:   clusterName,
 	})
 	c.Assert(err, IsNil)
 

lib/auth/native/native.go

@@ -208,6 +208,9 @@ func (n *nauth) GenerateUserCert(c services.UserCertParams) ([]byte, error) {
 	if c.PermitAgentForwarding {
 		cert.Permissions.Extensions[teleport.CertExtensionPermitAgentForwarding] = ""
 	}
+	if !c.PermitPortForwarding {
+		delete(cert.Permissions.Extensions, teleport.CertExtensionPermitPortForwarding)
+	}
 	if len(c.Roles) != 0 {
 		// if we are requesting a certificate with support for older versions of OpenSSH
 		// don't add roles to certificate extensions, due to a bug in <= OpenSSH 7.1

lib/auth/native/native_test.go

@@ -182,6 +182,7 @@ func (s *NativeSuite) TestUserCertCompatibility(c *C) {
 			Roles:                 []string{"foo"},
 			Compatibility:         tt.inCompatibility,
 			PermitAgentForwarding: true,
+			PermitPortForwarding:  true,
 		})
 		c.Assert(err, IsNil, comment)
 

lib/auth/oidc.go

@@ -218,7 +218,14 @@ func (a *AuthServer) ValidateOIDCAuthCallback(q url.Values) (*OIDCAuthResponse,
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-		cert, err := a.GenerateUserCert(req.PublicKey, user, allowedLogins, certTTL, roles.CanForwardAgents(), req.Compatibility)
+		cert, err := a.GenerateUserCert(
+			req.PublicKey,
+			user,
+			allowedLogins,
+			certTTL,
+			roles.CanForwardAgents(),
+			roles.CanPortForward(),
+			req.Compatibility)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}

lib/auth/permissions.go

@@ -177,6 +177,7 @@ func GetCheckerForBuiltinRole(clusterConfig services.ClusterConfig, role telepor
 						services.NewRule(services.KindAuthServer, services.RO()),
 						services.NewRule(services.KindReverseTunnel, services.RO()),
 						services.NewRule(services.KindTunnelConnection, services.RO()),
+						services.NewRule(services.KindClusterConfig, services.RO()),
 					},
 				},
 			})

lib/auth/saml.go

@@ -340,7 +340,7 @@ func (a *AuthServer) ValidateSAMLResponse(samlResponse string) (*SAMLAuthRespons
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
-		cert, err := a.GenerateUserCert(request.PublicKey, user, allowedLogins, certTTL, roles.CanForwardAgents(), request.Compatibility)
+		cert, err := a.GenerateUserCert(request.PublicKey, user, allowedLogins, certTTL, roles.CanForwardAgents(), roles.CanPortForward(), request.Compatibility)
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}

lib/auth/test/suite.go

@@ -87,6 +87,7 @@ func (s *AuthSuite) GenerateUserCert(c *C) {
 		AllowedLogins:       []string{"centos", "root"},
 		TTL:                 time.Hour,
 		PermitAgentForwarding: true,
+		PermitPortForwarding:  true,
 	})
 	c.Assert(err, IsNil)
 
@@ -100,6 +101,7 @@ func (s *AuthSuite) GenerateUserCert(c *C) {
 		AllowedLogins:       []string{"root"},
 		TTL:                 -20,
 		PermitAgentForwarding: true,
+		PermitPortForwarding:  true,
 	})
 	c.Assert(err, NotNil)
 
@@ -109,7 +111,9 @@ func (s *AuthSuite) GenerateUserCert(c *C) {
 		Username:            "user",
 		AllowedLogins:       []string{"root"},
 		TTL:                 0,
-		PermitAgentForwarding: true})
+		PermitAgentForwarding: true,
+		PermitPortForwarding:  true,
+	})
 	c.Assert(err, NotNil)
 
 	_, err = s.A.GenerateUserCert(services.UserCertParams{
@@ -119,6 +123,7 @@ func (s *AuthSuite) GenerateUserCert(c *C) {
 		AllowedLogins:       []string{"root"},
 		TTL:                 time.Hour,
 		PermitAgentForwarding: true,
+		PermitPortForwarding:  true,
 	})
 	c.Assert(err, IsNil)
 
@@ -130,7 +135,8 @@ func (s *AuthSuite) GenerateUserCert(c *C) {
 		AllowedLogins:       []string{"root"},
 		TTL:                 time.Hour,
 		PermitAgentForwarding: true,
-		Roles: inRoles,
+		PermitPortForwarding:  true,
+		Roles:                 inRoles,
 	})
 	c.Assert(err, IsNil)
 	parsedKey, _, _, _, err := ssh.ParseAuthorizedKey(cert)

lib/auth/testauthority/testauthority.go

@@ -103,6 +103,9 @@ func (n *Keygen) GenerateUserCert(c services.UserCertParams) ([]byte, error) {
 	if c.PermitAgentForwarding {
 		cert.Permissions.Extensions[teleport.CertExtensionPermitAgentForwarding] = ""
 	}
+	if !c.PermitPortForwarding {
+		delete(cert.Permissions.Extensions, teleport.CertExtensionPermitPortForwarding)
+	}
 	if len(c.Roles) != 0 {
 		roles, err := services.MarshalCertRoles(c.Roles)
 		if err != nil {

lib/client/keyagent_test.go

@@ -271,6 +271,7 @@ func makeKey(username string, allowedLogins []string, ttl time.Duration) (*Key,
 		AllowedLogins:       allowedLogins,
 		TTL:                 ttl,
 		PermitAgentForwarding: true,
+		PermitPortForwarding:  true,
 	})
 	if err != nil {
 		return nil, err

lib/client/keystore_test.go

@@ -181,6 +181,7 @@ func (s *KeyStoreTestSuite) makeSignedKey(c *check.C, makeExpired bool) *Key {
 		AllowedLogins:       allowedLogins,
 		TTL:                 ttl,
 		PermitAgentForwarding: false,
+		PermitPortForwarding:  true,
 	})
 	c.Assert(err, check.IsNil)
 	return &Key{

lib/client/session.go

@@ -316,7 +316,7 @@ func (ns *NodeSession) updateTerminalSize(s *ssh.Session) {
 			}
 			// send the new window size to the server
 			_, err = s.SendRequest(
-				sshutils.WindowChangeReq, false,
+				sshutils.WindowChangeRequest, false,
 				ssh.Marshal(sshutils.WinChangeReqParams{
 					W: uint32(winSize.Width),
 					H: uint32(winSize.Height),

lib/config/configuration.go

@@ -406,12 +406,14 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
 		}
 	}
 
-	// read in and set session recording
-	clusterConfig, err := fc.Auth.SessionRecording.Parse()
+	// build cluster config from session recording and host key checking preferences
+	cfg.Auth.ClusterConfig, err = services.NewClusterConfig(services.ClusterConfigSpecV3{
+		SessionRecording:    fc.Auth.SessionRecording,
+		ProxyChecksHostKeys: fc.Auth.ProxyChecksHostKeys,
+	})
 	if err != nil {
 		return trace.Wrap(err)
 	}
-	cfg.Auth.ClusterConfig = clusterConfig
 
 	// read in and set the license file path (not used in open-source version)
 	licenseFile := fc.Auth.LicenseFile