Mutual TLS Auth server and clients #1528
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
klizhentas
force-pushed
the
sasha/x509
branch
2 times, most recently
from
b573946
to
456f166
Compare
klizhentas
force-pushed
the
sasha/x509
branch
from
456f166
to
4926289
Compare
klizhentas
commented
Dec 26, 2017
| // per connections? E.g. what happens to session tickets. Benchmark this. | ||
| pool, err := t.AuthServer.ClientCertPool() | ||
| if err != nil { | ||
| log.Errorf("failed to retrieve client pool: %v", trace.DebugReport(err)) |
There was a problem hiding this comment.
make error message conformant
lib/auth/middleware.go
Outdated
| } | ||
| clientCert := peers[0] | ||
| if len(clientCert.Issuer.Organization) < 1 { | ||
| log.Warning("missing organization in issuer certificate %v", clientCert.Issuer) |
There was a problem hiding this comment.
log.Warningf("Missing")...
There was a problem hiding this comment.
remove this extra check
lib/auth/clt.go
Outdated
| @@ -102,6 +178,24 @@ func NewClient(addr string, dialer Dialer, params ...roundtrip.ClientParam) (*Cl | |||
| }, nil | |||
| } | |||
|
|
|||
| // GetDialer returns dialer that will connect to auth server API | |||
There was a problem hiding this comment.
Add DELETE IN note
lib/auth/methods.go
Outdated
| if a.Username == "" { | ||
| return trace.BadParameter("missing parameter 'username'") | ||
| } | ||
| if a.Pass == nil && a.U2F == nil && a.OTP == nil { |
There was a problem hiding this comment.
add web session here as well
lib/auth/methods.go
Outdated
| return nil, trace.Wrap(err) | ||
| } | ||
|
|
||
| if err := req.CheckAndSetDefaults(); err != nil { |
There was a problem hiding this comment.
remove second check
| // tryRemoteTLSClient tries creating TLS client and using it (the client may not be available | ||
| // due to older clusters), returns client if it is working properly | ||
| func (c *SessionContext) tryRemoteTLSClient(cluster reversetunnel.RemoteSite) (auth.ClientI, error) { | ||
| clt, err := c.newRemoteTLSClient(cluster) |
| // build a ssh connection to the remote auth server | ||
| config := &ssh.ClientConfig{ | ||
| User: principal, | ||
| Auth: []ssh.AuthMethod{authMethods}, | ||
| User: cert.ValidPrincipals[0], |
There was a problem hiding this comment.
check at least one
| return nil, trace.Wrap(err) | ||
| } | ||
| return session, nil | ||
| return s.proxyClient.AuthenticateWebUser(auth.AuthenticateUserRequest{ |
There was a problem hiding this comment.
add deprecation note to SignIn
lib/auth/register.go
Outdated
| if err != nil { | ||
| return trace.Wrap(err, "failed to parse certificate at %v", certPath) | ||
| } | ||
| log.Infof("Securely joining remote cluster %v.", cert.Subject.CommonName) |
lib/client/client.go
Outdated
| @@ -262,6 +275,56 @@ func (proxy *ProxyClient) isRecordingProxy() (bool, error) { | |||
| } | |||
| } | |||
|
|
|||
| // dialAuthServer returns auth server connection forwarded via proxy | |||
| func (proxy *ProxyClient) dialAuthServer(ctx context.Context, clusterName string) (net.Conn, error) { | |||
| log.Infof("[CLIENT] client=%v connecting to auth server on cluster ", proxy.clientAddr, clusterName) | |||
There was a problem hiding this comment.
remove square brackets
r0mant
approved these changes
Dec 27, 2017
lib/auth/apiserver.go
Outdated
| @@ -877,6 +923,26 @@ func (s *APIServer) registerNewAuthServer(auth ClientI, w http.ResponseWriter, r | |||
| return message("ok"), nil | |||
| } | |||
|
|
|||
| type generateServerKeysReq struct { | |||
| HostID string `json:"host_id"` | |||
There was a problem hiding this comment.
Godocs on exported fields are missing.
| @@ -1119,7 +1185,7 @@ func (s *APIServer) createUserWithToken(auth ClientI, w http.ResponseWriter, r * | |||
| webSession, err = auth.CreateUserWithOTP(req.Token, req.Password, req.OTPToken) | |||
| } | |||
| if err != nil { | |||
| log.Error(trace.DebugReport(err)) | |||
| log.Warningf("failed to create user: %v", err.Error()) | |||
There was a problem hiding this comment.
Do you need to log this? If yes, make it conformant to our style.
lib/auth/auth.go
Outdated
| // GenerateUserCert generates user certificate, it takes pkey as a signing | ||
| // certs is a pair of SSH and TLS certificates | ||
| type certs struct { | ||
| // sshis PEM encoded SSH certificate |
lib/auth/auth.go
Outdated
| return certs.ssh, certs.tls, nil | ||
| } | ||
|
|
||
| // generateUserCert generates user certificate, it takes pkey as a signing |
There was a problem hiding this comment.
Obsolete comment, as the method does not accept pkey.
lib/auth/auth.go
Outdated
| @@ -579,7 +724,7 @@ func (s *AuthServer) checkTokenTTL(token string) bool { | |||
| // If a token was generated with a TTL=0, it means it's a single-use token and it gets destroyed | |||
| // after a successful registration. | |||
| func (s *AuthServer) RegisterUsingToken(token, hostID string, nodeName string, role teleport.Role) (*PackedKeys, error) { | |||
| log.Infof("[AUTH] Node %q [%v] trying to join with role: %v", nodeName, hostID, role) | |||
| log.Infof("node %q [%v] trying to join with role: %v", nodeName, hostID, role) | |||
| storage := utils.NewFileAddrStorage( | ||
| filepath.Join(process.Config.DataDir, "authservers.json")) | ||
|
|
||
| authUser := identity.Cert.ValidPrincipals[0] |
There was a problem hiding this comment.
Is the ValidPrincipals length checked anywhere?
There was a problem hiding this comment.
yes auth/init.go:696
lib/services/local/presence.go
Outdated
| err := s.DeleteBucket([]string{}, tunnelConnectionsPrefix) | ||
| log.Debugf("Presence delete all tunnel connections: %v", err) |
There was a problem hiding this comment.
Log entries in this function look like debug leftovers.
lib/services/local/presence.go
Outdated
| @@ -473,10 +473,15 @@ func (s *PresenceService) DeleteTunnelConnections(clusterName string) error { | |||
|
|
|||
| // DeleteAllTunnelConnections deletes all tunnel connections | |||
| func (s *PresenceService) DeleteAllTunnelConnections() error { | |||
| conns, _ := s.GetAllTunnelConnections() | |||
lib/services/local/presence.go
Outdated
| if trace.IsNotFound(err) { | ||
| return nil | ||
| } | ||
| conns, _ = s.GetAllTunnelConnections() |
There was a problem hiding this comment.
Error is ignored. This actually, too, looks like a debug leftover. Getting tunnels in "delete" method?
lib/state/cachingaccesspoint.go
Outdated
| if err := cs.trust.UpsertCertAuthority(ca); err != nil { | ||
| return nil, trace.Wrap(err) | ||
| } | ||
| return ca, err |
russjones
approved these changes
Dec 27, 2017
|
closing it in favor of another branch with merged conflicts |
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This PR replaces SSH based Auth server authentication with TLS based mutual authentication. This PR is a first in a series of follow ups but is self-sufficient.
Included in the PR:
Not included in the PR