Forwarding Server #1482
Merged
Forwarding Server #1482
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
russjones
commented
Nov 29, 2017
lib/events/api.go
Outdated
| @@ -86,6 +86,11 @@ const ( | |||
| ExecEventCode = "exitCode" | |||
| ExecEventError = "exitError" | |||
|
|
|||
| // SubsystemEvent is the result of the execution of a subsystem. | |||
| SubsystemEvent = "subsystem" | |||
| SubsystemName = "subsystem.name" | |||
|
|
||
| return nil | ||
| } | ||
|
|
There was a problem hiding this comment.
Debug log here saying that we are bypassing security checks.
There was a problem hiding this comment.
How does this work when you can add a user CA, but not a host CA to a host?
lib/srv/authhandlers.go
Outdated
| if err != nil { | ||
| return trace.Wrap(err) | ||
| } | ||
|
|
||
| // if it's a forwarding node checking permissions, then we don't do any RBAC |
There was a problem hiding this comment.
- Instead create
checkPermissionToLoginRBACas well. - Or remove it because the below RBAC check is against the proxy itself.
lib/srv/ctx.go
Outdated
| func (c *ServerContext) ProxyPublicAddress() string { | ||
| proxyHost := "<proxyhost>:3080" | ||
|
|
||
| if c.srv != nil { |
lib/srv/ctx.go
Outdated
| @@ -325,7 +363,8 @@ func closeAll(closers ...io.Closer) error { | |||
| if cl == nil { | |||
| continue | |||
| } | |||
| if e := cl.Close(); e != nil { | |||
|
|
|||
| if e := cl.Close(); err != nil { | |||
There was a problem hiding this comment.
Revert and use trace.Aggregate.
lib/srv/forward/subsystem.go
Outdated
| serverContext: serverContext, | ||
| subsytemName: subsytemName, | ||
| ctx: ctx, | ||
| errorCh: make(chan error), |
There was a problem hiding this comment.
Should have size 3.
lib/srv/regular/sshserver.go
Outdated
| // recording proxy mode. | ||
| err := s.handleAgentForwardProxy(req, ctx) | ||
| if err != nil { | ||
| log.Info(err) |
lib/srv/regular/sshserver.go
Outdated
| } | ||
| err = s.reg.NotifyWinChange(*params, ctx) | ||
|
|
||
| // check if the users rbac role allows agent forwarding |
There was a problem hiding this comment.
check if the user's RBAC role allows agent forwarding
lib/srv/term.go
Outdated
| if t.termType == "" { | ||
| t.termType = defaultTerm | ||
| } | ||
| if err := t.session.RequestPty(t.termType, t.params.W, t.params.H, ssh.TerminalModes{}); err != nil { |
There was a problem hiding this comment.
See if we get ssh.TerminalModes in the request.
lib/srv/term.go
Outdated
| Wpx: uint32(w * 8), | ||
| Hpx: uint32(h * 8), | ||
| } | ||
| _, err := t.session.SendRequest("window-change", false, ssh.Marshal(&req)) |
klizhentas
reviewed
Nov 30, 2017
lib/srv/forward/sshserver.go
Outdated
| } | ||
|
|
||
| // if we miss 3 in a row the connections dead, call cancel and cleanup | ||
| missed = missed + 1 |
russjones
force-pushed
the
rjones/fwd-srv
branch
from
d8f0ab4
to
5f45532
Compare
|
@r0mant Can you take a look at |
russjones
commented
Dec 2, 2017
lib/srv/authhandlers.go
Outdated
| // client) to see if this certificate can be allowed to login as user:login | ||
| // pair to requested server. | ||
| func (h *AuthHandlers) checkPermissionToLogin(cert *ssh.Certificate, clusterName string, teleportUser, osUser string) error { | ||
| h.Debugf("CheckPermsissionToLogin(%v, %v)", teleportUser, osUser) | ||
| func (h *AuthHandlers) canLoginOpenSSH(cert *ssh.Certificate, clusterName string, teleportUser, osUser string) error { |
There was a problem hiding this comment.
canLoginWithoutRBAC
lib/srv/authhandlers.go
Outdated
| // canLoginTeleport checks the given certificate (supplied by a connected | ||
| // client) to see if this certificate can be allowed to login as user:login | ||
| // pair to requested server and if RBAC rules allow login. | ||
| func (h *AuthHandlers) canLoginTeleport(cert *ssh.Certificate, clusterName string, teleportUser, osUser string) error { |
lib/srv/forward/sshserver.go
Outdated
| } | ||
| ctx.Debugf("Opening direct-tcpip channel from %v to %v", srcAddr, dstAddr) | ||
|
|
||
| conn, err := s.remoteClient.DialTCP("tcp", srcAddr, dstAddr) |
lib/srv/forward/sshserver.go
Outdated
| // client. A manual timeout is needed here because SendRequest will wait for a | ||
| // response forever. | ||
| func (s *Server) sendKeepAliveWithTimeout(timeout time.Duration) bool { | ||
| errorCh := make(chan error) |
There was a problem hiding this comment.
errorCh := make(chan error, 1)
lib/auth/init.go
Outdated
| // AuditLog is used for emitting events to audit log | ||
| AuditLog events.IAuditLog | ||
|
|
||
| // SessionRecording determines where the session is recorded: node, proxy, or off. | ||
| SessionRecording string |
There was a problem hiding this comment.
Move to lib/config/configuration.go
russjones
commented
Dec 2, 2017
lib/services/clusterconfig.go
Outdated
| const ( | ||
| // HostKeyCheckOn is the default. The proxy will check the host key of the | ||
| // target node it connects to. | ||
| HostKeyCheckOn HostKeyCheckType = "on" |
lib/services/clusterconfig.go
Outdated
| RecordAtProxy RecordingType = "proxy" | ||
|
|
||
| // RecordOff is used to disable session recording completely. | ||
| RecordOff RecordingType = "off" | ||
| ) | ||
|
|
||
| // HostKeyCheckType holds how the recording proxy will check host keys. | ||
| type HostKeyCheckType string |
lib/services/clusterconfig.go
Outdated
| @@ -218,6 +264,9 @@ const ClusterConfigSpecSchemaTemplate = `{ | |||
| "session_recording": { | |||
| "type": "string" | |||
| }, | |||
| "proxy_checks_host_keys": { | |||
| "type": "string" | |||
| }, | |||
lib/srv/authhandlers.go
Outdated
| // CheckPortForward checks if the certificate was signed by a valid certificate | ||
| // authority, fetches the appropriate roles, and checks if port forwarding is | ||
| // allowed. | ||
| func (h *AuthHandlers) CheckPortForward(ctx *ServerContext) error { |
There was a problem hiding this comment.
Get CA set and RoleSet and pass identity earlier.
lib/srv/authhandlers.go
Outdated
| // a valid public key | ||
| // if we are strictly checking host keys then reject this request right away | ||
| if clusterConfig.GetProxyChecksHostKeys() == services.HostKeyCheckOn { | ||
| return trace.AccessDenied("certificate not presented") |
There was a problem hiding this comment.
proxy expects certificate signed by certificate authority, got public key
lib/srv/authhandlers.go
Outdated
|
|
||
| // if we are not stricting rejecting host keys, we need to log that we | ||
| // trusted a insecure key and then return nil | ||
| log.Infof("Strict host key checking disabled, allowing login without checking host key.") |
There was a problem hiding this comment.
Insecure warning prefix.
lib/srv/forward/sshserver.go
Outdated
| // check if the role allows port forwarding for this user | ||
| err := s.authHandlers.CheckPortForward(ctx) | ||
| if err != nil { | ||
| s.log.Infof(err.Error()) |
lib/srv/regular/sshserver.go
Outdated
| // check if the role allows port forwarding for this user | ||
| err := s.authHandlers.CheckPortForward(ctx) | ||
| if err != nil { | ||
| log.Info(err.Error()) |
russjones
commented
Dec 5, 2017
lib/srv/authhandlers.go
Outdated
| events.LocalAddr: ctx.Conn.LocalAddr().String(), | ||
| events.RemoteAddr: ctx.Conn.RemoteAddr().String(), | ||
| }) | ||
| h.Warnf("Port forwarding request denied: %v", systemErrorMessage) |
russjones
force-pushed
the
rjones/fwd-srv
branch
from
99240ee
to
f0db0a0
Compare
russjones
force-pushed
the
rjones/fwd-srv
branch
from
f0db0a0
to
7018852
Compare
klizhentas
approved these changes
Dec 5, 2017
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Purpose
To support recording sessions with OpenSSH nodes Teleport needs to create a in-memory SSH server in the proxy that forwards connections to a remote host. This PR creates this server but does not use it yet.
Implementation
lib/srv/authhandlers.go.lib/srv/forward/sshserver.go.Related Issues
Fixes #1481
Fixes #1486
Fixes #1487