Open
opened on Mar 1, 2022
Description
Creating legacy certificates with tsh login --compat=oldssh results in an error. The certificates are generated and are in ~/.tsh, but the tsh profile is corrupted and any tsh commands will fail with those certificates.
It looks like this regression was introduced in v8.0.0.
Debug Logs
Client logs:
> tsh login -d --user=dev --proxy=proxy.example.com --insecure --compat=oldssh
[CLIENT] DEBU open /home/bjoerger/.tsh/proxy.example.com.yaml: no such file or directory client/api.go:768
[TSH] DEBU Web proxy port was not set. Attempting to detect port number to use. tsh/tsh.go:2141
[TSH] DEBU Resolving default proxy port (insecure: true) tsh/resolve_default_addr.go:121
[TSH] DEBU Trying proxy.example.com:3080... tsh/resolve_default_addr.go:109
[TSH] DEBU Address proxy.example.com:3080 succeeded. Selected as canonical proxy address tsh/resolve_default_addr.go:195
[TSH] DEBU Waiting for all in-flight racers to finish tsh/resolve_default_addr.go:144
[CLIENT] INFO no host login given. defaulting to bjoerger client/api.go:1119
[CLIENT] INFO [KEY AGENT] Connected to the system agent: "/run/user/1000/keyring/ssh" client/api.go:3021
[CLIENT] DEBU attempting to use loopback pool for local proxy addr: proxy.example.com:3080 client/api.go:2985
[CLIENT] DEBU could not open any path in: /var/lib/teleport/webproxy_cert.pem client/api.go:2991
DEBU Attempting GET proxy.example.com:3080/webapi/ping webclient/webclient.go:62
Enter password for Teleport user dev:
[CLIENT] DEBU attempting to use loopback pool for local proxy addr: proxy.example.com:3080 client/api.go:2985
[CLIENT] DEBU could not open any path in: /var/lib/teleport/webproxy_cert.pem client/api.go:2991
[CLIENT] DEBU HTTPS client init(proxyAddr=proxy.example.com:3080, insecure=true) client/weblogin.go:217
WARNING: You are using insecure connection to SSH proxy https://proxy.example.com:3080
[KEYAGENT] DEBU Adding CA key for example.com client/keyagent.go:313
[KEYSTORE] DEBU Adding known host example.com with proxy proxy.example.com and key: SHA256:NeazrTuHlut0A3zir7yD5GcJdTwd1s6dTXRF71PvHko client/keystore.go:551
[KEYSTORE] DEBU Returning Teleport TLS certificate "/home/bjoerger/.tsh/keys/proxy.example.com/dev-x509.pem" valid until "2022-03-01 09:14:12 +0000 UTC". client/keystore.go:285
[KEYAGENT] DEBU Deleting obsolete stored key with index {ProxyHost:proxy.example.com Username:dev ClusterName:example.com}. client/keyagent.go:514
[KEYAGENT] INFO Loading SSH key for user "dev" and cluster "example.com". client/keyagent.go:191
[CLIENT] INFO Connecting proxy=proxy.example.com:3023 login="bjoerger" client/api.go:2214
[KEYSTORE] DEBU Returning Teleport TLS certificate "/home/bjoerger/.tsh/keys/proxy.example.com/dev-x509.pem" valid until "2022-03-02 01:39:37 +0000 UTC". client/keystore.go:285
[KEYAGENT] DEBU "Checking key: ssh-rsa-cert-v01@openssh.com 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\n." client/keyagent.go:365
[KEYAGENT] DEBU Validated host proxy.example.com:3023. client/keyagent.go:371
[CLIENT] INFO Successful auth with proxy proxy.example.com:3023. client/api.go:2221
[KEYSTORE] DEBU Returning Teleport TLS certificate "/home/bjoerger/.tsh/keys/proxy.example.com/dev-x509.pem" valid until "2022-03-02 01:39:37 +0000 UTC". client/keystore.go:285
[CLIENT] DEBU Client is connecting to auth server on cluster "example.com". client/client.go:896
[CLIENT] DEBU Client is connecting to auth server on cluster "example.com". client/client.go:896
ERROR REPORT:
Original Error: *trace.ConnectionProblemError Get "https://teleport.cluster.local/v2/authorities/host?load_keys=false": ssh: rejected: administratively prohibited (no roles found)
Stack Trace:
/home/bjoerger/gravitational/teleport/lib/httplib/httplib.go:133 github.com/gravitational/teleport/lib/httplib.ConvertResponse
/home/bjoerger/gravitational/teleport/lib/auth/clt.go:288 github.com/gravitational/teleport/lib/auth.(*Client).Get
/home/bjoerger/gravitational/teleport/lib/auth/clt.go:469 github.com/gravitational/teleport/lib/auth.(*Client).GetCertAuthorities
/home/bjoerger/gravitational/teleport/lib/client/api.go:2628 github.com/gravitational/teleport/lib/client.(*TeleportClient).GetTrustedCA
/home/bjoerger/gravitational/teleport/lib/client/api.go:2638 github.com/gravitational/teleport/lib/client.(*TeleportClient).UpdateTrustedCA
/home/bjoerger/gravitational/teleport/lib/client/api.go:2516 github.com/gravitational/teleport/lib/client.(*TeleportClient).ActivateKey
/home/bjoerger/gravitational/teleport/tool/tsh/tsh.go:958 main.onLogin
/home/bjoerger/gravitational/teleport/tool/tsh/tsh.go:666 main.Run
/home/bjoerger/gravitational/teleport/tool/tsh/tsh.go:310 main.main
/home/bjoerger/.tools/go/src/runtime/proc.go:255 runtime.main
/home/bjoerger/.tools/go/src/runtime/asm_amd64.s:1581 runtime.goexit
User Message: Get "https://teleport.cluster.local/v2/authorities/host?load_keys=false": ssh: rejected: administratively prohibited (no roles found)
Server logs:
2022-03-01T09:41:04-08:00 DEBU [AUTH] ClientCertPool -> cert(example.com issued by example.com:44217672007276217920659470033703595453) auth/middleware.go:609
2022-03-01T09:41:04-08:00 DEBU [AUTH] ClientCertPool -> cert(example.com issued by example.com:182134474741557667816121129062424986944) auth/middleware.go:609
2022-03-01T09:41:04-08:00 DEBU [AUTH] ClientCertPool -> cert(example.com issued by example.com:44217672007276217920659470033703595453) auth/middleware.go:609
2022-03-01T09:41:04-08:00 DEBU [AUTH] ClientCertPool -> cert(example.com issued by example.com:182134474741557667816121129062424986944) auth/middleware.go:609
2022-03-01T09:41:06-08:00 DEBU [AUTH] ClientCertPool -> cert(example.com issued by example.com:44217672007276217920659470033703595453) auth/middleware.go:609
2022-03-01T09:41:06-08:00 DEBU [AUTH] ClientCertPool -> cert(example.com issued by example.com:182134474741557667816121129062424986944) auth/middleware.go:609
2022-03-01T09:41:06-08:00 INFO [AUDIT] user.login cluster_name:example.com code:T1000I ei:0 event:user.login method:local success:true time:2022-03-01T17:41:06.908Z uid:b8ac5fa7-2e49-4154-a759-e8d56bedc2ee user:dev events/emitter.go:325
2022-03-01T09:41:06-08:00 DEBU [KEYGEN] generated user key for [bjoerger root pam dev] with expiry on (1646185266) 2022-03-02 01:41:06.908732043 +0000 UTC native/native.go:256
2022-03-01T09:41:06-08:00 DEBU [AUTH] Failed setting default kubernetes cluster for user login (user did not provide a cluster); leaving KubernetesCluster extension in the TLS certificate empty auth/auth.go:1086
2022-03-01T09:41:06-08:00 INFO [CA] Generating TLS certificate {0x6d31de0 0xc0013923f0 1.3.9999.1.7=#130b6578616d706c652e636f6d,1.3.9999.1.2=#130e73797374656d3a6d617374657273,CN=dev,O=dev,POSTALCODE=null,STREET=example.com,L=bjoerger+L=root+L=pam+L=dev,ST=system:masters 2022-03-02 01:41:06.910390483 +0000 UTC [] [] 5 []}. common_name:dev dns_names:[] locality:[bjoerger root pam dev] not_after:2022-03-02 01:41:06.910390483 +0000 UTC org:[dev] org_unit:[] tlsca/ca.go:796
2022-03-01T09:41:06-08:00 INFO [AUDIT] cert.create cert_type:user cluster_name:example.com code:TC000I ei:0 event:cert.create identity:map[expires:2022-03-02T01:41:06.910390483Z kubernetes_groups:[system:masters] logins:[bjoerger root pam dev] roles:[dev] route_to_cluster:example.com teleport_cluster:example.com user:dev] time:2022-03-01T17:41:06.912Z uid:15e234a7-49eb-4474-adbd-360d6f4cd5a6 events/emitter.go:325
2022-03-01T09:41:06-08:00 DEBU [PROXY] conn(127.0.0.1:49008->127.0.1.1:3023, user=bjoerger) auth attempt fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:rAQ0km3O1EWesEhKSoh8Wo4aUPIcSx3HRL0wipGI9cg local:127.0.1.1:3023 remote:127.0.0.1:49008 user:bjoerger srv/authhandlers.go:229
2022-03-01T09:41:06-08:00 DEBU [PROXY] conn(127.0.0.1:49008->127.0.1.1:3023, user=bjoerger) auth attempt with key ssh-rsa-cert-v01@openssh.com SHA256:rAQ0km3O1EWesEhKSoh8Wo4aUPIcSx3HRL0wipGI9cg, &ssh.Certificate{Nonce:[]uint8{0xb8, 0xb, 0x39, 0x70, 0xe1, 0x65, 0x3f, 0xd1, 0x57, 0xb9, 0xef, 0x43, 0x16, 0x74, 0x30, 0x9f, 0x61, 0xae, 0x53, 0x5c, 0xb8, 0xcd, 0x93, 0x8d, 0x47, 0x5b, 0xf2, 0xde, 0x51, 0xf8, 0xe4, 0x23}, Key:(*ssh.rsaPublicKey)(0xc000c26000), Serial:0x0, CertType:0x1, KeyId:"dev", ValidPrincipals:[]string{"bjoerger", "root", "pam", "dev"}, ValidAfter:0x621e5a76, ValidBefore:0x621ecb32, Permissions:ssh.Permissions{CriticalOptions:map[string]string{}, Extensions:map[string]string{"permit-X11-forwarding":"", "permit-agent-forwarding":"", "permit-port-forwarding":"", "permit-pty":""}}, Reserved:[]uint8{}, SignatureKey:(*ssh.rsaPublicKey)(0xc000c26040), Signature:(*ssh.Signature)(0xc000d58780)} fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:rAQ0km3O1EWesEhKSoh8Wo4aUPIcSx3HRL0wipGI9cg local:127.0.1.1:3023 remote:127.0.0.1:49008 user:bjoerger srv/authhandlers.go:232
2022-03-01T09:41:06-08:00 DEBU [PROXY] Successfully authenticated fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:rAQ0km3O1EWesEhKSoh8Wo4aUPIcSx3HRL0wipGI9cg local:127.0.1.1:3023 remote:127.0.0.1:49008 user:bjoerger srv/authhandlers.go:292
2022-03-01T09:41:06-08:00 DEBU [SSH:PROXY] Incoming connection 127.0.0.1:49008 -> 127.0.1.1:3023 version: SSH-2.0-Go, certtype: "user" sshutils/server.go:466
2022-03-01T09:41:06-08:00 WARN [SSH:PROXY] Dropping inbound ssh connection due to error: no roles found sshutils/server.go:493
Server Details
- Teleport version (run teleport version): master - 10.0.0-dev - 05c36d8
- Server OS (e.g. from /etc/os-release): Ubuntu 20.04
- Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware): Local
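The proxy log above shows the legacy certificate's Extensions map holding only the permit-* flags before the connection is dropped with "no roles found". As an added example (not code from this issue or from Teleport), the script below parses the OpenSSH certificate wire format so a generated certificate can be inspected offline for the extension Teleport uses to carry roles. The extension name teleport-roles is taken from Teleport's source rather than from this page, and the sample certificate, its dummy key and signature fields and the roles value "dev" are all constructed here.

```python
import struct
# Reader/writer for the OpenSSH certificate wire format (ssh-rsa-cert-v01@openssh.com),
# just enough to list which extensions a user certificate carries.
ROLES_EXT = "teleport-roles"  # Teleport's roles extension name (from Teleport, not this page)

def _s(b):  # SSH "string": big-endian uint32 length followed by the bytes
    return struct.pack(">I", len(b)) + b

class _R:  # cursor over a certificate blob
    def __init__(self, b): self.b, self.p = b, 0
    def u(self, fmt):  # ">I" for uint32, ">Q" for uint64
        (v,) = struct.unpack_from(fmt, self.b, self.p)
        self.p += struct.calcsize(fmt)
        return v
    def s(self):
        n = self.u(">I")
        v, self.p = self.b[self.p:self.p + n], self.p + n
        return v
    def rest(self):  # remaining bytes as a sequence of strings
        out = []
        while self.p < len(self.b):
            out.append(self.s())
        return out

def _options(blob):
    # "string name, string data" pairs; data is empty for flag-style extensions such as permit-pty,
    # otherwise it wraps the value in a nested string.
    items = _R(blob).rest()
    return {n.decode(): (_R(d).s().decode() if d else "") for n, d in zip(items[::2], items[1::2])}

def parse_cert(blob):
    r = _R(blob)
    if r.s() != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("not an ssh-rsa-cert-v01@openssh.com certificate")
    r.s(), r.s(), r.s(), r.u(">Q")  # nonce, RSA e, RSA n, serial: not needed here
    return {"type": r.u(">I"), "key_id": r.s().decode(),  # type 1 = user, 2 = host
            "principals": [p.decode() for p in _R(r.s()).rest()],
            "valid_after": r.u(">Q"), "valid_before": r.u(">Q"),
            "critical_options": _options(r.s()), "extensions": _options(r.s())}

def has_roles(cert):
    return ROLES_EXT in cert["extensions"]

def build_cert(key_id, principals, extensions):
    # Constructed, unsigned sample cert with dummy key and signature fields.
    opts = b"".join(_s(k.encode()) + _s(_s(v.encode()) if v else b"") for k, v in extensions.items())
    return (_s(b"ssh-rsa-cert-v01@openssh.com") + _s(b"\0" * 32) + _s(b"\x01\x00\x01") + _s(b"\0" * 64)
            + struct.pack(">QI", 0, 1) + _s(key_id.encode()) + _s(b"".join(_s(p.encode()) for p in principals))
            + struct.pack(">QQ", 0x621E5A76, 0x621ECB32) + _s(b"") + _s(opts)
            + _s(b"") + _s(b"dummy-signature-key") + _s(b"dummy-signature"))

# Constructed sample carrying only the permit-* flags seen in the proxy log above.
LEGACY_CERT = build_cert("dev", ["bjoerger", "root", "pam", "dev"], dict.fromkeys(
    ["permit-X11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-pty"], ""))
```

To inspect a real certificate, base64-decode the second whitespace-separated field of its OpenSSH -cert.pub file and pass the bytes to parse_cert.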