tsh ssh --port directive is ignored when Teleport is also running on the same host #12485

Open

Description

Expected behavior:

If you have sshd configured properly as per https://goteleport.com/docs/server-access/guides/openssh/#configure-an-openssh-server-to-join-a-teleport-cluster with this config in /etc/ssh/sshd_config:

# present teleport-signed host key/certificate
HostKey /etc/ssh/teleport.key
HostCertificate /etc/ssh/teleport.key-cert.pub

# trust teleport-issued user certificates
TrustedUserCAKeys /etc/ssh/teleport_user_ca.pub

Where the principals on the host certificate were generated with this command: sudo tctl auth sign --format=openssh --host=ip-172-31-34-128,ip-172-31-34-128.gus.teleportdemo.com,ip-172-31-34-128.us-east-2.compute.internal,172.31.34.128,ec2-3-144-140-8.us-east-2.compute.amazonaws.com,3.144.140.8 --out teleport.key

It's expected that you can run a command like tsh --debug ssh -p 22 ec2-user@ip-172-31-34-128.us-east-2.compute.internal and have tsh connect to sshd (port 22) on that hostname via the Teleport proxy.

Current behavior:

This does not work if a Teleport agent process is also running on the host:

~ » tsh ls 
Node Name                                   Address        Labels
------------------------------------------- -------------- -------------------------------------------------------------------------------------------------------
ip-172-31-34-128.us-east-2.compute.internal ⟵ Tunnel       enhanced_recording=true,env=aws,mfa_required=true

Running this command will just result in you being connected to the host over its reverse tunnel rather than on port 22.

Logs:

~ » tsh --debug ssh -p 22 ec2-user@ip-172-31-34-128.us-east-2.compute.internal
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.l3NvTFCxd4/Listeners" client/api.go:3113
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [KEYSTORE]  Reading certificates from path "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-ssh/purple-cert.pub". client/keystore.go:330
INFO [KEYAGENT]  Loading SSH key for user "gus@goteleport.com" and cluster "purple". client/keyagent.go:191
INFO [CLIENT]    Connecting to proxy=gus.teleportdemo.com:3023 login="ubuntu" client/api.go:2322
DEBU             No valid environment variables found. client/proxy.go:116
DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:268
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com 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\n." client/keyagent.go:365
DEBU [KEYAGENT]  Validated host gus.teleportdemo.com:3023. client/keyagent.go:371
INFO [CLIENT]    Successful auth with proxy gus.teleportdemo.com:3023. client/api.go:2327
DEBU [CLIENT]    Found clusters: [{"name":"purple","lastconnected":"2022-05-06T14:01:18.920104215Z","status":"online"},{"name":"orange.teleportdemo.com","lastconnected":"2022-05-06T13:57:27.523758979Z","status":"online"}] client/client.go:127
INFO [CLIENT]    Client= connecting to node=ip-172-31-34-128.us-east-2.compute.internal on cluster purple client/client.go:1074
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [KEYSTORE]  Reading certificates from path "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-ssh/purple-cert.pub". client/keystore.go:330
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [CLIENT]    Client  is connecting to auth server on cluster "purple". client/client.go:969
DEBU [CLIENT]    MFA not required for access. client/client.go:377
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg3fUF2zCGZciiCHShNNSbDb/+vDWK/4VEGdBIORRvuPkAAAADAQABAAABAQDK6ulvGrEph8qG2Ub24YiFyc1oZXujiMr15rG0/yy59hgUb2TgwKAIV3ZrgUNnDOtcc113MO2XK4pg4iyz21YihyT8s9xsODy7Tj9YX6glLjvPQ1GB3G5vpLDILWAg4jLUKb8C+8ppvKEo+aKnpoA6dO5KKxznnm82uz2X2yo0zuQt12lZlbyxk0VTdffNZAQfccz3opDVAx3+Krv421OOCnwkmjd6sosVqpPJUJsmwTxwuEm43AtrI9F1pR6gDHniXak1bh5FKHoVjv9RNH42vnf2JBP9GOyF/pr6R39BrqIWfBR9as4QnCKFne1BO/1fVhRqUpdGnXayOrz7tKVFAAAAAAAAAAAAAAACAAAAAAAAAN0AAAArNjUzYWMyZTktNTllOC00NDJjLTg5MjYtNmM4MzQwMjljNmZiLnB1cnBsZQAAACQ2NTNhYzJlOS01OWU4LTQ0MmMtODkyNi02YzgzNDAyOWM2ZmIAAAAyaXAtMTcyLTMxLTM0LTEyOC51cy1lYXN0LTIuY29tcHV0ZS5pbnRlcm5hbC5wdXJwbGUAAAAraXAtMTcyLTMxLTM0LTEyOC51cy1lYXN0LTIuY29tcHV0ZS5pbnRlcm5hbAAAAAlsb2NhbGhvc3QAAAAJMTI3LjAuMC4xAAAAAzo6MQAAAABiRvse//////////8AAAAAAAAARQAAABR4LXRlbGVwb3J0LWF1dGhvcml0eQAAAAoAAAAGcHVycGxlAAAAD3gtdGVsZXBvcnQtcm9sZQAAAAgAAAAETm9kZQAAAAAAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDe4Lc8HWcEbIvk8enrZIbo0Lv70uE8rRZskM1S/2YHkzIcNveUACquSDMSBQp5wgLiTvtLvoi80TbRaGGJVLNttuaFfELP7KsOM8JCazGsKYywnfEINDEuylsQZIRdxpXmGGuh4BtFw8JmbEGcgUXX8jfUITPeyWKScetp7BFGZ5OAiCvoc/iO2+PwXjNcFo/hXO3HY6eRWxuHvgu+4HOmalEVaocnug1aRZww8sVSJP4A76aTuwf+NrYMGviP8FKRxw7eOobWmBE/uiRxI2+2AWUFrkm6B4M5CmI+IHAumXQEFz1zHxdRZQ8f/m+jCcLggcQVXCDiVarugqg6aDTnAAABFAAAAAxyc2Etc2hhMi01MTIAAAEAtP9VTQv23/ILlhoi6iOD8wJLi3Q6Ab+P4/KQyVE2ABkctv+vFyzfEjSuaW/JpqF/wQ7fO29NmZVycj2zDhlmwOpBclNYy3Nkwk9MjInqVg7+rxeWdAHOQHLSKjsTyhrzl+c+kSTrDd8a0u9JgqaOfNchDjYQYGJv7q3R4WYiaa3OppSNG56OnxCIBS1j8SWu877WE6l2PJF7S6hWjph5kIjPiKXyAjGGfCj6Zj7blij57ycd2H67AGH9iBbO6QWGtLWRtYxtRR9C1dyWVRrT5Jf4fWDFcDQH48qBcqHKt/d43Y02KWA8XG4wwSQ4B1mFuG8WLzzLl6DMuuri0QYHww==\n." client/keyagent.go:365
DEBU [KEYAGENT]  Validated host ip-172-31-34-128.us-east-2.compute.internal:22@default@purple. client/keyagent.go:371
DEBU [CLIENT]    Found clusters: [{"name":"purple","lastconnected":"2022-05-06T14:01:19.650551459Z","status":"online"},{"name":"orange.teleportdemo.com","lastconnected":"2022-05-06T13:57:27.523758979Z","status":"online"}] client/client.go:127
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [CLIENT]    Client  is connecting to auth server on cluster "purple". client/client.go:969
DEBU [CLIENT]    No Key Agent selected. client/session.go:269
[ec2-user@ip-172-31-34-128 ~]$

Note that there is no established incoming connection on port 22:

[ec2-user@ip-172-31-34-128 ~]$ sudo ss -tuna | grep 22
tcp   LISTEN 0      128                            0.0.0.0:22            0.0.0.0:*
tcp   LISTEN 0      128                               [::]:22               [::]:*

Also, if I stop the Teleport process on the host, I get disconnected:

[ec2-user@ip-172-31-34-128 ~]$
ERROR REPORT:
Original Error: *ssh.ExitError Process exited with status 255
Stack Trace:
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/lib/client/api.go:2141 github.com/gravitational/teleport/lib/client.(*TeleportClient).runShell
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/lib/client/api.go:1487 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSH
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:1690 main.onSSH.func1
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/lib/client/api.go:534 github.com/gravitational/teleport/lib/client.RetryWithRelogin
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:1689 main.onSSH
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:688 main.Run
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:333 main.main
	/var/folders/ys/8czjjsys38x504kj8172pd_m0000gp/T/drone-RtVwzdatKftmXqht/home/drone/build-11191-1648774907-toolchains/go/src/runtime/proc.go:255 runtime.main
	/var/folders/ys/8czjjsys38x504kj8172pd_m0000gp/T/drone-RtVwzdatKftmXqht/home/drone/build-11191-1648774907-toolchains/go/src/runtime/asm_amd64.s:1581 runtime.goexit
User Message: Process exited with status 255

If you stop Teleport on the host and wait the 10-15 minutes for it to time out so it no longer appears in tsh ls, port 22 is then correctly used:

~ » tsh --debug ssh -p 22 ec2-user@ip-172-31-34-128.us-east-2.compute.internal
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.l3NvTFCxd4/Listeners" client/api.go:3113
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [KEYSTORE]  Reading certificates from path "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-ssh/purple-cert.pub". client/keystore.go:330
INFO [KEYAGENT]  Loading SSH key for user "gus@goteleport.com" and cluster "purple". client/keyagent.go:191
INFO [CLIENT]    Connecting to proxy=gus.teleportdemo.com:3023 login="ubuntu" client/api.go:2322
DEBU             No valid environment variables found. client/proxy.go:116
DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:268
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com 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\n." client/keyagent.go:365
DEBU [KEYAGENT]  Validated host gus.teleportdemo.com:3023. client/keyagent.go:371
INFO [CLIENT]    Successful auth with proxy gus.teleportdemo.com:3023. client/api.go:2327
DEBU [CLIENT]    Found clusters: [{"name":"purple","lastconnected":"2022-05-06T13:59:32.644559273Z","status":"online"},{"name":"orange.teleportdemo.com","lastconnected":"2022-05-06T13:57:27.523758979Z","status":"online"}] client/client.go:127
INFO [CLIENT]    Client= connecting to node=ip-172-31-34-128.us-east-2.compute.internal on cluster purple client/client.go:1074
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [KEYSTORE]  Reading certificates from path "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-ssh/purple-cert.pub". client/keystore.go:330
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [CLIENT]    Client  is connecting to auth server on cluster "purple". client/client.go:969
DEBU [CLIENT]    MFA not required for access. client/client.go:377
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com 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\n." client/keyagent.go:365
DEBU [KEYAGENT]  Validated host ip-172-31-34-128.us-east-2.compute.internal:22@default@purple. client/keyagent.go:371
DEBU [CLIENT]    Found clusters: [{"name":"purple","lastconnected":"2022-05-06T13:59:33.399415372Z","status":"online"},{"name":"orange.teleportdemo.com","lastconnected":"2022-05-06T13:57:27.523758979Z","status":"online"}] client/client.go:127
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/gus/.tsh/keys/gus.teleportdemo.com/gus@goteleport.com-x509.pem" valid until "2022-05-06 17:45:59 +0000 UTC". client/keystore.go:307
DEBU [CLIENT]    Client  is connecting to auth server on cluster "purple". client/client.go:969
WARN [CLIENT]    ssh: setenv failed client/session.go:234
WARN [CLIENT]    ssh: setenv failed client/session.go:234
WARN [CLIENT]    ssh: setenv failed client/session.go:234
WARN [CLIENT]    ssh: setenv failed client/session.go:234
WARN [CLIENT]    ssh: setenv failed client/session.go:234
DEBU [CLIENT]    No Key Agent selected. client/session.go:269
Last login: Fri May  6 13:57:16 2022 from ip-172-31-30-140.us-east-2.compute.internal

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
34 package(s) needed for security, out of 60 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-34-128 ~]$

See established incoming connection from Teleport proxy as expected:

[ec2-user@ip-172-31-34-128 ~]$ sudo ss -tuna | grep 22
tcp   LISTEN 0      128                            0.0.0.0:22            0.0.0.0:*
tcp   ESTAB  0      0                        172.31.34.128:22      172.31.30.140:49330
tcp   LISTEN 0      128                               [::]:22               [::]:*

I think this is a regression as I'm fairly sure this used to work.

It's also worth noting that you can still use port 22 correctly if you connect to any other hostname that gets you to the same place (so tsh --debug ssh --port 22 ip-172-31-34-128 will work fine, for example). This just seems to be a bug where when Teleport looks up the hostname internally and finds there's a matching Teleport host with a reverse tunnel connected, it stops paying attention to the --port directive.

This whole scenario presents a problem for customers who use the registered FQDN of their server to connect with both Teleport and OpenSSH.

Bug details:

  • Teleport version:
    Auth/proxy: Teleport Enterprise v9.1.2 git:teleport-connect-preview-1.0.0-1-g9df5ec37f go1.17.9
    Node: Teleport v9.0.3 git:v9.0.3-0-g1cf2b3e17 go1.17.7
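As an added diagnostic (this is not code from the issue or from Teleport), the following shell script automates the two checks the report does by hand: it confirms that the hostname handed to tsh ssh is one of the principals passed to tctl auth sign --host= (sshd host verification needs an exact match), and it classifies ss -tuna output to tell whether sshd actually received the session (an ESTAB socket on local port 22) or the session went over the reverse tunnel. The principal list and the two ss snapshots are constructed inline from the values in the report; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the issue or of Teleport.

# host_is_principal PRINCIPALS HOST
#   PRINCIPALS is the comma-separated list given to `tctl auth sign --host=`.
#   Returns 0 when HOST is exactly one of those principals, 1 otherwise.
host_is_principal() {
  principals="$1"; host="$2"
  old_ifs="$IFS"; IFS=','
  for p in $principals; do
    if [ "$p" = "$host" ]; then IFS="$old_ifs"; return 0; fi
  done
  IFS="$old_ifs"
  return 1
}

# classify_ss < ss-output
#   Reads `ss -tuna` output and prints "sshd" if an established TCP socket
#   with local port 22 exists, otherwise "tunnel-or-none" (the session either
#   went over the Teleport reverse tunnel or there is no session at all).
classify_ss() {
  awk '
    $1 == "tcp" && $2 == "ESTAB" {
      n = split($5, a, ":")          # field 5 is the local address; port is last
      if (a[n] == "22") { found = 1 }
    }
    END { print (found ? "sshd" : "tunnel-or-none") }
  '
}

# check_target PRINCIPALS HOST SS_OUTPUT
#   Warns if HOST is not a certificate principal, then prints which path
#   the session took according to SS_OUTPUT.
check_target() {
  if ! host_is_principal "$1" "$2"; then
    echo "WARN: $2 is not a principal on the host certificate; sshd host verification will fail" >&2
  fi
  printf '%s\n' "$3" | classify_ss
}

# Constructed sample: principals as in the report's tctl command (subset).
PRINCIPALS='ip-172-31-34-128,ip-172-31-34-128.us-east-2.compute.internal,172.31.34.128'

# Constructed sample: ss output while the session ran over the reverse tunnel.
SS_TUNNEL='tcp   LISTEN 0      128                            0.0.0.0:22            0.0.0.0:*
tcp   LISTEN 0      128                               [::]:22               [::]:*'

# Constructed sample: ss output after the proxy dialed sshd on port 22.
SS_SSHD='tcp   LISTEN 0      128                            0.0.0.0:22            0.0.0.0:*
tcp   ESTAB  0      0                        172.31.34.128:22      172.31.30.140:49330
tcp   LISTEN 0      128                               [::]:22               [::]:*'

# Usage: prints "sshd" for the second snapshot.
check_target "$PRINCIPALS" "ip-172-31-34-128.us-east-2.compute.internal" "$SS_SSHD"
```

On a live host, replace the embedded snapshot with `sudo ss -tuna` run from the session itself; if the result is "tunnel-or-none" while tsh was invoked with --port 22, the port directive was not honoured, which is exactly the symptom the report describes.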
Labels: OpenSSH (For customers using Teleport and OpenSSH), bug, regression