tsh should work with agent-forwarded credentials #33303

Open

Description

What would you like Teleport to do?

tsh should be able to utilize SSH credentials fetched from an SSH-agent, without having a full-blown ~/.tsh/ profile available.

tsh ssh and tsh proxy ssh should both have this ability.

What problem does this solve?

It is currently possible to get tsh credentials into an ssh-agent without a local ~/.tsh profile active:

  • tsh --add-keys-to-agent only login ... - this adds the SSH credential to the local agent, and does not write credentials to ~/.tsh
  • tsh ssh -A user@host - forwarding a local agent to a remote host. The remote host does not have a ~/.tsh

If a user wants to use these credentials to access another Teleport resource, this is quite difficult.

The current user experience is:

% tsh ssh -A user@host
user@host ~ $ ssh-add -l
2048 SHA256:D5fl0Ge38ygFZPgxpkFASn9bzsFHQuQeTtPiCD8njWU teleport:t.programmerq.net:t.programmerq.net:user (RSA-CERT)
2048 SHA256:D5fl0Ge38ygFZPgxpkFASn9bzsFHQuQeTtPiCD8njWU teleport:t.programmerq.net:t.programmerq.net:user (RSA)
user@host ~ $ tsh ssh user@host2
ERROR: No proxy address specified, missed --proxy flag?
user@host ~ $ tsh ssh --proxy teleport.example.com user@host2
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:60031/4e9eb020-3873-435b-8668-0e34b93831fc

It is also quite difficult to use the credential with ssh when a TLS multiplexing proxy is in the mix because tsh proxy ssh also needs a ~/.tsh profile.

While --headless is more secure, there are still valid use cases for when folks do want to use ssh-agent forwarding.

If a workaround exists, please include it.

  • tsh --headless mode may work for some things, but isn't a complete solution:
    • does not work for tsh proxy ssh, which means that rsync, ansible, or anything else that would rely on it for ProxyCommand won't work.
    • The requirement for a webauthn device cannot be met by some organizations.
  • DIY script/command to reimplement tsh proxy ssh functionality using only agent credentials.
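The first step any such DIY wrapper (or tsh itself) needs is to recognise Teleport certificates in the agent listing quoted above and recover the proxy address that tsh currently demands via --proxy. The POSIX shell functions below are an added illustration, not code from the Teleport project; they assume the key comment has the layout teleport:<proxy>:<cluster>:<login> (the listing shows proxy and cluster as the same host, so that field order is an assumption).

```shell
#!/bin/sh
# Read `ssh-add -l` output on stdin and report Teleport-issued certificates
# held by the agent, one per line: <fingerprint> <proxy> <cluster> <login>.
# Only entries whose key type ends in -CERT) count; the plain public key that
# sits beside each certificate is ignored.
teleport_agent_certs() {
    awk '
        $NF ~ /-CERT[)]$/ && $3 ~ /^teleport:/ {
            # Assumed comment layout: teleport:<proxy>:<cluster>:<login>
            n = split($3, f, ":")
            if (n == 4) {
                print $2, f[2], f[3], f[4]
            }
        }
    '
}

# Print the proxy host of the first Teleport certificate found on stdin.
# Prints nothing and returns 1 when the agent holds no Teleport certificate,
# which is exactly the case where tsh today stops with
# "No proxy address specified, missed --proxy flag?".
teleport_proxy_from_agent() {
    _proxy=$(teleport_agent_certs | awk 'NR == 1 { print $2; exit }')
    [ -n "$_proxy" ] || return 1
    printf '%s\n' "$_proxy"
}

# Constructed sample in the shape of the agent listing above: the two
# Teleport entries from the issue plus one unrelated key for contrast.
SAMPLE_AGENT_LIST='2048 SHA256:D5fl0Ge38ygFZPgxpkFASn9bzsFHQuQeTtPiCD8njWU teleport:t.programmerq.net:t.programmerq.net:user (RSA-CERT)
2048 SHA256:D5fl0Ge38ygFZPgxpkFASn9bzsFHQuQeTtPiCD8njWU teleport:t.programmerq.net:t.programmerq.net:user (RSA)
256 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA alice@laptop (ED25519)'
```

Against a live agent, run `ssh-add -l | teleport_proxy_from_agent` on the forwarded host; the result is the value a wrapper would pass as --proxy.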
Metadata

Assignees

No one assigned

    Labels

      • feature-request - Used for new features in Teleport, improvements to current should be #enhancements
      • server-access
      • ssh
      • tsh - Teleport's command line tool for logging into nodes running Teleport.
