Closed
opened on May 14, 2024
Expected behavior:
Trying to log in from a remote server without a desktop, up until now the following command has been working:
$ tsh login --proxy=company.teleport.sh --user=user@company.com --bind-addr=192.168.1.10:3000 --browser none
The tsh process opened the validation website on the defined bind address and, from a remote desktop, it was possible to open that URL to proceed with the validation (not the default 127.0.0.1).
Current behavior:
But today, that command fails with an error:
WARNING: Ignoring Teleport user (user@company.com) for Single Sign-On (SSO) login.
Provide the user name during the SSO flow instead. Use --auth=local if you did not intend to login with SSO.
ERROR: Failed to login due to a disallowed callback URL. Please check Teleport's log for more details.
It doesn't listen on the defined address any more.
Bug details:
- Teleport version: Teleport v15.3.4 git:v15.3.4-0-g0436ce5 go1.21.9
- Recreation steps: Trying to execute login as described above.
- Debug logs:
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE] Reading certificates from path "/home/user/.tsh/keys/company.teleport.sh/user@company.com-ssh/company.teleport.sh-cert.pub". client/keystore.go:357
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2023-10-06 02:43:25 +0000 UTC". client/client_store.go:111
2024-05-14T13:57:14+02:00 INFO [CLIENT] ALPN connection upgrade required for "company.teleport.sh:443": false. client/api.go:787
2024-05-14T13:57:14+02:00 INFO [CLIENT] no host login given. defaulting to user client/api.go:1125
2024-05-14T13:57:14+02:00 WARN [CLIENT] [KEY AGENT] Unable to connect to SSH agent on socket "": dial unix: missing address client/api.go:4838
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE] Reading certificates from path "/home/user/.tsh/keys/company.teleport.sh/user@company.com-ssh/company.teleport.sh-cert.pub". client/keystore.go:357
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2023-10-06 02:43:25 +0000 UTC". client/client_store.go:111
2024-05-14T13:57:14+02:00 INFO [KEYAGENT] Loading SSH key for user "user@company.com" and cluster "company.teleport.sh". client/keyagent.go:198
2024-05-14T13:57:14+02:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: company.teleport.sh:443 client/api.go:4797
2024-05-14T13:57:14+02:00 DEBU Attempting GET company.teleport.sh:443/webapi/ping webclient/webclient.go:129
2024-05-14T13:57:15+02:00 DEBU ALPN connection upgrade required for "company.teleport.sh:443": false. client/alpn_conn_upgrade.go:95
WARNING: Ignoring Teleport user (user@company.com) for Single Sign-On (SSO) login.
Provide the user name during the SSO flow instead. Use --auth=local if you did not intend to login with SSO.
2024-05-14T13:57:15+02:00 DEBU [CLIENT] Attempting to login with a new RSA private key. client/api.go:4104
2024-05-14T13:57:15+02:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: company.teleport.sh:443 client/api.go:4797
2024-05-14T13:57:15+02:00 DEBU [CLIENT] HTTPS client init(proxyAddr=company.teleport.sh:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-05-14T13:57:15+02:00 DEBU [CLIENT] Binding to 192.168.1.10:3000. client/redirect.go:175
2024-05-14T13:57:15+02:00 INFO [CLIENT] Waiting for response at: http://192.168.1.10:3000. client/redirect.go:194
ERROR REPORT:
Original Error: *trace.AccessDeniedError Failed to login due to a disallowed callback URL. Please check Teleport's log for more details.
Stack Trace:
Caught:
github.com/gravitational/teleport/lib/httplib/httplib.go:216 github.com/gravitational/teleport/lib/httplib.ConvertResponse
github.com/gravitational/teleport/lib/client/https_client.go:124 github.com/gravitational/teleport/lib/client.(*WebClient).PostJSON
github.com/gravitational/teleport/lib/client/redirect.go:229 github.com/gravitational/teleport/lib/client.(*Redirector).issueSSOLoginConsoleRequest
github.com/gravitational/teleport/lib/client/redirect.go:214 github.com/gravitational/teleport/lib/client.(*Redirector).Start
github.com/gravitational/teleport/lib/client/weblogin.go:413 github.com/gravitational/teleport/lib/client.SSHAgentSSOLogin
github.com/gravitational/teleport/lib/client/api.go:4325 github.com/gravitational/teleport/lib/client.(*TeleportClient).ssoLogin
github.com/gravitational/teleport/lib/client/api.go:3814 github.com/gravitational/teleport/lib/client.(*TeleportClient).getSSHLoginFunc.func4
github.com/gravitational/teleport/lib/client/api.go:4002 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin.func1
github.com/gravitational/teleport/lib/client/api.go:4049 github.com/gravitational/teleport/lib/client.(*TeleportClient).loginWithHardwareKeyRetry
github.com/gravitational/teleport/lib/client/api.go:4000 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin
github.com/gravitational/teleport/lib/client/api.go:3581 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
github.com/gravitational/teleport/tool/tsh/common/tsh.go:1930 github.com/gravitational/teleport/tool/tsh/common.onLogin
github.com/gravitational/teleport/tool/tsh/common/tsh.go:1405 github.com/gravitational/teleport/tool/tsh/common.Run
github.com/gravitational/teleport/tool/tsh/common/tsh.go:593 github.com/gravitational/teleport/tool/tsh/common.Main
github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
runtime/proc.go:267 runtime.main
runtime/asm_amd64.s:1650 runtime.goexit
User Message: Failed to login due to a disallowed callback URL. Please check Teleport's log for more details