Sanitize SSH server hostnames #48988
Merged
+273
−14
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rosstimothy
force-pushed
the
tross/host_re_name
branch
3 times, most recently
from
5ca1e51
to
cce5716
Compare
rosstimothy
force-pushed
the
tross/host_re_name
branch
2 times, most recently
from
2779014
to
ef388bd
Compare
Prevents any invalid and malicious hostnames, but replacing them with known valid data already associated with the host. This was chosen instead of rejecting to persist the server resource in an attempt to continue providing access to the host in order to remedy the invalid hostname. Any servers that represent a Teleport ssh_service with an invalid hostname will be replaced by the host UUID. Any static OpenSSH servers will have invalid hostnames replaced with the address. This will continue to allow the hosts to be dialable. In order to make these hosts discoverable, the invalid hostname will be set in the "teleport.internal/invalid-hostname" label. Updates gravitational/teleport-private#1676.
rosstimothy
force-pushed
the
tross/host_re_name
branch
from
ef388bd
to
67f06d4
Compare
rosstimothy
commented
Nov 14, 2024
| return trace.Wrap(err) | ||
| } | ||
|
|
||
| host = id.String() |
There was a problem hiding this comment.
Should we prefix these hostnames with something to better identify them as invalid? Do we want these hosts to appear at the top of the list in the UI so that they are more discoverable?
espadolini
reviewed
Nov 15, 2024
lib/auth/auth.go
Outdated
| return false, nil | ||
| } | ||
|
|
||
| if _, err := a.Services.UpsertNode(a.closeCtx, srv); err != nil { |
There was a problem hiding this comment.
This will resurrect a manually deleted openssh node if it happens at the wrong time; seeing as this is intended to only happen once per host, couldn't we use a conditional update?
There was a problem hiding this comment.
Updated to use the new PresenceInternal.UpdateNode in f6c9997.
espadolini
approved these changes
Nov 15, 2024
fspmarshall
approved these changes
Nov 15, 2024
public-teleport-github-review-bot
bot
removed request for
r0mant,
bernardjkim and
capnspacehook
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
|
@rosstimothy See the table below for backport results.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Prevents any invalid and malicious hostnames, but replacing them with known valid data already associated with the host. This was chosen instead of rejecting to persist the server resource in an attempt to continue providing access to the host in order to remedy the invalid hostname.
Any servers that represent a Teleport ssh_service with an invalid hostname will be replaced by the host UUID. Any static OpenSSH servers will have invalid hostnames replaced with the address. This will continue to allow the hosts to be dialable. In order to make these hosts discoverable, the invalid hostname will be set in the "teleport.internal/invalid-hostname" label.
Updates https://github.com/gravitational/teleport-private/issues/1676.
Changelog: Enforce stricter requirements for SSH hostnames. Hostnames will only be allowed if they are less than 257 characters and consist of only alphanumeric characters and the symbols '.' and '-'. Any hostname that violates the new restrictions will be changed, the original hostname will be move to the
teleport.internal/invalid-hostnamelabel for discoverability. Any Teleport agents with an invalid hostname will be replaced with the host UUID. Any Agentless OpenSSH Servers with an invalid hostname will be replaced with the host of the address, if it is valid, or a randomly generated identifier. Any hosts with invalid hostnames should be updated to comply with the new requirements to avoid Teleport renaming them.