[v17] Sanitize SSH server hostnames #49091
Merged
+273
−14
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Prevents any invalid and malicious hostnames, but replacing them with known valid data already associated with the host. This was chosen instead of rejecting to persist the server resource in an attempt to continue providing access to the host in order to remedy the invalid hostname. Any servers that represent a Teleport ssh_service with an invalid hostname will be replaced by the host UUID. Any static OpenSSH servers will have invalid hostnames replaced with the address. This will continue to allow the hosts to be dialable. In order to make these hosts discoverable, the invalid hostname will be set in the "teleport.internal/invalid-hostname" label. Updates gravitational/teleport-private#1676.
fspmarshall
approved these changes
Nov 15, 2024
r0mant
approved these changes
Nov 15, 2024
public-teleport-github-review-bot
bot
removed the request for review
from espadolini
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport #48988 to branch/v17
changelog: Enforce stricter requirements for SSH hostnames. Hostnames will only be allowed if they are less than 257 characters and consist of only alphanumeric characters and the symbols '.' and '-'. Any hostname that violates the new restrictions will be changed, the original hostname will be move to the
teleport.internal/invalid-hostnamelabel for discoverability. Any Teleport agents with an invalid hostname will be replaced with the host UUID. Any Agentless OpenSSH Servers with an invalid hostname will be replaced with the host of the address, if it is valid, or a randomly generated identifier. Any hosts with invalid hostnames should be updated to comply with the new requirements to avoid Teleport renaming them.