The tsh process opened the validation website on the defined bind-address and, from a remote desktop, it was possible to enter that URL to proceed with the validation (not the default 127.0.0.1).
Current behavior:
But today, that command fails with an error:
WARNING: Ignoring Teleport user (user@company.com) for Single Sign-On (SSO) login.
Provide the user name during the SSO flow instead. Use --auth=local if you did not intend to login with SSO.
ERROR: Failed to login due to a disallowed callback URL. Please check Teleport's log for more details.
It doesn't listen on the defined address any more.
Bug details:
Teleport version
Teleport v15.3.4 git:v15.3.4-0-g0436ce5 go1.21.9
Recreation steps
Trying to execute login as described above.
Debug logs
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE] Reading certificates from path "/home/user/.tsh/keys/company.teleport.sh/user@company.com-ssh/company.teleport.sh-cert.pub". client/keystore.go:357
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2023-10-06 02:43:25 +0000 UTC". client/client_store.go:111
2024-05-14T13:57:14+02:00 INFO [CLIENT] ALPN connection upgrade required for "company.teleport.sh:443": false. client/api.go:787
2024-05-14T13:57:14+02:00 INFO [CLIENT] no host login given. defaulting to user client/api.go:1125
2024-05-14T13:57:14+02:00 WARN [CLIENT] [KEY AGENT] Unable to connect to SSH agent on socket "": dial unix: missing address client/api.go:4838
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE] Reading certificates from path "/home/user/.tsh/keys/company.teleport.sh/user@company.com-ssh/company.teleport.sh-cert.pub". client/keystore.go:357
2024-05-14T13:57:14+02:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2023-10-06 02:43:25 +0000 UTC". client/client_store.go:111
2024-05-14T13:57:14+02:00 INFO [KEYAGENT] Loading SSH key for user "user@company.com" and cluster "company.teleport.sh". client/keyagent.go:198
2024-05-14T13:57:14+02:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: company.teleport.sh:443 client/api.go:4797
2024-05-14T13:57:14+02:00 DEBU Attempting GET company.teleport.sh:443/webapi/ping webclient/webclient.go:129
2024-05-14T13:57:15+02:00 DEBU ALPN connection upgrade required for "company.teleport.sh:443": false. client/alpn_conn_upgrade.go:95
WARNING: Ignoring Teleport user (user@company.com) for Single Sign-On (SSO) login.
Provide the user name during the SSO flow instead. Use --auth=local if you did not intend to login with SSO.
2024-05-14T13:57:15+02:00 DEBU [CLIENT] Attempting to login with a new RSA private key. client/api.go:4104
2024-05-14T13:57:15+02:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: company.teleport.sh:443 client/api.go:4797
2024-05-14T13:57:15+02:00 DEBU [CLIENT] HTTPS client init(proxyAddr=company.teleport.sh:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-05-14T13:57:15+02:00 DEBU [CLIENT] Binding to 192.168.1.10:3000. client/redirect.go:175
2024-05-14T13:57:15+02:00 INFO [CLIENT] Waiting for response at: http://192.168.1.10:3000. client/redirect.go:194
ERROR REPORT:
Original Error: *trace.AccessDeniedError Failed to login due to a disallowed callback URL. Please check Teleport's log for more details.
Stack Trace:
Caught:
github.com/gravitational/teleport/lib/httplib/httplib.go:216 github.com/gravitational/teleport/lib/httplib.ConvertResponse
github.com/gravitational/teleport/lib/client/https_client.go:124 github.com/gravitational/teleport/lib/client.(*WebClient).PostJSON
github.com/gravitational/teleport/lib/client/redirect.go:229 github.com/gravitational/teleport/lib/client.(*Redirector).issueSSOLoginConsoleRequest
github.com/gravitational/teleport/lib/client/redirect.go:214 github.com/gravitational/teleport/lib/client.(*Redirector).Start
github.com/gravitational/teleport/lib/client/weblogin.go:413 github.com/gravitational/teleport/lib/client.SSHAgentSSOLogin
github.com/gravitational/teleport/lib/client/api.go:4325 github.com/gravitational/teleport/lib/client.(*TeleportClient).ssoLogin
github.com/gravitational/teleport/lib/client/api.go:3814 github.com/gravitational/teleport/lib/client.(*TeleportClient).getSSHLoginFunc.func4
github.com/gravitational/teleport/lib/client/api.go:4002 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin.func1
github.com/gravitational/teleport/lib/client/api.go:4049 github.com/gravitational/teleport/lib/client.(*TeleportClient).loginWithHardwareKeyRetry
github.com/gravitational/teleport/lib/client/api.go:4000 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin
github.com/gravitational/teleport/lib/client/api.go:3581 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
github.com/gravitational/teleport/tool/tsh/common/tsh.go:1930 github.com/gravitational/teleport/tool/tsh/common.onLogin
github.com/gravitational/teleport/tool/tsh/common/tsh.go:1405 github.com/gravitational/teleport/tool/tsh/common.Run
github.com/gravitational/teleport/tool/tsh/common/tsh.go:593 github.com/gravitational/teleport/tool/tsh/common.Main
github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
runtime/proc.go:267 runtime.main
runtime/asm_amd64.s:1650 runtime.goexit
User Message: Failed to login due to a disallowed callback URL. Please check Teleport's log for more details
You should not just close the issue and say that this is intended!
There are some restrictions in some organizations that we may use local IPs but not 127.0.0.1 on http and it's not possible anymore!
The option that you added allows only https URLs and not http local IPs which is a huge problem!
We use --bind-addr= on the client side, and the server should be able to handle the client request with this option as well, because this is a blocker point for us!
Expected behavior:
Trying to login from a remote server without desktop, up until now, the following command has been working:
$ tsh login --proxy=company.teleport.sh --user=user@company.com --bind-addr=192.168.1.10:3000 --browser none