(v7) Host certificate checker and postgres connection fixes (#57)

gravitational · Sep 7, 2021 · 63f85cf · 63f85cf
1 parent 6eb543d
commit 63f85cf
Show file tree

Hide file tree

Showing 51 changed files with 1,115 additions and 268 deletions.
diff --git a/.drone.yml b/.drone.yml
@@ -4215,6 +4215,10 @@ steps:
     image: docker
     commands:
       - |
+        if [ "${DRONE_REPO}" != "gravitational/teleport" ]; then
+          echo "---> Not publishing ${DRONE_REPO} packages to repos"
+          exit 78
+        fi
         # length will be 0 after filtering if this is a pre-release, >0 otherwise
         FILTERED_TAG_LENGTH=$(echo ${DRONE_TAG} | egrep -v '(alpha|beta|dev|rc)' | wc -c)
         if [ $$FILTERED_TAG_LENGTH -eq 0 ]; then
@@ -4381,6 +4385,6 @@ volumes:
       name: drone-s3-debrepo-pvc
 ---
 kind: signature
-hmac: 94c64c4b8eb79102ae9e2a619ffdfc76f232ce49b29eb042f907bedd6c26f74e
+hmac: 2ed9788b54187803ad301968e2b84c79cdc34de7eab79fe6eed6321ddd4f439e
 
 ...
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,63 @@
 # Changelog
 
+## 7.1.1
+
+This release of Teleport contains multiple bug fixes and security fixes.
+
+* Fixed an issue with starting Teleport with `--bootstrap` flag. [#8128](https://github.com/gravitational/teleport/pull/8128)
+* Added support for non-blocking access requests via `--request-nowait` flag. [#7979](https://github.com/gravitational/teleport/pull/7979)
+* Added support for a profile specific kubeconfig file. [#8048](https://github.com/gravitational/teleport/pull/8048)
+
+### Security fixes
+
+As part of a routine security audit of Teleport, several security vulnerabilities
+and miscellaneous issues were discovered. Below are the issues found, their
+impact, and the components of Teleport they affect.
+
+#### Server Access
+
+An attacker with privileged network position could forge SSH host certificates
+that Teleport would incorrectly validate in specific code paths. The specific
+paths of concern are:
+
+* Using `tsh` with an identity file (commonly used for service accounts). This
+  could lead to potentially leaking of sensitive commands the service account
+  runs or in the case of proxy recording mode, the attacker could also gain
+  control of the SSH agent being used.
+
+* Teleport agents could incorrectly connect to an attacker controlled cluster.
+  Note, this would not give the attacker access or control of resources (like
+  SSH, Kubernetes, Applications, or Database servers) because Teleport agents
+  will still reject all connections without a valid x509 or SSH user
+  certificate.
+
+#### Database Access
+
+When connecting to a Postgres database, an attacker could craft a database name
+or a username in a way that would have allowed them control over the resulting
+connection string.
+
+An attacker could have probed connections to other reachable database servers
+and alter connection parameters such as disable TLS or connect to a database
+authenticated by a password.
+
+#### All
+
+During an internal security exercise our engineers have discovered a
+vulnerability in Teleport build infrastructure that could have been potentially
+used to alter build artifacts. We have found no evidence of any exploitation. In
+an effort to be open and transparent with our customers, we encourage all
+customers to upgrade to the latest patch release.
+
+#### Actions
+
+For all users, we recommend upgrading all components of their Teleport cluster.
+If upgrading all components is not possible, we recommend upgrading `tsh` and
+Teleport agents (including trusted cluster proxies) that use reverse tunnels.
+
+Upgrades should follow the normal Teleport upgrade procedure:
+https://goteleport.com/teleport/docs/admin-guide/#upgrading-teleport.
+
 ## 7.1.0
 
 This release of Teleport contains a feature and bug fix.

diff --git a/Makefile b/Makefile
@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=7.1.0
+VERSION=7.1.1
 
 DOCKER_IMAGE ?= quay.io/gravitational/teleport
 DOCKER_IMAGE_CI ?= quay.io/gravitational/teleport-ci

diff --git a/api/constants/constants.go b/api/constants/constants.go
@@ -102,6 +102,9 @@ const (
 	AWSConsoleURL = "https://console.aws.amazon.com"
 	// AWSAccountIDLabel is the key of the label containing AWS account ID.
 	AWSAccountIDLabel = "aws_account_id"
+
+	// RSAKeySize is the size of the RSA key.
+	RSAKeySize = 2048
 )
 
 // SecondFactorType is the type of 2FA authentication.

diff --git a/api/utils/sshutils/callback.go b/api/utils/sshutils/callback.go
@@ -0,0 +1,86 @@
+/*
+Copyright 2021 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sshutils
+
+import (
+	"github.com/gravitational/trace"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/crypto/ssh"
+)
+
+// CheckersGetter defines a function that returns a list of ssh public keys.
+type CheckersGetter func() ([]ssh.PublicKey, error)
+
+// HostKeyCallbackConfig is the host key callback configuration.
+type HostKeyCallbackConfig struct {
+	// GetHostCheckers is used to fetch host checking (public) keys.
+	GetHostCheckers CheckersGetter
+	// HostKeyFallback sets optional callback to check non-certificate keys.
+	HostKeyFallback ssh.HostKeyCallback
+	// FIPS allows to set FIPS mode which will validate algorithms.
+	FIPS bool
+	// OnCheckCert is called on SSH certificate validation.
+	OnCheckCert func(*ssh.Certificate)
+}
+
+// Check validates the config.
+func (c *HostKeyCallbackConfig) Check() error {
+	if c.GetHostCheckers == nil {
+		return trace.BadParameter("missing GetHostCheckers")
+	}
+	return nil
+}
+
+// NewHostKeyCallback returns host key callback function with the specified parameters.
+func NewHostKeyCallback(conf HostKeyCallbackConfig) (ssh.HostKeyCallback, error) {
+	if err := conf.Check(); err != nil {
+		return nil, trace.Wrap(err)
+	}
+	checker := CertChecker{
+		CertChecker: ssh.CertChecker{
+			IsHostAuthority: makeIsHostAuthorityFunc(conf.GetHostCheckers),
+			HostKeyFallback: conf.HostKeyFallback,
+		},
+		FIPS:        conf.FIPS,
+		OnCheckCert: conf.OnCheckCert,
+	}
+	return checker.CheckHostKey, nil
+}
+
+func makeIsHostAuthorityFunc(getCheckers CheckersGetter) func(key ssh.PublicKey, host string) bool {
+	return func(key ssh.PublicKey, host string) bool {
+		checkers, err := getCheckers()
+		if err != nil {
+			logrus.WithError(err).Errorf("Failed to get checkers for %v.", host)
+			return false
+		}
+		for _, checker := range checkers {
+			switch v := key.(type) {
+			case *ssh.Certificate:
+				if KeysEqual(v.SignatureKey, checker) {
+					return true
+				}
+			default:
+				if KeysEqual(key, checker) {
+					return true
+				}
+			}
+		}
+		logrus.Debugf("No CA for host %v.", host)
+		return false
+	}
+}
diff --git a/api/utils/sshutils/checker.go b/api/utils/sshutils/checker.go
@@ -0,0 +1,130 @@
+/*
+Copyright 2019-2021 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sshutils
+
+import (
+	"crypto/rsa"
+	"net"
+
+	"github.com/gravitational/teleport/api/constants"
+
+	"github.com/gravitational/trace"
+	"golang.org/x/crypto/ssh"
+)
+
+// CertChecker is a drop-in replacement for ssh.CertChecker. In FIPS mode,
+// checks if the certificate (or key) were generated with a supported algorithm.
+type CertChecker struct {
+	ssh.CertChecker
+
+	// FIPS means in addition to checking the validity of the key or
+	// certificate, also check that FIPS 140-2 algorithms were used.
+	FIPS bool
+
+	// OnCheckCert is called when validating host certificate.
+	OnCheckCert func(*ssh.Certificate)
+}
+
+// Authenticate checks the validity of a user certificate.
+func (c *CertChecker) Authenticate(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
+	err := c.validateFIPS(key)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	perms, err := c.CertChecker.Authenticate(conn, key)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
+	return perms, nil
+}
+
+// CheckCert checks certificate metadata and signature.
+func (c *CertChecker) CheckCert(principal string, cert *ssh.Certificate) error {
+	err := c.validateFIPS(cert)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	err = c.CertChecker.CheckCert(principal, cert)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	if c.OnCheckCert != nil {
+		c.OnCheckCert(cert)
+	}
+
+	return nil
+}
+
+// CheckHostKey checks the validity of a host certificate.
+func (c *CertChecker) CheckHostKey(addr string, remote net.Addr, key ssh.PublicKey) error {
+	err := c.validateFIPS(key)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	err = c.CertChecker.CheckHostKey(addr, remote, key)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	if cert, ok := key.(*ssh.Certificate); ok && c.OnCheckCert != nil {
+		c.OnCheckCert(cert)
+	}
+
+	return nil
+}
+
+func (c *CertChecker) validateFIPS(key ssh.PublicKey) error {
+	// When not in FIPS mode, accept all algorithms and key sizes.
+	if !c.FIPS {
+		return nil
+	}
+
+	switch cert := key.(type) {
+	case *ssh.Certificate:
+		err := validateFIPSAlgorithm(cert.Key)
+		if err != nil {
+			return trace.Wrap(err)
+		}
+		err = validateFIPSAlgorithm(cert.SignatureKey)
+		if err != nil {
+			return trace.Wrap(err)
+		}
+		return nil
+	default:
+		return validateFIPSAlgorithm(key)
+	}
+}
+
+func validateFIPSAlgorithm(key ssh.PublicKey) error {
+	cryptoKey, ok := key.(ssh.CryptoPublicKey)
+	if !ok {
+		return trace.BadParameter("unable to determine underlying public key")
+	}
+	k, ok := cryptoKey.CryptoPublicKey().(*rsa.PublicKey)
+	if !ok {
+		return trace.BadParameter("only RSA keys supported")
+	}
+	if k.N.BitLen() != constants.RSAKeySize {
+		return trace.BadParameter("found %v-bit key, only %v-bit supported", k.N.BitLen(), constants.RSAKeySize)
+	}
+	return nil
+}