You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I can use multiple Teleport SSH sessions concurrently in the same cluster (with per-session portforwarding configuration applied).
Current behaviour
If I login to Teleport while attempting to tsh ssh with a port-forward (-L), the port-forwarding configuration is saved to my profile and subsequent concurrent SSH sessions will fail (as they contest with each other for establishing the port-forward). This happens even when none of the subsequent tsh ssh sessions specify a port-forward (since they all default to the ones set in the profile).
Bug details
If I run tsh ssh -L ... to set up an SSH session while not already logged into Teleport, the client will attempt to login automatically before performing the SSH session (the RetryWithRelogin code path). When it does this, it saves a profile in order to cache the credentials for other sessions, but this profile also contains the session-specific port-forwarding details.
Any subsequent calls to tsh ssh implicitly pick up this port-forwarding configuration, meaning it's no longer possible to have multiple sessions without them contesting for the same port as was used originally.
This seems to have been introduced in #581 in order to support tsh login --proxy (in which case it's clearly intentional that subsequent calls to tsh ssh pick up the port-forwarding configuration). I think the surprising behaviour is that tsh ssh -L sometimes behaves like tsh login --proxy (i.e. persistently saves the port-forwarding) and sometimes does not, depending on whether the user is initially logged in.
Teleport version: branch/v8
Recreation steps:
$ tsh ssh -L 8080:foo:8080 user@host # while not logged in
$ <~/.tsh/profile.yaml # now my profile contains forward_ports
...
forward_ports:
- 8080:foo:8080
$ tsh ssh user@different-host # in a different terminal
ERROR: Failed to bind to 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use.
The answer here may be that this is working as expected, but thought I'd raise it as we found it surprising. Let me know if I can provide any more context 🙏
The text was updated successfully, but these errors were encountered:
Expected behaviour
I can use multiple Teleport SSH sessions concurrently in the same cluster (with per-session portforwarding configuration applied).
Current behaviour
If I login to Teleport while attempting to
tsh ssh
with a port-forward (-L
), the port-forwarding configuration is saved to my profile and subsequent concurrent SSH sessions will fail (as they contest with each other for establishing the port-forward). This happens even when none of the subsequenttsh ssh
sessions specify a port-forward (since they all default to the ones set in the profile).Bug details
If I run
tsh ssh -L ...
to set up an SSH session while not already logged into Teleport, the client will attempt to login automatically before performing the SSH session (theRetryWithRelogin
code path). When it does this, it saves a profile in order to cache the credentials for other sessions, but this profile also contains the session-specific port-forwarding details.Any subsequent calls to
tsh ssh
implicitly pick up this port-forwarding configuration, meaning it's no longer possible to have multiple sessions without them contesting for the same port as was used originally.This seems to have been introduced in #581 in order to support
tsh login --proxy
(in which case it's clearly intentional that subsequent calls totsh ssh
pick up the port-forwarding configuration). I think the surprising behaviour is thattsh ssh -L
sometimes behaves liketsh login --proxy
(i.e. persistently saves the port-forwarding) and sometimes does not, depending on whether the user is initially logged in.branch/v8
The answer here may be that this is working as expected, but thought I'd raise it as we found it surprising. Let me know if I can provide any more context 🙏
The text was updated successfully, but these errors were encountered: