Auto-login during SSH causes all subsequent SSH sessions to re-use the same port-forward config #17589

Closed
craigfe opened this issue Oct 19, 2022 · 5 comments
Labels
bug c-af Internal Customer Reference c-dx Internal Customer Reference server-access

Comments

@craigfe

craigfe commented Oct 19, 2022

Expected behaviour

I can use multiple Teleport SSH sessions concurrently in the same cluster (with per-session port-forwarding configuration applied).

Current behaviour

If I log in to Teleport while attempting to tsh ssh with a port-forward (-L), the port-forwarding configuration is saved to my profile and subsequent concurrent SSH sessions will fail (as they contest with each other for establishing the port-forward). This happens even when none of the subsequent tsh ssh sessions specify a port-forward (since they all default to the ones set in the profile).

Bug details

If I run tsh ssh -L ... to set up an SSH session while not already logged into Teleport, the client will attempt to log in automatically before performing the SSH session (the RetryWithRelogin code path). When it does this, it saves a profile in order to cache the credentials for other sessions, but this profile also contains the session-specific port-forwarding details.

Any subsequent calls to tsh ssh implicitly pick up this port-forwarding configuration, meaning it's no longer possible to have multiple sessions without them contesting for the same port as was used originally.

This seems to have been introduced in #581 in order to support tsh login --proxy (in which case it's clearly intentional that subsequent calls to tsh ssh pick up the port-forwarding configuration). I think the surprising behaviour is that tsh ssh -L sometimes behaves like tsh login --proxy (i.e. persistently saves the port-forwarding) and sometimes does not, depending on whether the user is initially logged in.

  • Teleport version: branch/v8
  • Recreation steps:
$ tsh ssh -L 8080:foo:8080 user@host  # while not logged in
$ < ~/.tsh/profile.yaml               # now my profile contains forward_ports
...
forward_ports:
- 8080:foo:8080

$ tsh ssh user@different-host         # in a different terminal
ERROR: Failed to bind to 127.0.0.1:8080: listen tcp 127.0.0.1:8080: bind: address already in use.

The answer here may be that this is working as expected, but thought I'd raise it as we found it surprising. Let me know if I can provide any more context 🙏

@craigfe craigfe added the bug label Oct 19, 2022
@moisesmejia1200 moisesmejia1200 added the c-af Internal Customer Reference label Nov 16, 2022
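
A way to check a profile for the persisted state the report describes, as an added example that is not part of the original issue or of Teleport's code. It assumes the layout shown in the recreation steps (a top-level forward_ports key followed by "- spec" items) and ssh-style specs of the form [bind_address:]port:host:hostport; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report port forwards that were persisted into a tsh profile.
# Assumption: the profile lists them as shown in the report:
#   forward_ports:
#   - 8080:foo:8080

# persisted_forwards FILE: print one forward spec per line.
persisted_forwards() {
    awk '
        /^forward_ports:[[:space:]]*$/ { in_list = 1; next }
        in_list && /^[[:space:]]*-[[:space:]]/ {
            sub(/^[[:space:]]*-[[:space:]]*/, "")   # drop the list marker
            sub(/[[:space:]]+#.*$/, "")             # drop a trailing comment
            gsub(/^"|"$/, "")                       # drop surrounding quotes
            print
            next
        }
        in_list && /^[^[:space:]]/ { in_list = 0 }  # next top-level key ends the list
    ' "$1"
}

# local_port SPEC: the local listen port is the third field from the end.
local_port() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $(NF - 2) }'
}

# check_profile FILE: returns 1 when the profile carries persisted forwards.
check_profile() {
    profile=$1
    [ -f "$profile" ] || { echo "no profile at $profile"; return 0; }
    found=0
    for spec in $(persisted_forwards "$profile"); do
        found=1
        echo "persisted forward $spec: each tsh ssh using this profile will try to bind local port $(local_port "$spec")"
    done
    return "$found"
}

# Constructed sample mirroring the excerpt in the report; example_key is a placeholder.
sample=$(mktemp)
printf 'example_key: value\nforward_ports:\n- 8080:foo:8080\n' > "$sample"
check_profile "$sample" || echo "profile carries session-specific forwards"
rm -f "$sample"
```

Against a real profile, call check_profile with the path from the report (~/.tsh/profile.yaml); a non-zero return means later sessions inherit the listed forwards.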
@gabrielcossette

I confirm this bug is still present in v11.

@rottenbytes

still there in v12 too

@pschisa pschisa added the c-dx Internal Customer Reference label May 10, 2023
@tardoe

tardoe commented Jun 5, 2023

Still a bug in v13 as well.

❯ tsh version
Teleport v13.0.0 git:v13.0.0-0-g6d0ce2bf go1.20.4
Proxy version: 13.0.3

@zmb3
Collaborator

zmb3 commented Jun 8, 2023

@r0mant @lxea this was fixed by #26823, right?

@lxea
Contributor

lxea commented Jun 9, 2023

I think it should be, yeah

@zmb3 zmb3 closed this as completed Jun 9, 2023