port_forwarding can be saved to a cluster profile without this being requested #3094

Closed
webvictim opened this issue Oct 21, 2019 · 5 comments
Labels: bug, c-dc Internal Customer Reference, c-dx Internal Customer Reference, good-starter-issue Good starter issue to start contributing to Teleport

Comments


webvictim commented Oct 21, 2019

What happened: tsh ssh will sometimes add default port forwarding to .tsh/{cluster}.yaml which causes all subsequent connections to any node in that cluster to "inherit" that setting:

(...)
forward_ports:
- 1234:localhost:1234

What you expected to happen: Port forwarding settings not to be saved to .tsh/{cluster}.yaml and to be manually specified each time. Automatically forwarding ports (without it being explicitly requested) can be a security risk.

How to reproduce it (as minimally and precisely as possible): This is what's uncertain. It appears that somehow the port forwarding configuration gets saved to the tsh profile but I'm unsure exactly why or how this happens.

Environment:

  • Teleport version (use teleport version): 4.0.0
  • Tsh version (use tsh version): 4.1.0
louis-pie commented Aug 8, 2022

Can confirm this is still happening

tsh version
Teleport v10.1.2 git:v10.1.2-0-g5bc7caf go1.18.3
Proxy version: 7.3.23
tsh ssh xxxxxxxxxxx
ERROR: Failed to bind to 127.0.0.1:10824: listen tcp 127.0.0.1:10824: bind: address already in use.


ArunNadda commented Aug 31, 2022

Found one case when forward_ports gets added to cluster profile file:

So if ssh -L port:host:port is run as a tsh command, and this command is what logs in to the cluster (because the user cert is expired or it is a first-time login), forward_ports is added to the cluster profile. I think this should not be added to the profile, as suggested in this issue.

# this command started login to the teleport cluster, and has `ssh` args.
% tsh  --proxy=txxx.cf:3080 ssh -L 8002:localhost:8002 root@akn-dbsvc
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:57121/4710809f-adb6-4029-869e-d7890982065e

# forward_ports is added to profile
% cat ~/.tsh/txxx.cf.yaml
web_proxy_addr: txxx.cf:3080
ssh_proxy_addr: txxx.cf:3080
kube_proxy_addr: txxx.cf:3080
postgres_proxy_addr: txxx.cf:3080
mysql_proxy_addr: txxx:3080
user: arun.nadda@goteleport.com
cluster: ip-xxxl
forward_ports:
- 8002:localhost:8002
dir: ""
tls_routing_enabled: true

As a workaround, log out of the current profile, then log in to the cluster without any ssh command, or without any port-forward option on the ssh command, like:

  • logout
    tsh logout
  • login again
    tsh login --proxy='txxx.cf:3080' --auth=okta
    or
    tsh --proxy='txxx.cf:3080' --auth=okta ssh "${TELEPORT_USER}@$host"

@ArunNadda

Running tsh login again, if the previous session that added forward_ports to the profile has not expired, does not remove the forward_ports entry from the profile, even though it gets a new certificate:

login with ssh -L option
% tsh  --proxy=txxx.cf:3080 ssh -L 5757:localhost:5757 root@akn-dbsvc
can see port forwarding in YAML profile here
% cat ~/.tsh/txxx.cf.yaml
< ... >
forward_ports:
- 5757:localhost:5757
< ... >
login again with no SSH command
% tsh login --proxy=txxx.cf:3080 --auth=okta
< login successful >
port forward still there
%  cat ~/.tsh/txxx.cf.yaml
< ... >
forward_ports:
- 5757:localhost:5757
< ... >
To get rid of forward_ports in the profile, tsh logout -> tsh login is required, which is definitely a bug.

@russjones russjones removed this from the Runway Milestone milestone Sep 7, 2022
@russjones russjones added the good-starter-issue Good starter issue to start contributing to Teleport label Sep 7, 2022
@oshati oshati added the c-dc Internal Customer Reference label Apr 28, 2023

oshati commented Apr 28, 2023

We have another customer who has reported the above issue, where the forward_ports entry gets cached and stuck in the ~/.tsh/{cluster}.yaml profile, causing the below error on a subsequent attempt to tsh ssh. The issue is reproducible as explained in the thread, but the persistence of the error isn't consistent.

tsh version 10.2.2
server version 11.3.10

INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.x06O4csPrx/Listeners" client/api.go:3575
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/user.user/.tsh/keys/teleport.example.com/user.example.com-x509.pem" valid until "2023-04-28 10:19:59 +0000 UTC". client/keystore.go:307
DEBU [KEYSTORE]  Reading certificates from path "/Users/user.user/.tsh/keys/teleport.example.com/user.example.com-ssh/teleport.example.com-cert.pub". client/keystore.go:330
INFO [KEYAGENT]  Loading SSH key for user "user.example.com" and cluster "teleport.example.com". client/keyagent.go:202
INFO [CLIENT]    Connecting to proxy=teleport.example.com:443 login="root" using TLS Routing client/api.go:2722
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/user.user/.tsh/keys/teleport.example.com/user.example.com-x509.pem" valid until "2023-04-28 10:19:59 +0000 UTC". client/keystore.go:307
DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:276
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/user.user/.tsh/keys/teleport.example.com/user.example.com-x509.pem" valid until "2023-04-28 10:19:59 +0000 UTC". client/keystore.go:307
DEBU [KEYAGENT]  "Checking key: REDACTED." client/keyagent.go:376
DEBU [KEYAGENT]  Validated host teleport.example.com:443. client/keyagent.go:382
INFO [CLIENT]    Successful auth with proxy teleport.example.com:443. client/api.go:2727
DEBU [CLIENT]    Found clusters: [{"name":"teleport.example.com","lastconnected":"2023-04-28T18:50:43.362158224Z","status":"online"}] client/client.go:113
INFO [CLIENT]    Client= connecting to node=repro-server on cluster teleport.example.com client/client.go:1165
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/user.user/.tsh/keys/teleport.example.com/user.example.com-x509.pem" valid until "2023-04-28 10:19:59 +0000 UTC". client/keystore.go:307
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/user.user/.tsh/keys/teleport.example.com/user.example.com-x509.pem" valid until "2023-04-28 10:19:59 +0000 UTC". client/keystore.go:307
DEBU [KEYSTORE]  Reading certificates from path "/Users/user.user/.tsh/keys/teleport.example.com/user.example.com-ssh/teleport.example.com-cert.pub". client/keystore.go:330
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/user.user/.tsh/keys/teleport.example.com/user.example.com-x509.pem" valid until "2023-04-28 10:19:59 +0000 UTC". client/keystore.go:307
DEBU [CLIENT]    MFA not required for access. client/client.go:363
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/Users/user.user/.tsh/keys/teleport.example.com/user.example.com-x509.pem" valid until "2023-04-28 10:19:59 +0000 UTC". client/keystore.go:307
DEBU [KEYAGENT]  "Checking key: REDACTED." client/keyagent.go:376
DEBU [KEYAGENT]  Validated host repro-server:0@default@teleport.example.com. client/keyagent.go:382

ERROR REPORT:
Original Error: *errors.errorString Failed to bind to 127.0.0.1:3030: listen tcp 127.0.0.1:3030: bind: address already in use.
Stack Trace:
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/lib/client/api.go:1767 github.com/gravitational/teleport/lib/client.(*TeleportClient).startPortForwarding
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/lib/client/api.go:1718 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSH
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:2118 main.onSSH.func1
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/lib/client/api.go:692 github.com/gravitational/teleport/lib/client.RetryWithRelogin
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:2117 main.onSSH
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:767 main.Run
	/tmp/build-darwin-amd64/go/src/github.com/gravitational/teleport/tool/tsh/tsh.go:371 main.main
	/var/folders/ys/8czjjsys38x504kj8172pd_m0000gp/T/drone-2ziwnCzQwEl5gC9G/home/drone/build-13580-1657915527-toolchains/go/src/runtime/proc.go:255 runtime.main
	/var/folders/ys/8czjjsys38x504kj8172pd_m0000gp/T/drone-2ziwnCzQwEl5gC9G/home/drone/build-13580-1657915527-toolchains/go/src/runtime/asm_amd64.s:1581 runtime.goexit
User Message: Failed to bind to 127.0.0.1:3030: listen tcp 127.0.0.1:3030: bind: address already in use.
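
An added example, not part of this thread and not Teleport's own code: a small Go audit for the profile layout shown in ArunNadda's comments above (top-level `key: value` lines with a `forward_ports:` list of `- port:host:port` items). It separates any persisted forward_ports entries, which tsh would apply to every subsequent ssh in that cluster and which produce the bind error in oshati's report, from the rest of the profile, so the block can be reviewed or removed without the logout/login workaround. The profile text is constructed for the example.

```go
package main

import "strings"

// Constructed sample, modelled on the ~/.tsh/{cluster}.yaml shown in this thread.
const sampleProfile = `web_proxy_addr: txxx.cf:3080
ssh_proxy_addr: txxx.cf:3080
user: user@example.com
cluster: ip-xxxl
forward_ports:
- 8002:localhost:8002
- 5757:localhost:5757
dir: ""
tls_routing_enabled: true
`

// SplitForwardPorts scans a flat tsh profile and separates the top-level
// forward_ports list from the rest of the file. It returns the persisted
// forward specs (each of which tsh would apply to every ssh in that cluster)
// and the profile text with that block removed. Assumes the flat layout above.
func SplitForwardPorts(profile string) (forwards []string, stripped string) {
	var kept []string
	inBlock := false
	for _, line := range strings.Split(profile, "\n") {
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "forward_ports:":
			inBlock = true // drop the key itself
		case inBlock && strings.HasPrefix(trimmed, "- "):
			forwards = append(forwards, strings.TrimSpace(trimmed[2:]))
		default:
			inBlock = false // any other line ends the list
			kept = append(kept, line)
		}
	}
	return forwards, strings.Join(kept, "\n")
}

// LocalPort returns the local listening port of a port:host:port spec such as
// 8002:localhost:8002; this is the port whose bind fails in the error above.
// Specs with an explicit bind address in front are not handled here.
func LocalPort(spec string) string {
	if i := strings.Index(spec, ":"); i > 0 {
		return spec[:i]
	}
	return ""
}
```

Running SplitForwardPorts over a real profile before a tsh ssh shows exactly which local ports will be bound without having been requested on the command line.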

@pschisa pschisa added the c-dx Internal Customer Reference label May 10, 2023

r0mant commented Jun 2, 2023

The fix was merged, should be available in next patch releases.

@r0mant r0mant closed this as completed Jun 2, 2023