When using the config generated by `tsh config`, `ssh` to agentless nodes on a remote cluster fails known hosts check #42252
Expected behavior:

When a node on a remote (leaf) cluster is joined per our Agentless OpenSSH guide, connection attempts using the regular `ssh` client should work without additional TOFU prompts to trust the remote host.

Current behavior:
SSH to Teleport nodes on the root cluster, agentless nodes on the root cluster, and Teleport nodes on the leaf cluster all work as expected.

However, agentless nodes on the leaf cluster do not match any CAs listed in the generated `~/.tsh/known_hosts` and trigger a TOFU check. You can still connect; however, the RSA fingerprint changes on every connection, so subsequent connection attempts will fail until the entry is removed:

Connecting directly to the leaf cluster with `tsh login --proxy=teleport-leaf.ethernet.fyi:443` and regenerating the config with `tsh config > ~/.ssh/tsh_config` works as expected, so this only impacts remote clusters.

The `~/.tsh/known_hosts` contains the following:

SSH client debug log
Bug details:
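To diagnose a mismatch like the one above, it helps to see which `@cert-authority` entries in a known_hosts file actually cover a given host name, since a host that matches no CA pattern falls through to TOFU. The following is an added example, not Teleport's code or the reporter's; the known_hosts content and key blobs are constructed placeholders, and the matcher implements OpenSSH's `*`/`?`/`!` host-pattern rules.

```python
from dataclasses import dataclass

# Constructed sample in the style of a CA-based known_hosts file.
# Key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS = """\
@cert-authority *.teleport.example.com,teleport.example.com ssh-rsa AAAA-PLACEHOLDER-ROOT type=host
@cert-authority *.leaf.example.com,leaf.example.com ssh-rsa AAAA-PLACEHOLDER-LEAF type=host
"""

@dataclass
class Entry:
    marker: str          # "" for a plain host key, "@cert-authority" for a CA line
    patterns: list       # comma-separated host patterns from the first field
    key_type: str
    key_blob: str

def parse_known_hosts(text: str) -> list:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = ""
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed line, ignore
        entries.append(Entry(marker, fields[0].split(","), fields[1], fields[2]))
    return entries

def _wild(pattern: str, s: str) -> bool:
    """Minimal OpenSSH-style glob: '*' matches any run, '?' one character."""
    if not pattern:
        return not s
    if pattern[0] == "*":
        return any(_wild(pattern[1:], s[i:]) for i in range(len(s) + 1))
    return bool(s) and pattern[0] in ("?", s[0]) and _wild(pattern[1:], s[1:])

def host_matches(patterns: list, host: str) -> bool:
    """A '!' pattern that matches rejects the entry; otherwise any positive match wins."""
    host = host.lower()
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if _wild(p[1:].lower(), host):
                return False
        elif _wild(p.lower(), host):
            matched = True
    return matched

def trusting_cas(text: str, host: str) -> list:
    """Key blobs of the CA entries whose host patterns cover `host`. Hashed (|1|...)
    entries cannot be pattern-matched and are never reported here."""
    return [e.key_blob for e in parse_known_hosts(text)
            if e.marker == "@cert-authority" and host_matches(e.patterns, host)]
```

An empty result for the exact name or address you pass to `ssh` means no CA line covers that host, which is the condition that produces the TOFU prompt.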