As a brief background, our organisation is currently evaluating Teleport as a potential access management solution for both SSH and Kubernetes. In the context of this ticket, two of Teleport's features are essential to us:
Per-session MFA challenge for some servers, to mitigate the risk of malicious scripts running on client machines by checking for user presence through U2F hardware
Recording Proxy mode using proxy-sync, as we need to prevent potential attackers who are logged into privileged system users via SSH from tampering with SSH session recordings
We've tested the following on both Teleport 7.3.2 and the current Teleport 8 alpha (master branch).
What happened:
With Teleport running inside Kubernetes, the Teleport Auth configuration looks like this:
Proxy and Node configurations are essentially the default values after auth references are configured, but let me know if seeing them would be helpful.
After configuring local users through Teleport Auth server and registering their MFA tokens with tsh mfa add, we then set a role for the user to require per-session MFA:
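For reference, this is the shape of the two configuration pieces the report refers to, as an added illustrative example and not the reporter's actual files: the `auth_service` section with `session_recording: proxy-sync` and the role requiring per-session MFA. Cluster names and hostnames are placeholders; the role name `test-admin`, the login `core` and the `system:masters` group are taken from the logs in this issue.

```yaml
# Added illustrative configuration, not the reporter's own files.
# Key names follow the Teleport 7/8 config and role schema; angle-bracket
# values are placeholders. Adjust the u2f/webauthn block to your deployment.
#
# --- teleport.yaml (auth_service section) ---
auth_service:
  enabled: yes
  cluster_name: <teleport-cluster-name>
  authentication:
    type: local
    second_factor: on              # hardware second factor required at login
    u2f:
      app_id: https://<teleport-cluster-hostname>:3080
      facets:
        - https://<teleport-cluster-hostname>:3080
  # Mode under test in this report: the proxy records sessions, so a user
  # with root on the node cannot alter the recording. The reporter observed
  # per-session MFA for SSH working only when this is set to 'node-sync'.
  session_recording: proxy-sync
  # Recording proxy mode requires the proxy to verify node host keys.
  proxy_checks_host_keys: yes
---
# --- role.yaml: apply with `tctl create -f role.yaml` ---
kind: role
version: v4
metadata:
  name: test-admin
spec:
  options:
    # Every SSH or Kubernetes session needs a fresh U2F/WebAuthn presence check;
    # the auth server then issues the short-lived single-use certificate seen
    # in the tsh debug output ("Issued single-use user certificate after an MFA check").
    require_session_mfa: true
  allow:
    logins: [core]
    node_labels:
      '*': '*'
    kubernetes_groups: [system:masters]
```

The `[RBAC] Access to node ... denied, role "test-admin" requires per-session MFA` line in the auth logs is the expected first-pass denial that triggers the MFA challenge; the later `T3007W` audit event with `access to resource requires MFA` is the part that should not occur once the single-use certificate has been issued.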
Using the local user, we then validate that MFA challenges should be working correctly through Kubernetes access via teleport-proxy:
root@test-VirtualBox:/mnt/Downloads/teleport# ./tsh --insecure -d kube credentials --teleport-cluster=<redacted> --kube-cluster=<redacted>
INFO [CLIENT] no host login given. defaulting to root client/api.go:1071
ERRO [CLIENT] [KEY AGENT] Unable to connect to SSH agent on socket: "". client/api.go:2884
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<redacted>/<redacted>-x509.pem" valid until "2021-11-04 02:41:21 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/<redacted>/<redacted>-ssh/<redacted>-cert.pub". client/keystore.go:303
INFO [KEYAGENT] Loading SSH key for user "<redacted>" and cluster "<redacted>". client/keyagent.go:179
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<redacted>/<redacted>-x509.pem" valid until "2021-11-04 02:41:21 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/<redacted>/<redacted>-kube/<redacted>". client/keystore.go:303
DEBU [TSH] Requesting TLS cert for kubernetes cluster "<redacted>" tsh/kube.go:104
INFO [CLIENT] Connecting proxy=<redacted>:3023 login="core" client/api.go:2111
DEBU [KEYAGENT] "Checking key: <host ssh cert omitted>\n." client/keyagent.go:337
DEBU [KEYAGENT] Validated host <redacted>:3023. client/keyagent.go:343
INFO [CLIENT] Successful auth with proxy <redacted>:3023. client/api.go:2118
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<redacted>/<redacted>-x509.pem" valid until "2021-11-04 02:41:21 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/<redacted>/<redacted>-ssh/<redacted>-cert.pub". client/keystore.go:303
DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/<redacted>/<redacted>-kube/<redacted>". client/keystore.go:303
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<redacted>/<redacted>-x509.pem" valid until "2021-11-04 02:41:21 +0000 UTC". client/keystore.go:280
DEBU [CLIENT] Client is connecting to auth server on cluster "<redacted>". client/client.go:820
DEBU [CLIENT] Attempting to issue a single-use user certificate with an MFA check. client/client.go:377
Tap any security key
DEBU [CLIENT] WebAuthn: prompting U2F devices with origin "https://<redacted>:3080" client/mfa.go:110
DEBU [CLIENT] Issued single-use user certificate after an MFA check. client/client.go:445
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<redacted>/<redacted>-x509.pem" valid until "2021-11-04 02:41:21 +0000 UTC". client/keystore.go:280
INFO [KEYAGENT] Loading SSH key for user "<redacted>" and cluster "<redacted>". client/keyagent.go:179
{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"expirationTimestamp":"2021-11-03T15:31:17Z","clientCertificateData":"-----BEGIN CERTIFICATE-----\nMIIE<omitted>
We then attempt to do the same with SSH access:
root@test-VirtualBox:/mnt/Downloads/teleport# ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-dcKRcK7foYm3/agent.1761; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1762; export SSH_AGENT_PID;
echo Agent pid 1762;
root@test-VirtualBox:/mnt/Downloads/teleport# SSH_AUTH_SOCK=/tmp/ssh-dcKRcK7foYm3/agent.1761; export SSH_AUTH_SOCK;
root@test-VirtualBox:/mnt/Downloads/teleport# ssh-add -L
The agent has no identities.
root@test-VirtualBox:/mnt/Downloads/teleport# ./tsh --insecure -d ssh -A core@10.xxx.xx.xxx
INFO [CLIENT] [KEY AGENT] Connected to the system agent: "/tmp/ssh-dcKRcK7foYm3/agent.1761" client/api.go:2888
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 03:48:52 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-ssh/<teleport-cluster-name>-cert.pub". client/keystore.go:303
INFO [KEYAGENT] Loading SSH key for user "<username>" and cluster "<teleport-cluster-name>". client/keyagent.go:179
INFO [CLIENT] Connecting proxy=<teleport-cluster-hostname>:3023 login="core" client/api.go:2111
DEBU [KEYAGENT] "Checking key: ssh-rsa-cert-v01@openssh.com <host-ssh-cert>\n." client/keyagent.go:337
DEBU [KEYAGENT] Validated host <teleport-cluster-hostname>:3023. client/keyagent.go:343
INFO [CLIENT] Successful auth with proxy <teleport-cluster-hostname>:3023. client/api.go:2118
DEBU [CLIENT] Found clusters: [{"name":"<teleport-cluster-name>","lastconnected":"2021-11-03T15:49:27.965647308Z","status":"online"}] client/client.go:110
INFO [CLIENT] Client= connecting to node=10.xxx.xx.xxx on cluster <teleport-cluster-name> client/client.go:925
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 03:48:52 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 03:48:52 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-ssh/<teleport-cluster-name>-cert.pub". client/keystore.go:303
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 03:48:52 +0000 UTC". client/keystore.go:280
DEBU [CLIENT] Client is connecting to auth server on cluster "<teleport-cluster-name>". client/client.go:820
DEBU [CLIENT] Attempting to issue a single-use user certificate with an MFA check. client/client.go:377
Tap any security key
DEBU [CLIENT] WebAuthn: prompting U2F devices with origin "https://<teleport-cluster-hostname>:3080" client/mfa.go:110
DEBU [CLIENT] Issued single-use user certificate after an MFA check. client/client.go:445
DEBU [KEYAGENT] "Checking key: ssh-rsa-cert-v01@openssh.com <host-ssh-cert>\n." client/keyagent.go:337
DEBU [KEYAGENT] Validated host 10.xxx.xx.xxx:0@default@<teleport-cluster-name>. client/keyagent.go:343
DEBU [CLIENT] Activating relogin on ssh: rejected: connect failed (ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain). client/api.go:484
DEBU [CLIENT] not using loopback pool for remote proxy addr: <teleport-cluster-hostname>:3080 client/api.go:2849
DEBU Attempting GET <teleport-cluster-hostname>:3080/webapi/ping webclient/webclient.go:62
Enter password for Teleport user <username>:
root@test-VirtualBox:/mnt/Downloads/teleport#
root@test-VirtualBox:/mnt/Downloads/teleport# ssh-add -L
ssh-rsa-cert-v01@openssh.com <client-ssh-cert> teleport:<username>
ssh-rsa <client-public-key> teleport:<username>
It appears that the Teleport Auth server has correctly notified the tsh client that it needs to perform an MFA verification for the SSH session, and tsh indeed requested a U2F challenge and sent the resulting signature back. A single-use certificate for connecting to the target node was issued by the Teleport Auth server. But the client then hit an auth error when performing the SSH connection, resulting in an automatic relogin retry, which will still fail. The Teleport Auth logs during the process look like this:
2021-11-03T15:49:17Z DEBU [AUTH] ClientCertPool -> cert(<teleport-cluster-name> issued by <teleport-cluster-name>:328076472922566416763873844844104889916) auth/middleware.go:619
2021-11-03T15:49:17Z DEBU [AUTH] ClientCertPool -> cert(<teleport-cluster-name> issued by <teleport-cluster-name>:207881821661131457649328474509369657414) auth/middleware.go:619
2021-11-03T15:49:17Z DEBU [AUTH:1] Server certificate cert(51fb11fc-9576-47e6-b2fd-a47e6376cb3f.<teleport-cluster-name> issued by <teleport-cluster-name>:328076472922566416763873844844104889916). auth/middleware.go:300
2021-11-03T15:49:17Z DEBU [RBAC] Access to node "7d42512b-1dcf-4e1c-8601-9c6e203c4db9" denied, role "test-admin" requires per-session MFA services/role.go:1669
2021-11-03T15:49:17Z DEBU [DYNAMODB] Got 1 new stream shard records. dynamo/shards.go:231
2021-11-03T15:49:18Z DEBU [DYNAMODB] Got 1 new stream shard records. dynamo/shards.go:231
2021-11-03T15:49:19Z DEBU [KEYGEN] generated user key for [core] with expiry on (1635954619) 2021-11-03 15:50:19.488529592 +0000 UTC native/native.go:256
2021-11-03T15:49:19Z INFO [CA] Generating TLS certificate {0x720f790 0xc00120c180 1.3.9999.1.9=<client-ip-hash>,1.3.9999.1.8=#132466643236323761352d336365332d343037622d613264622d323862386436363462363964,1.3.9999.1.7=<teleport-cluster-name-hex>,1.3.9999.1.3=<kubernetes-cluster-name-hex>,1.3.9999.1.2=<kubernetes-cluster-role-hex>,CN=<username>,O=test-admin,POSTALCODE={\"kubernetes_groups\":[\"\"]\,\"kubernetes_users\":[\"\"]\,\"logins\":[\"core\"]},STREET=<teleport-cluster-name>,L=core,ST=system:masters 2021-11-03 15:50:17.848250184 +0000 UTC [] [] 5 []}. common_name:<username> dns_names:[] locality:[core] not_after:2021-11-03 15:50:17.848250184 +0000 UTC org:[test-admin] org_unit:[] tlsca/ca.go:650
2021-11-03T15:49:19Z DEBU [KEYGEN] Generated SSH host certificate for role Node with principals: [10.xxx.xx.xxx.<teleport-cluster-name> 10.xxx.xx.xxx localhost 127.0.0.1 ::1 7d42512b-1dcf-4e1c-8601-9c6e203c4db9.<teleport-cluster-name>]. native/native.go:231
2021-11-03T15:49:19Z DEBU [DYNAMODB] Got 2 new stream shard records. dynamo/shards.go:231
2021-11-03T15:49:20Z INFO [AUDIT] auth addr.local:10.xxx.xx.xxx:3022 addr.remote:<client-ip>:44742 cluster_name:<teleport-cluster-name> code:T3007W ei:0 error:[user <username>@<teleport-cluster-name> is not authorized to login as core@<teleport-cluster-name>: access to resource requires MFA] event:auth login:core success:false time:2021-11-03T15:49:20.407Z uid:e272c7a6-090c-44bc-88fe-6d44c1861699 user:<username> events/emitter.go:324
From the server logs, the 1.3.9999.1.8 field (MFAVerified) expected by the RBAC authorizer in the Teleport Auth server seems to be present in the single-use certificates issued to the client, but in recording proxy mode the client seems to hit a public key auth failure regardless. Without further logs we are not able to determine where this failure happened, and this behaviour does not seem to have been documented explicitly for the proxy recording mode in https://goteleport.com/docs/architecture/proxy/#recording-proxy-mode.
We repeated the above test without the -A agent forwarding flag for tsh ssh, and the same errors happened.
Logs from the Teleport Node server that is the target of the SSH connection show the following:
2021-11-03T18:01:24Z ERRO [NODE] Permission denied: user <username>@<teleport-cluster-name> is not authorized to login as core@<teleport-cluster-name>: access to resource requires MFA fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:deW4Cb3SI+YVq2BZ5BZDhDFgkE8UVjcsdKxIiRbtFw0 local:10.xxx.xx.xxx:3022 remote:<client-ip>:36548 user:core srv/authhandlers.go:309
2021-11-03T18:01:24Z INFO [AUDIT] auth addr.local:10.xxx.xx.xxx:3022 addr.remote:<client-ip>:36548 code:T3007W ei:0 error:[user <username>@<teleport-cluster-name> is not authorized to login as core@<teleport-cluster-name>: access to resource requires MFA] event:auth login:core success:false time:2021-11-03T18:01:24.248Z uid:475bcdce-ca38-4468-adce-91e17a161811 user:<username> events/emitter.go:324
(captured from a later attempt)
There seems to be nothing relevant in the logs of the Teleport Proxy servers.
What you expected to happen:
When we switch the above Teleport Auth server config from session_recording: 'proxy-sync' to session_recording: 'node-sync', per-session MFA seems to work as expected:
root@test-VirtualBox:/mnt/Downloads/teleport# ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-TI1IakNBcnmC/agent.2468; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2469; export SSH_AGENT_PID;
echo Agent pid 2469;
root@test-VirtualBox:/mnt/Downloads/teleport# SSH_AUTH_SOCK=/tmp/ssh-TI1IakNBcnmC/agent.2468; export SSH_AUTH_SOCK;
root@test-VirtualBox:/mnt/Downloads/teleport# ./tsh -d ssh -A core@10.xxx.xx.xxx
INFO [CLIENT] [KEY AGENT] Connected to the system agent: "/tmp/ssh-TI1IakNBcnmC/agent.2468" client/api.go:2888
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 05:28:13 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-ssh/<teleport-cluster-name>-cert.pub". client/keystore.go:303
INFO [KEYAGENT] Loading SSH key for user "<username>" and cluster "<teleport-cluster-name>". client/keyagent.go:179
INFO [CLIENT] Connecting proxy=<teleport-cluster-hostname>:3023 login="core" client/api.go:2111
DEBU [KEYAGENT] "Checking key: ssh-rsa-cert-v01@openssh.com <host-ssh-cert>\n." client/keyagent.go:337
DEBU [KEYAGENT] Validated host <teleport-cluster-hostname>:3023. client/keyagent.go:343
INFO [CLIENT] Successful auth with proxy <teleport-cluster-hostname>:3023. client/api.go:2118
DEBU [CLIENT] Found clusters: [{"name":"<teleport-cluster-name>","lastconnected":"2021-11-03T17:29:07.449220691Z","status":"online"}] client/client.go:110
INFO [CLIENT] Client= connecting to node=10.xxx.xx.xxx on cluster <teleport-cluster-name> client/client.go:925
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 05:28:13 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 05:28:13 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-ssh/<teleport-cluster-name>-cert.pub". client/keystore.go:303
DEBU [KEYSTORE] Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 05:28:13 +0000 UTC". client/keystore.go:280
DEBU [CLIENT] Client is connecting to auth server on cluster "<teleport-cluster-name>". client/client.go:820
DEBU [CLIENT] Attempting to issue a single-use user certificate with an MFA check. client/client.go:377
Tap any security key
DEBU [CLIENT] WebAuthn: prompting U2F devices with origin "https://<teleport-cluster-hostname>:3080" client/mfa.go:110
DEBU [CLIENT] Issued single-use user certificate after an MFA check. client/client.go:445
DEBU [KEYAGENT] "Checking key: ssh-rsa-cert-v01@openssh.com <host-ssh-cert>\n." client/keyagent.go:337
DEBU [KEYAGENT] Validated host 10.xxx.xx.xxx:0@default@<teleport-cluster-name>. client/keyagent.go:343
DEBU [CLIENT] Selecting system key agent. client/session.go:223
DEBU [CLIENT] Forwarding Selected Key Agent client/session.go:204
core@ip-10-xxx-xx-xxx ~ $ ls
and on server side:
2021-11-03T17:29:07Z DEBU [AUTH] ClientCertPool -> cert(<teleport-cluster-name> issued by <teleport-cluster-name>:328076472922566416763873844844104889916) auth/middleware.go:619
2021-11-03T17:29:07Z DEBU [AUTH] ClientCertPool -> cert(<teleport-cluster-name> issued by <teleport-cluster-name>:207881821661131457649328474509369657414) auth/middleware.go:619
2021-11-03T17:29:07Z DEBU [AUTH:1] Server certificate cert(6870e45f-4966-46db-a35b-5e6f3fe08dd2.<teleport-cluster-name> issued by <teleport-cluster-name>:328076472922566416763873844844104889916). auth/middleware.go:300
2021-11-03T17:29:07Z DEBU [RBAC] Access to node "7d42512b-1dcf-4e1c-8601-9c6e203c4db9" denied, role "test-admin" requires per-session MFA services/role.go:1669
2021-11-03T17:29:08Z DEBU [DYNAMODB] Got 1 new stream shard records. dynamo/shards.go:231
2021-11-03T17:29:10Z DEBU [KEYGEN] generated user key for [core] with expiry on (1635960610) 2021-11-03 17:30:10.188318167 +0000 UTC native/native.go:256
2021-11-03T17:29:10Z INFO [CA] Generating TLS certificate {0x720f790 0xc0010902c0 1.3.9999.1.9=<client-ip-hex>,1.3.9999.1.8=#132466643236323761352d336365332d343037622d613264622d323862386436363462363964,1.3.9999.1.7=<teleport-cluster-name-hex>,1.3.9999.1.3=<kubernetes-cluster-name-hex>,1.3.9999.1.2=<kubernetes-cluster-role-hex,CN=<username>,O=test-admin,POSTALCODE={\"kubernetes_groups\":[\"\"]\,\"kubernetes_users\":[\"\"]\,\"logins\":[\"core\"]},STREET=<teleport-cluster-name>,L=core,ST=system:masters 2021-11-03 17:30:07.978296874 +0000 UTC [] [] 5 []}. common_name:<username> dns_names:[] locality:[core] not_after:2021-11-03 17:30:07.978296874 +0000 UTC org:[test-admin] org_unit:[] tlsca/ca.go:650
(...)
2021-11-03T17:29:11Z INFO [AUDIT] session.start addr.local:10.xxx.xx.xxx:3022 addr.remote:<client-ip>:54562 cluster_name:<teleport-cluster-name> code:T2000I ei:0 event:session.start login:core namespace:default server_addr:10.xxx.xx.xxx:3022 server_hostname:10.xxx.xx.xxx server_id:7d42512b-1dcf-4e1c-8601-9c6e203c4db9 server_labels:map[role:<redacted>] session_recording:node-sync sid:079bf380-dc7d-425c-ad58-33dcc3cde7e1 size:80:24 time:2021-11-03T17:29:11.68Z uid:5050747a-cad0-489e-a78f-1ad982e62e05 user:<username> events/emitter.go:324
We would have expected this to work the same way in recording proxy mode.
Reproduction Steps
As minimally and precisely as possible, describe step-by-step how to reproduce the problem.
Enable MFA in Teleport 7.3.2 or Teleport 8 alpha
Enable Recording Proxy mode with session_recording: 'proxy-sync'
Verify that Kubernetes service works as expected after MFA challenge
Observe that SSH service fails to work as expected after MFA challenge
Server Details
Teleport version (run teleport version): both Teleport 7.3.2 and Teleport 8 alpha (built from master branch at time of writing, Teleport v8.0.0-alpha.1 git:v8.0.0-alpha.1-142-g89a08c439 go1.17.2), the logs above are captured from Teleport 8.
Server OS (e.g. from /etc/os-release): Flatcar Container Linux 2512
Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware): Kubernetes on AWS
Additional details:
Client Details
Tsh version (tsh version): both Teleport 7.3.2 and Teleport 8 beta (master branch at time of writing), the logs above are captured from Teleport 8 client (Teleport v8.0.0-beta.2 git:v8.0.0-beta.2-0-g8383bdaeb go1.17.2)
Computer OS (e.g. Linux, macOS, Windows): Same issues observed on macOS 11.6 and the Ubuntu 20.04 Desktop client seen in above logs
Browser version (for UI-related issues): web UI not used
Installed via (e.g. apt, yum, brew, website download): website download
Additional details:
Debug Logs
Please include or attach debug logs, when appropriate. Obfuscate sensitive information!
Start Teleport with --debug flag (teleport --debug)
Run tsh with --debug flag (tsh --debug)
Included in behaviour sections above.
Please let me know if you need further information, thank you.