[v12] Machine ID tbot FIPS Support

lib/tbot/config/config.go

@@ -31,6 +31,7 @@ import (
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/utils"
 )
 
@@ -151,6 +152,14 @@ type CLIConf struct {
 	// RemainingArgs is the remaining string arguments for commands that
 	// require them.
 	RemainingArgs []string
+
+	// FIPS instructs `tbot` to run in a mode designed to comply with FIPS
+	// regulations. This means the bot should:
+	// - Refuse to run if not compiled with boringcrypto
+	// - Use FIPS relevant endpoints for cloud providers (e.g AWS)
+	// - Restrict TLS / SSH cipher suites and TLS version
+	// - RSA2048 should be used for private key generation
+	FIPS bool
 }
 
 // AzureOnboardingConfig holds configuration relevant to the "azure" join method.
@@ -227,6 +236,20 @@ type BotConfig struct {
 	CertificateTTL  time.Duration `yaml:"certificate_ttl"`
 	RenewalInterval time.Duration `yaml:"renewal_interval"`
 	Oneshot         bool          `yaml:"oneshot"`
+	// FIPS instructs `tbot` to run in a mode designed to comply with FIPS
+	// regulations. This means the bot should:
+	// - Refuse to run if not compiled with boringcrypto
+	// - Use FIPS relevant endpoints for cloud providers (e.g AWS)
+	// - Restrict TLS / SSH cipher suites and TLS version
+	// - RSA2048 should be used for private key generation
+	FIPS bool `yaml:"fips"`
+}
+
+func (conf *BotConfig) CipherSuites() []uint16 {
+	if conf.FIPS {
+		return defaults.FIPSCipherSuites
+	}
+	return utils.DefaultCipherSuites()
 }
 
 func (conf *BotConfig) CheckAndSetDefaults() error {
@@ -438,6 +461,10 @@ func FromCLIConf(cf *CLIConf) (*BotConfig, error) {
 		config.Onboarding.SetToken(cf.Token)
 	}
 
+	if cf.FIPS {
+		config.FIPS = cf.FIPS
+	}
+
 	if err := config.CheckAndSetDefaults(); err != nil {
 		return nil, trace.Wrap(err, "validating merged bot config")
 	}

lib/tbot/identity/identity.go

@@ -33,6 +33,7 @@ import (
 	apiutils "github.com/gravitational/teleport/api/utils"
 	"github.com/gravitational/teleport/api/utils/keys"
 	apisshutils "github.com/gravitational/teleport/api/utils/sshutils"
+	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/tbot/bot"
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
@@ -228,23 +229,33 @@ func (i *Identity) getSSHCheckers() ([]ssh.PublicKey, error) {
 
 // SSHClientConfig returns a ssh.ClientConfig used by the bot to connect to
 // the reverse tunnel server.
-func (i *Identity) SSHClientConfig() (*ssh.ClientConfig, error) {
+func (i *Identity) SSHClientConfig(fips bool) (*ssh.ClientConfig, error) {
 	callback, err := apisshutils.NewHostKeyCallback(
 		apisshutils.HostKeyCallbackConfig{
 			GetHostCheckers: i.getSSHCheckers,
+			FIPS:            fips,
 		})
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 	if len(i.SSHCert.ValidPrincipals) < 1 {
 		return nil, trace.BadParameter("user cert has no valid principals")
 	}
-	return &ssh.ClientConfig{
+	config := &ssh.ClientConfig{
 		User:            i.SSHCert.ValidPrincipals[0],
 		Auth:            []ssh.AuthMethod{ssh.PublicKeys(i.KeySigner)},
 		HostKeyCallback: callback,
 		Timeout:         apidefaults.DefaultIOTimeout,
-	}, nil
+	}
+	if fips {
+		config.Config = ssh.Config{
+			KeyExchanges: defaults.FIPSKEXAlgorithms,
+			MACs:         defaults.FIPSMACAlgorithms,
+			Ciphers:      defaults.FIPSCiphers,
+		}
+	}
+
+	return config, nil
 }
 
 // ReadIdentityFromStore reads stored identity credentials

lib/tbot/renew.go

@@ -75,12 +75,12 @@ func (b *Bot) AuthenticatedUserClientFromIdentity(ctx context.Context, id *ident
 		return nil, trace.BadParameter("auth client requires a fully formed identity")
 	}
 
-	tlsConfig, err := id.TLSConfig(nil /* cipherSuites */)
+	tlsConfig, err := id.TLSConfig(b.cfg.CipherSuites())
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
 
-	sshConfig, err := id.SSHClientConfig()
+	sshConfig, err := id.SSHClientConfig(b.cfg.FIPS)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}
@@ -473,6 +473,8 @@ func (b *Bot) getIdentityFromToken() (*identity.Identity, error) {
 		GetHostCredentials: client.HostCredentials,
 		JoinMethod:         b.cfg.Onboarding.JoinMethod,
 		Expires:            &expires,
+		FIPS:               b.cfg.FIPS,
+		CipherSuites:       b.cfg.CipherSuites(),
 	}
 	if params.JoinMethod == types.JoinMethodAzure {
 		params.AzureParams = auth.AzureParams{

lib/tbot/tbot.go

@@ -33,6 +33,7 @@ import (
 	"github.com/gravitational/teleport/api/client/webclient"
 	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/auth"
+	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/tbot/config"
 	"github.com/gravitational/teleport/lib/tbot/identity"
 	"github.com/gravitational/teleport/lib/utils"
@@ -42,6 +43,7 @@ type Bot struct {
 	cfg        *config.BotConfig
 	log        logrus.FieldLogger
 	reloadChan chan struct{}
+	modules    modules.Modules
 
 	// These are protected by getter/setters with mutex locks
 	mu         sync.Mutex
@@ -62,6 +64,7 @@ func New(cfg *config.BotConfig, log logrus.FieldLogger, reloadChan chan struct{}
 		cfg:        cfg,
 		log:        log,
 		reloadChan: reloadChan,
+		modules:    modules.GetModules(),
 
 		_cas: map[types.CertAuthType][]types.CertAuthority{},
 	}
@@ -266,6 +269,14 @@ func (b *Bot) initialize(ctx context.Context) (func() error, error) {
 		)
 	}
 
+	if b.cfg.FIPS {
+		if !b.modules.IsBoringBinary() {
+			b.log.Error("FIPS mode enabled but FIPS compatible binary not in use. Ensure you are using the Enterprise FIPS binary to use this flag.")
+			return nil, trace.BadParameter("fips mode enabled but binary was not compiled with boringcrypto")
+		}
+		b.log.Info("Bot is running in FIPS compliant mode.")
+	}
+
 	// First, try to make sure all destinations are usable.
 	if err := checkDestinations(b.cfg); err != nil {
 		return nil, trace.Wrap(err)

operator/sidecar/tbot.go

@@ -137,7 +137,7 @@ func (b *Bot) GetClient(ctx context.Context) (auth.ClientI, error) {
 		return nil, trace.Wrap(err)
 	}
 
-	sshConfig, err := id.SSHClientConfig()
+	sshConfig, err := id.SSHClientConfig(false)
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

tool/tbot/main.go

@@ -65,6 +65,7 @@ func Run(args []string, stdout io.Writer) error {
 	app := utils.InitCLIParser("tbot", appHelp).Interspersed(false)
 	app.Flag("debug", "Verbose logging to stdout.").Short('d').BoolVar(&cf.Debug)
 	app.Flag("config", "Path to a configuration file.").Short('c').StringVar(&cf.ConfigPath)
+	app.Flag("fips", "Runs tbot in FIPS compliance mode. This requires the FIPS binary is in use.").BoolVar(&cf.FIPS)
 	app.HelpFlag.Short('h')
 
 	joinMethodList := fmt.Sprintf(

tool/tbot/main_test.go

@@ -65,6 +65,7 @@ func TestRun_Configure(t *testing.T) {
 				"--oneshot",
 				"--certificate-ttl", "42m",
 				"--renewal-interval", "21m",
+				"--fips",
 			}...),
 		},
 	}

tool/tbot/testdata/TestRun_Configure/all_parameters_provided/file.golden

@@ -15,3 +15,4 @@ auth_server: example.com
 certificate_ttl: 42m0s
 renewal_interval: 21m0s
 oneshot: true
+fips: true

tool/tbot/testdata/TestRun_Configure/all_parameters_provided/stdout.golden

@@ -15,3 +15,4 @@ auth_server: example.com
 certificate_ttl: 42m0s
 renewal_interval: 21m0s
 oneshot: true
+fips: true

tool/tbot/testdata/TestRun_Configure/no_parameters_provided/file.golden

@@ -9,3 +9,4 @@ auth_server: ""
 certificate_ttl: 1h0m0s
 renewal_interval: 20m0s
 oneshot: false
+fips: false

tool/tbot/testdata/TestRun_Configure/no_parameters_provided/stdout.golden

@@ -9,3 +9,4 @@ auth_server: ""
 certificate_ttl: 1h0m0s
 renewal_interval: 20m0s
 oneshot: false
+fips: false