-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Machine ID: Switch to using new tbot ssh-proxy-command
by default.
#41482
Conversation
@@ -62,17 +63,27 @@ type ProxySSHConfig struct { | |||
// ProxySSH creates a local ssh proxy, dialing a node and transferring data through | |||
// stdin and stdout, to be used as an OpenSSH/PuTTY proxy command. | |||
func ProxySSH(ctx context.Context, proxyConfig ProxySSHConfig) error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rosstimothy - I've made some minor changes here, perhaps worth your attention...
@@ -21,6 +21,6 @@ Host *.tele.aperture.labs tele.blackmesa.gov | |||
# Flags for all tele.aperture.labs hosts except the proxy | |||
Host *.tele.aperture.labs !tele.blackmesa.gov | |||
Port 3022 | |||
ProxyCommand "/path/to/tbot" proxy --destination-dir=/test/dir --proxy-server=tele.blackmesa.gov:443 ssh --cluster=tele.aperture.labs %r@%h:%p | |||
ProxyCommand "/path/to/tbot" ssh-proxy-command --destination-dir=/test/dir --proxy-server=tele.blackmesa.gov:443 --cluster=tele.aperture.labs --tls-routing=true --connection-upgrade=false --resume=true --user=%r --host=%h --port=%p |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rosstimothy / @espadolini - double check that tI'm not missing anything here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks about right to me. Whats the story for proxy templates? Does that require humans to manually tweak the config?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah right now the answer is "Manually modify the file" - I wanted to keep this PR a manageable size. What I'll do in another PR is allow them to be configured directly within the tbot.yaml
and then they will be written to proxytemplates.yaml
in the output destination.
I'm going to manually test this against:
|
@@ -21,6 +21,6 @@ Host *.tele.aperture.labs tele.blackmesa.gov | |||
# Flags for all tele.aperture.labs hosts except the proxy | |||
Host *.tele.aperture.labs !tele.blackmesa.gov | |||
Port 3022 | |||
ProxyCommand "/path/to/tbot" proxy --destination-dir=/test/dir --proxy-server=tele.blackmesa.gov:443 ssh --cluster=tele.aperture.labs %r@%h:%p | |||
ProxyCommand "/path/to/tbot" ssh-proxy-command --destination-dir=/test/dir --proxy-server=tele.blackmesa.gov:443 --cluster=tele.aperture.labs --tls-routing=true --connection-upgrade=false --resume=true --user=%r --host=%h --port=%p |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks about right to me. Whats the story for proxy templates? Does that require humans to manually tweak the config?
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
…avitational/teleport into strideynet/switch-to-new-ssh-proxying
Test against my local cluster (with a TLS terminating L7LB and TLS routing)
And using the
|
s = `'` + strings.ReplaceAll(s, `'`, `'"'"'`) + `'` | ||
// escape any percent signs which could trigger the percent expansion | ||
// for ProxyCommand. | ||
s = strings.ReplaceAll(s, `%`, `%%`) | ||
// escape any newlines which could impact the parsing of ssh_config | ||
s = strings.ReplaceAll(s, "\n", `'"\n"'`) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we use safetext here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We couldn't find a sensible way to then go back and replace literal newlines with their escaped form with a shsprintf.DefaultWhatever
- which we need because we're trying to build a string that, when fed through openssh's config parsing, percent replacing and execution through a shell, results in the process we want being executed with the arguments that we want.
Tested against a Cloud tenant (TLS routing on, but no need for connection upgrade)
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Working for me now!
@strideynet See the table below for backport results.
|
…41482) * Add warning to previous command * Hash out basics of new tbot proxying command use * Avoid passing full botConfig into `tbot ssh-proxy-command` * wip * simplify impl * Set up test suite for ssh config generation * Add support for checking if ALPNConnUpgrade is required * Cache the alpn upgrade result * Americanize Spellings * Update lib/tbot/config/template_ssh_client.go Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> * Add CHANGELOG.md entry for breaking change * Update tool/tbot/proxy.go Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> * Update lib/tbot/tbot.go Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com> * Switch to `--no` variants rather than `={bool}` * Use SingleFlight on alpn proxy upgrade cache * Improve singleflight * Add rudimentary shell quoting * Uniformly pad the templating * Rename shellQuote -> proxyCommandQuote * Fix imports --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
…41482) (#41694) * Add warning to previous command * Hash out basics of new tbot proxying command use * Avoid passing full botConfig into `tbot ssh-proxy-command` * wip * simplify impl * Set up test suite for ssh config generation * Add support for checking if ALPNConnUpgrade is required * Cache the alpn upgrade result * Americanize Spellings * Update lib/tbot/config/template_ssh_client.go * Add CHANGELOG.md entry for breaking change * Update tool/tbot/proxy.go * Update lib/tbot/tbot.go * Switch to `--no` variants rather than `={bool}` * Use SingleFlight on alpn proxy upgrade cache * Improve singleflight * Add rudimentary shell quoting * Uniformly pad the templating * Rename shellQuote -> proxyCommandQuote * Fix imports --------- Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com> Co-authored-by: Edoardo Spadolini <edoardo.spadolini@goteleport.com>
Closes #28910
Switches the generated
ssh_config
to use the newssh-proxy-command
. Plans the deprecation of the old ssh proxy command to occur in v17. The new behavior is significantly more performant and less resource intense, and reduces the dependency ontsh
.The old behavior can be temporarily selected by setting
TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=legacy
- this will be removed in v17.In addition, I've made some minor changes to the new command to avoid it depending so explicitly on the complete BotConfig.
I will backport this change to v15, but flip the behaviour so that this mode is opted-in to rather than the default. This will allow select users to switch to the new behavior without waiting for v16.
Associated with #41463
changelog: Switches the default SSH proxying mode in Machine ID to the newer, more performant, version. If you use Machine ID and OpenSSH, you may need to adjust your configuration, see https://goteleport.com/docs/machine-id/reference/v16-upgrade-guide/ for more information.