Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Implement ProxyJump compatibility #2543

Closed
kontsevoy opened this issue Feb 4, 2019 · 5 comments
Closed

Implement ProxyJump compatibility #2543

kontsevoy opened this issue Feb 4, 2019 · 5 comments
Assignees
@klizhentas
Milestone
4.1 "Seattle"

Comments

@kontsevoy
Copy link
Contributor

kontsevoy commented Feb 4, 2019
edited
Loading

Introduction

OpenSSH 7.3 introduced a very convenient way to deal with bastion hosts by adding an option called ProxyJump. See some examples here.

Currently a Teleport proxy cannot be used with ProxyJump. Adding support for this would make OpenSSH clients much easier to use.

Proposal

Adding something to like this to ~/.ssh/config should work:

Host telenode
    port 3022

    # new syntax:
    ProxyJump proxy.example.com.com:3023
    
    # old syntax:
    # ProxyCommand ssh -p 3023 %r@proxy.example.com -s proxy:%h:%p

Passing -J to OpenSSH client (ssh) should work:

$ ssh -J proxy.example.com:3023 telenode

New Flag

If you think about it, -J CLI flag for OpenSSH client is exactly what tsh --proxy is. Therefore let's add -J support to tsh as well, because it's an equivalent of --proxy, in other words this should work too:

$ tsh ssh -J proxy.example.com telenode

... and tsh --help should say, among other things:

$ tsh ssh --help
Flags:
  -J, --proxy               SSH proxy address

Backward Comp

Obviously the legacy ProxyCommand support should continue to work.

Better error handling on Proxy side

Currently if you attempt to use ProxyJump with Teleport 3.1-alpha you get:

$ ssh -J proxy.example.com:3023 telenode
channel 0: open failed: unknown channel type: unknown channel type: direct-tcpip
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host

BTW fixing that error message (it's duplicated) would also be nice, ideally an error like this should say that it's coming from a proxy, not the node (or auth) so it would be easier to debug/troubleshoot:

$ some-kind-of-command-that-causes-proxy-error
Teleport proxy: unknown channel type 'direct-tcpip'
ssh_exchange_identification: Connection closed by remote host
@kontsevoy
Copy link
Contributor Author

@klizhentas please review.

@klizhentas
Copy link
Contributor

For some reason I though that ProxyJump already works with Teleport, we should definitely support it. @russjones correctly noted though that proxy jump does not allow us to provide trusted cluster name as a parameter though, so it will work as a limited subset of what we have.

It also does not seem to be very high priority, so I propose to push this to later releases.

@kontsevoy
Copy link
Contributor Author

ProxyJump allows to take a list of arguments, i.e. a list of jump hosts, which we can use to select the trusted cluster. Since we're adding cluster metadata as well (for other purposes) the auth server should know the proxy URL of the trusted cluster for the next jump, hence this should work:

$ ssh -J proxy.example.com:3023,trusted.example.com:3023

@klizhentas
Copy link
Contributor

good point, I was not aware of that feature, let's schedule for implementation then some time after the "Pleasanton"

@donovan donovan mentioned this issue Apr 18, 2019
Open
@donovan
Copy link

donovan commented Apr 18, 2019

Hi.

Issue #2662 seems to be related to this issue. Thought it was worth pointing out that there is a use case that seems to rely on this functionality. Seems I can't provision EC2 instances using the terraform file or remote-exec provisioners when using a teleport proxy. This works fine when using a bastion running OpenSSH Server.

@klizhentas klizhentas added this to the 4.1 "Seattle" milestone May 8, 2019
@klizhentas klizhentas self-assigned this Jul 19, 2019
klizhentas added a commit that referenced this issue Jul 24, 2019
@klizhentas
Add support for ProxyJump.
85c159c 
This commit implements #2543

In SSH terms ProxyJump is a shortcut for SSH client
connecting the proxy/jumphost and requesting .port forwarding to the
target node.

This commit adds support for direct-tcpip request support
in teleport proxy service that is an alias to the existing proxy
subsystem and reuses most of the code.

This commit also adds support to "route to cluster" metadata
encoded in SSH certificate making it possible to have client
SSH certificates to include the metadata that will cause the proxy
to route the client requests to a specific cluster.

`tsh ssh -J proxy:port ` is supported in a limited way:

Only one jump host is supported (-J supports chaining
that teleport does not utilise) and tsh will return with error
in case of two jumphosts: -J a,b will not work.

In case if `tsh ssh -J user@proxy` is used, it overrides
the SSH proxy coming from the tsh profile and port-forwarding
is used instead of the existing teleport proxy subsystem
@klizhentas klizhentas mentioned this issue Jul 24, 2019
Merged
klizhentas added a commit that referenced this issue Jul 25, 2019
@klizhentas
Add support for ProxyJump.
9e22f5e 
This commit implements #2543

In SSH terms ProxyJump is a shortcut for SSH client
connecting the proxy/jumphost and requesting .port forwarding to the
target node.

This commit adds support for direct-tcpip request support
in teleport proxy service that is an alias to the existing proxy
subsystem and reuses most of the code.

This commit also adds support to "route to cluster" metadata
encoded in SSH certificate making it possible to have client
SSH certificates to include the metadata that will cause the proxy
to route the client requests to a specific cluster.

`tsh ssh -J proxy:port ` is supported in a limited way:

Only one jump host is supported (-J supports chaining
that teleport does not utilise) and tsh will return with error
in case of two jumphosts: -J a,b will not work.

In case if `tsh ssh -J user@proxy` is used, it overrides
the SSH proxy coming from the tsh profile and port-forwarding
is used instead of the existing teleport proxy subsystem
klizhentas added a commit that referenced this issue Jul 26, 2019
@klizhentas
Add support for ProxyJump.
838e754 
This commit implements #2543

In SSH terms ProxyJump is a shortcut for SSH client
connecting the proxy/jumphost and requesting .port forwarding to the
target node.

This commit adds support for direct-tcpip request support
in teleport proxy service that is an alias to the existing proxy
subsystem and reuses most of the code.

This commit also adds support to "route to cluster" metadata
encoded in SSH certificate making it possible to have client
SSH certificates to include the metadata that will cause the proxy
to route the client requests to a specific cluster.

`tsh ssh -J proxy:port ` is supported in a limited way:

Only one jump host is supported (-J supports chaining
that teleport does not utilise) and tsh will return with error
in case of two jumphosts: -J a,b will not work.

In case if `tsh ssh -J user@proxy` is used, it overrides
the SSH proxy coming from the tsh profile and port-forwarding
is used instead of the existing teleport proxy subsystem
@benarent benarent mentioned this issue Jul 30, 2019
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@klizhentas klizhentas

Labels
None yet
Projects
None yet
Milestone
4.1 "Seattle"
Development

No branches or pull requests
3 participants
@klizhentas @donovan @kontsevoy