SSH agent forwarding via Teleport is only respected for the first command in a session #3471

Closed
webvictim opened this issue Mar 24, 2020 · 0 comments · Fixed by #3613
Description

What happened: When opening an SSH session and running multiple commands within the same transport using something like Ruby's Net::SSH channels, Teleport only forwards the SSH agent for the first command - the environment variables are not set (and the socket is not present) for subsequent commands.

What you expected to happen: The SSH agent should be available for all commands in a session when SSH agent forwarding is enabled.

How to reproduce it (as minimally and precisely as possible):

  • Set up a Teleport cluster (example.gravitational.co here)
  • Run tsh login example.gravitational.co
  • Set up your ~/.ssh/config file with an appropriate ProxyCommand:
Host hostname
    User username
    Port 3022
    ForwardAgent yes
    ProxyCommand ssh -p 3023 %r@example.gravitational.co -s proxy:%h:%p
  • Install the net-ssh Ruby gem (on Fedora this is provided by running dnf install rubygem-net-ssh or gem install net-ssh)
  • Save this Ruby script as test.rb and run it with ruby test.rb (update the hostname and username near the top for your own test cluster):
#!/usr/bin/env ruby
require 'rubygems'
require 'net/ssh'

Net::SSH.start('hostname','username',:forward_agent => true) do |ssh|
    stdout = ""
    stdout2 = ""

    puts "First run"
    ssh.exec!( "printenv | grep SSH" ) do |channel, stream, data|
        stdout << data if stream == :stdout
    end
    puts stdout

    puts "\n"
    puts "Second run"
    ssh.exec!( "printenv | grep SSH" ) do |channel2, stream2, data2|
        stdout2 << data2 if stream2 == :stdout
    end
    puts stdout2

    ssh.loop
end
  • Observe that the environment variables are different between the two runs - the first output has SSH_AUTH_SOCK and SSH_AGENT_PID set, the second does not:
First run
SSH_CONNECTION=1.2.3.4 37158 127.0.0.1 3022
SSH_AUTH_SOCK=/tmp/teleport-007586859/teleport-8.socket
SSH_TELEPORT_HOST_UUID=e2f9956f-232b-4135-8f4b-b8766ee5e04b
SSH_SESSION_WEBPROXY_ADDR=<proxyhost>:3080
SSH_AGENT_PID=8
SSH_CLIENT=1.2.3.4 37158 3022
SSH_TELEPORT_USER=example@gravitational.com
SSH_TELEPORT_CLUSTER_NAME=example.gravitational.co

Second run
SSH_CONNECTION=1.2.3.4 37158 127.0.0.1 3022
SSH_TELEPORT_HOST_UUID=e2f9956f-232b-4135-8f4b-b8766ee5e04b
SSH_SESSION_WEBPROXY_ADDR=<proxyhost>:3080
SSH_CLIENT=1.2.3.4 37158 3022
SSH_TELEPORT_USER=example@gravitational.com
SSH_TELEPORT_CLUSTER_NAME=example.gravitational.co

The Teleport logs also state that the agent is closing after the first command: AgentServer(/tmp/teleport-007586859/teleport-8.socket) is closing teleagent/agent.go:104

Full logs here:

DEBU [SSH:NODE]  Incoming connection 1.2.3.4:37242 -> 127.0.0.1:3022 vesion: SSH-2.0-Ruby/Net::SSH_5.1.0 x86_64-linux. sshutils/server.go:425
DEBU [KEEPALIVE] Starting keep-alive loop with with interval 5m0s and max count 3. srv/keepalive.go:67
DEBU [NODE]      Handling request auth-agent-req@openssh.com, want reply true. id:13 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com regular/sshserver.go:1100
DEBU [NODE]      Opened agent channel for Teleport user example@gravitational.com and socket /tmp/teleport-007586859/teleport-8.socket. id:13 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com regular/sshserver.go:774
DEBU [NODE]      Handling request exec, want reply true. id:13 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com regular/sshserver.go:1100
INFO [NODE]      Creating (exec) session 1af74124-be9c-4f03-a329-975485c55db1. id:13 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com srv/sess.go:222
INFO [NODE]      Started local command execution: "printenv | grep SSH" id:13 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com srv/exec.go:186
INFO [SESSION:N] Closing session 1af74124-be9c-4f03-a329-975485c55db1 srv/sess.go:572
DEBU [NODE]      Local command successfully executed. id:13 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com srv/exec.go:200
DEBU [NODE]      Exec request ("printenv | grep SSH") complete: 0 id:13 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com regular/sshserver.go:1080
DEBU             AgentServer(/tmp/teleport-007586859/teleport-8.socket) is closing teleagent/agent.go:104
DEBU [KEEPALIVE] Starting keep-alive loop with with interval 5m0s and max count 3. srv/keepalive.go:67
DEBU [NODE]      Handling request exec, want reply true. id:14 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com regular/sshserver.go:1100
INFO [NODE]      Creating (exec) session 05e88ae7-4366-40a2-bbce-443207ab01b0. id:14 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com srv/sess.go:222
INFO [NODE]      Started local command execution: "printenv | grep SSH" id:14 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com srv/exec.go:186
INFO [SESSION:N] Closing session 05e88ae7-4366-40a2-bbce-443207ab01b0 srv/sess.go:572
DEBU [NODE]      Local command successfully executed. id:14 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com srv/exec.go:200
DEBU [NODE]      Exec request ("printenv | grep SSH") complete: 0 id:14 local:127.0.0.1:3022 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com regular/sshserver.go:1080
DEBU [NODE]      Subsystem proxySubsys(cluster=default/example.gravitational.co, host=example-auth-0, port=3022) finished with result: read tcp 127.0.0.1:42506->127.0.0.1:3022: use of closed network connection. regular/sshserver.go:1234
DEBU [PROXY]     Close session request: read tcp 127.0.0.1:42506->127.0.0.1:3022: use of closed network connection. id:12 local:10.4.0.218:3023 login:root remote:1.2.3.4:37242 teleportUser:example@gravitational.com regular/sshserver.go:1061
DEBU [SSH:NODE]  Closed connection 1.2.3.4:37242. sshutils/server.go:427
DEBU [SSH:PROXY] Closed connection 1.2.3.4:37242. sshutils/server.go:427
DEBU [AUDIT]     Session upload completed. duration:4.423581ms session-id:05e88ae7-4366-40a2-bbce-443207ab01b0 events/uploader.go:257
DEBU [AUDIT]     Removed /var/lib/teleport/log/upload/sessions/default/05e88ae7-4366-40a2-bbce-443207ab01b0.completed. events/uploader.go:204
DEBU [AUDIT]     Removed /var/lib/teleport/log/upload/sessions/default/05e88ae7-4366-40a2-bbce-443207ab01b0.index. events/uploader.go:204
DEBU [AUDIT]     Removed /var/lib/teleport/log/upload/sessions/default/05e88ae7-4366-40a2-bbce-443207ab01b0-0.events.gz. events/uploader.go:204
DEBU [AUDIT]     Session upload completed. duration:16.683868ms session-id:1af74124-be9c-4f03-a329-975485c55db1 events/uploader.go:257
DEBU [AUDIT]     Removed /var/lib/teleport/log/upload/sessions/default/1af74124-be9c-4f03-a329-975485c55db1-0.events.gz. events/uploader.go:204
DEBU [AUDIT]     Removed /var/lib/teleport/log/upload/sessions/default/1af74124-be9c-4f03-a329-975485c55db1.completed. events/uploader.go:204
DEBU [AUDIT]     Removed /var/lib/teleport/log/upload/sessions/default/1af74124-be9c-4f03-a329-975485c55db1.index. events/uploader.go:204

Environment

  • Teleport version (use teleport version): Teleport Enterprise v4.2.6 git:v4.2.6-0-gce1cbbf8 go1.13.2

  • Tsh version (use tsh version): Teleport v4.2.6 git:v4.2.6-0-gce1cbbf8 go1.13.2

  • OS (e.g. from /etc/os-release): Fedora 31

  • Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware): GKE
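
A log check for the symptom reported above, as an added example that is not part of the original issue and is not Teleport code: it replays node debug logs and flags every exec request that arrives on a connection after that connection's forwarded agent socket has already been closed. The log lines are constructed in the format quoted in the issue (documentation IP addresses, placeholder users and socket paths), and `execs_without_agent` is a hypothetical helper name.

```ruby
#!/usr/bin/env ruby
# Added example (not Teleport code). SAMPLE_LOG is constructed test data.

SAMPLE_LOG = <<~'LOG'
  DEBU [NODE]      Opened agent channel for Teleport user alice@example.com and socket /tmp/teleport-000000001/teleport-8.socket. id:13 local:127.0.0.1:3022 login:root remote:192.0.2.10:40000 teleportUser:alice@example.com regular/sshserver.go:774
  DEBU [NODE]      Handling request exec, want reply true. id:13 local:127.0.0.1:3022 login:root remote:192.0.2.10:40000 teleportUser:alice@example.com regular/sshserver.go:1100
  DEBU             AgentServer(/tmp/teleport-000000001/teleport-8.socket) is closing teleagent/agent.go:104
  DEBU [NODE]      Handling request exec, want reply true. id:14 local:127.0.0.1:3022 login:root remote:192.0.2.10:40000 teleportUser:alice@example.com regular/sshserver.go:1100
  DEBU [NODE]      Handling request exec, want reply true. id:15 local:127.0.0.1:3022 login:root remote:192.0.2.10:40000 teleportUser:alice@example.com regular/sshserver.go:1100
  DEBU [SSH:NODE]  Closed connection 192.0.2.10:40000. sshutils/server.go:427
  DEBU [NODE]      Opened agent channel for Teleport user bob@example.com and socket /tmp/teleport-000000002/teleport-9.socket. id:20 local:127.0.0.1:3022 login:root remote:198.51.100.7:41000 teleportUser:bob@example.com regular/sshserver.go:774
  DEBU [NODE]      Handling request exec, want reply true. id:20 local:127.0.0.1:3022 login:root remote:198.51.100.7:41000 teleportUser:bob@example.com regular/sshserver.go:1100
  DEBU [NODE]      Handling request exec, want reply true. id:21 local:127.0.0.1:3022 login:root remote:198.51.100.7:41000 teleportUser:bob@example.com regular/sshserver.go:1100
  DEBU             AgentServer(/tmp/teleport-000000002/teleport-9.socket) is closing teleagent/agent.go:104
  DEBU [SSH:NODE]  Closed connection 198.51.100.7:41000. sshutils/server.go:427
  DEBU [NODE]      Handling request exec, want reply true. id:30 local:127.0.0.1:3022 login:root remote:203.0.113.5:42000 teleportUser:carol@example.com regular/sshserver.go:1100
LOG

OPENED      = /Opened agent channel for Teleport user (\S+) and socket (\S+)\. .*\bremote:(\S+)/
CLOSING     = /AgentServer\((\S+?)\) is closing/
EXEC        = /Handling request exec, .*\bid:(\d+) .*\bremote:(\S+)/
CLOSED_CONN = /Closed connection (\S+?)\.\s/

Finding = Struct.new(:remote, :channel_id, :user, :socket)

# Returns one Finding per exec request that ran on a connection whose
# forwarded agent socket had been opened and then closed again.
def execs_without_agent(log_text)
  live = {}   # remote addr => {user:, socket:} while the agent socket is open
  lost = {}   # remote addr => same record once the socket was closed early
  findings = []

  log_text.each_line do |line|
    case line
    when OPENED
      user, socket, remote = $1, $2, $3
      live[remote] = { user: user, socket: socket }
      lost.delete(remote)
    when CLOSING
      # The closing line carries no connection fields, so correlate by socket path.
      socket = $1
      remote = live.keys.find { |r| live[r][:socket] == socket }
      lost[remote] = live.delete(remote) if remote
    when EXEC
      id, remote = $1.to_i, $2
      info = lost[remote]
      findings << Finding.new(remote, id, info[:user], info[:socket]) if info
    when CLOSED_CONN
      # Connection teardown: a socket closing here is expected, so reset state.
      live.delete($1)
      lost.delete($1)
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  execs_without_agent(SAMPLE_LOG).each do |f|
    puts "#{f.remote} channel #{f.channel_id} (#{f.user}): exec after #{f.socket} closed"
  end
end
```

Connections that never requested agent forwarding, or whose agent socket closes only at teardown, produce no findings.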
