Allow tsh to connect to legacy clusters. #2784
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
russjones
force-pushed
the
rjones/tsh-lemma
branch
from
5bf56e8 to
76a8abd
Compare
fspmarshall
reviewed
Jun 19, 2019
russjones
force-pushed
the
rjones/tsh-lemma
branch
from
76a8abd to
4906d2c
Compare
klizhentas
reviewed
Jun 21, 2019
| // fails, fallback to legacy lemma package. | ||
| func (rd *Redirector) open(ciphertext []byte) ([]byte, error) { | ||
| plaintext, err := rd.key.Open(ciphertext) | ||
| if err != nil { |
There was a problem hiding this comment.
does this do some integrity check to make sure it decodes random text, I'm pretty sure it does, but want to confirm
There was a problem hiding this comment.
Yes they do, AES-GCM and NaCl are both AEAD ciphers.
klizhentas
reviewed
Jun 21, 2019
klizhentas
reviewed
Jun 21, 2019
While moving from lemma (NaCl based) to the new internal secret package (AES-GCM based), Teleport was updated to allow older tsh clients to connect to newer proxies. Support to allow newer tsh clients to connect to older proxies was omitted. To allow newer tsh clients to connect to older proxies, Teleport attempts to decrypt the response payload using the new secret package, and if it fails, attempts to use the legacy lemma package. In addition, the secret key that tsh generates is encoded in the new as well as older format when submitting the client submits the request to Teleport.
russjones
force-pushed
the
rjones/tsh-lemma
branch
from
4906d2c to
c510329
Compare
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
While moving from lemma (NaCl based) to the new internal secret package (AES-GCM based), Teleport was updated to allow older tsh clients to connect to newer proxies. Support to allow newer tsh clients to connect to older proxies was omitted.
To allow newer tsh clients to connect to older proxies, Teleport attempts to decrypt the response payload using the new secret package, and if it fails, attempts to use the legacy lemma package.
In addition, the secret key that tsh generates is encoded in the new as well as older format when submitting the client submits the request to Teleport.