Add support for ProxyJump. #2873
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
retest this please |
webvictim
reviewed
Jul 24, 2019
| ctx: ctx, | ||
| }) | ||
| if err != nil { | ||
| log.Errorf("Unable instantiate proxy subsystem: %v.", err) |
lib/srv/regular/sshserver.go
Outdated
| } | ||
|
|
||
| if err := subsys.Start(sconn, ch, &ssh.Request{}, ctx); err != nil { | ||
| log.Errorf("Unable start proxy subsystem: %v.", err) |
lib/srv/regular/sshserver.go
Outdated
| Interval: clusterConfig.GetKeepAliveInterval(), | ||
| MaxCount: clusterConfig.GetKeepAliveCountMax(), | ||
| CloseContext: ctx.CancelContext(), | ||
| // TODO(klizhentas): is this the best way to signal |
| out: []JumpHost{{Username: "alice", Addr: NetAddr{Addr: "127.0.0.1:7777", AddrNetwork: "tcp"}}}, | ||
| }, | ||
| { | ||
| in: "alice@127.0.0.1:7777, bob@localhost", |
There was a problem hiding this comment.
Are we explicitly supporting spaces in jump host lists? All the examples we give have no spaces.
klizhentas
force-pushed
the
sasha/j
branch
2 times, most recently
from
e799706 to
a841bbd
Compare
fspmarshall
approved these changes
Jul 25, 2019
russjones
approved these changes
Jul 25, 2019
This commit implements #2543 In SSH terms ProxyJump is a shortcut for SSH client connecting the proxy/jumphost and requesting .port forwarding to the target node. This commit adds support for direct-tcpip request support in teleport proxy service that is an alias to the existing proxy subsystem and reuses most of the code. This commit also adds support to "route to cluster" metadata encoded in SSH certificate making it possible to have client SSH certificates to include the metadata that will cause the proxy to route the client requests to a specific cluster. `tsh ssh -J proxy:port ` is supported in a limited way: Only one jump host is supported (-J supports chaining that teleport does not utilise) and tsh will return with error in case of two jumphosts: -J a,b will not work. In case if `tsh ssh -J user@proxy` is used, it overrides the SSH proxy coming from the tsh profile and port-forwarding is used instead of the existing teleport proxy subsystem
|
retest this please |
2 similar comments
|
retest this please |
|
retest this please |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit implements #2543
In SSH terms ProxyJump is a shortcut for SSH client
connecting the proxy/jumphost and requesting .port forwarding to the
target node.
This commit adds support for direct-tcpip request support
in teleport proxy service that is an alias to the existing proxy
subsystem and reuses most of the code.
This commit also adds support to "route to cluster" metadata
encoded in SSH certificate making it possible to have client
SSH certificates to include the metadata that will cause the proxy
to route the client requests to a specific cluster.
tsh ssh -J proxy:portis supported in a limited way:Only one jump host is supported (-J supports chaining
that teleport does not utilise) and tsh will return with error
in case of two jumphosts: -J a,b will not work.
In case if
tsh ssh -J user@proxyis used, it overridesthe SSH proxy coming from the tsh profile and port-forwarding
is used instead of the existing teleport proxy subsystem