An user was deleted by tctl still connect to node service

[botranvan]

Hi everyone,
I was clone repo of teleport and build to binary to run in my systems.
I was received an error as title of topic, the step to perform as follow:

1. Create an user
2. Use tsh client to login proxy with above user
3. Delete above user
4. Use tsh ssh to node service with above user was deleted, the result I was got that user still ssh to node service.
5. Whether this is an error?

Many thanks.

[webvictim]

This behaviour is working as intended. When Teleport issues a user certificate with tsh login, that certificate remains valid until it expires (8 hours by default - this time can be changed using the options.max_session_ttl RBAC parameter). The user will not be able to get a new certificate after expiry using tsh login if they have been deleted.

This is different if using the Teleport web UI, where the user will lose access to Teleport as soon as they refresh the page or try to open a new session.

We are planning to implement active session termination and certificate revocation in a future version of Teleport. For now, here's a few potential workarounds:

1. set the certificate TTL lower
2. force users to use the web UI
3. manually rotate the Teleport user CA after deleting the user using tctl auth rotate --type=user --grace-period=30s - this will make all users need to run tsh login again to get a new certificate.