Access Denied for SSH showing unique id, not nodename #23719

Closed
stevenGravy opened this issue Mar 28, 2023 · 5 comments · Fixed by #23724 or #47420

Comments

@stevenGravy
Contributor

stevenGravy commented Mar 28, 2023

Expected behavior:

The access denied shows the hostname, not the uuid.

Current behavior:

The access denied is showing the node unique id.

image

Bug details:

  • Teleport version: 12.1.2
  • Recreation steps

Connect to a ssh node with the wrong username in Web UI or Teleport Connect.

@stevenGravy
Contributor Author

This has started occurring again. If the user puts in a non-allowed user, they receive this message with the node uuid.

Image

@stevenGravy stevenGravy reopened this Oct 6, 2024
@rosstimothy rosstimothy self-assigned this Oct 8, 2024
rosstimothy added a commit that referenced this issue Oct 9, 2024
Host resolution no longer happens prior to connections in the Web
UI and all dial attempts are by UUID. When an invalid login is
attempted the error message constructed only contained the info
provided to the dial request: a login and a Host UUID. To make
this error more user friendly access denied errors are now
augmented with the hostname if the user has permissions to that
host and the error occurs only due to an invalid login.

Closes #23719
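
The rule the commit message describes, as an added Go example that is not Teleport's code: the hostname is appended to an access denied error only when the user is permitted on the host and only the login is wrong, so a denied dial by UUID does not reveal the hostname or the existence of a host the user cannot access. The `Node`, `User` and `Dial` names, the label matching and the error format are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Node and User are simplified stand-ins for illustration, not Teleport types.
type Node struct {
	UUID, Hostname string
	Labels         map[string]string
}

type User struct {
	NodeLabels map[string]string // labels the user's roles grant access to
	Logins     map[string]bool   // OS logins the user's roles allow
}

var ErrAccessDenied = errors.New("access denied")

// canAccess reports whether any granted label matches the node.
func (u User) canAccess(n Node) bool {
	for k, v := range u.NodeLabels {
		if n.Labels[k] == v {
			return true
		}
	}
	return false
}

// Dial checks a dial request made by host UUID and login.
func Dial(u User, nodes map[string]Node, uuid, login string) error {
	n, ok := nodes[uuid]
	if !ok || !u.canAccess(n) {
		// Unknown host or host outside the user's roles: identical error,
		// echoing only what the caller supplied, so nothing is disclosed.
		return fmt.Errorf("%w to %s@%s", ErrAccessDenied, login, uuid)
	}
	if !u.Logins[login] {
		// Host is permitted and only the login is wrong: add the hostname.
		return fmt.Errorf("%w to %s@%s (%s)", ErrAccessDenied, login, n.Hostname, uuid)
	}
	return nil
}

func main() {
	// Constructed sample data.
	nodes := map[string]Node{"uuid-1": {"uuid-1", "web-01", map[string]string{"env": "dev"}}}
	u := User{map[string]string{"env": "dev"}, map[string]bool{"ubuntu": true}}
	fmt.Println(Dial(u, nodes, "uuid-1", "root"))
}
```
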
@rosstimothy
Contributor

@zmb3 is there any reason for the Web UI to allow users to input a custom login? Shouldn't all of the allowed logins be available in the dropdown list when clicking the connect button? Instead of allowing freeform text to be passed in for the login should that text input be converted to a filter for the available logins?

@zmb3
Collaborator

zmb3 commented Oct 9, 2024

> @zmb3 is there any reason for the Web UI to allow users to input a custom login? Shouldn't all of the allowed logins be available in the dropdown list when clicking the connect button? Instead of allowing freeform text to be passed in for the login should that text input be converted to a filter for the available logins?

You're correct. @avatus is actually working on removing the free form login entry for v17 right now.

@rosstimothy
Contributor

> You're correct. @avatus is actually working on removing the free form login entry for v17 right now.

That's awesome. I'll proceed with a small tweak to improve the error messaging in <= v16 but won't attempt to introduce a more robust solution at this time then.

@avatus
Contributor

avatus commented Oct 10, 2024

#47422

github-merge-queue bot pushed a commit that referenced this issue Oct 15, 2024