
Fix TLS Routing jumphost flow #11282

Merged
merged 11 commits into from
Mar 28, 2022
Fix TLS Routing jumphost flow
smallinsky committed Mar 21, 2022
commit 7adad2e898326e01408ffbc8d2a882fdcdfab751
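--- a/lib/client/api.go
+++ b/lib/client/api.go
@@ -2302,12 +2302,16 @@ func makeProxySSHClientWithTLSWrapper(tc *TeleportClient, sshConfig *ssh.ClientC
 }
 
 func makeProxySSHClient(tc *TeleportClient, sshConfig *ssh.ClientConfig) (*ssh.Client, error) {
-if tc.Config.TLSRoutingEnabled {
+if tc.Config.TLSRoutingEnabled && len(tc.JumpHosts) == 0 {
 return makeProxySSHClientWithTLSWrapper(tc, sshConfig)
 }
-client, err := ssh.Dial("tcp", tc.Config.SSHProxyAddr, sshConfig)
+addr := tc.Config.SSHProxyAddr
+if len(tc.JumpHosts) > 0 {
+addr = tc.JumpHosts[0].Addr.Addr
+}
+client, err := ssh.Dial("tcp", addr, sshConfig)
 if err != nil {
-return nil, trace.Wrap(err, "failed to authenticate with proxy %v", tc.Config.SSHProxyAddr)
+return nil, trace.Wrap(err, "failed to authenticate with proxy %v", addr)
 }
 return client, nil
 }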
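Review bot: The new `addr = tc.JumpHosts[0].Addr.Addr` dials only the first jump host and silently drops any further entries in tc.JumpHosts, and nothing in makeProxySSHClient documents that; if multi-hop is not chained here, say so, e.g. `// Only the first jump host is dialed; additional -J hops are not chained at this layer.` The same sshConfig is now used for whichever address is chosen, so its HostKeyCallback (presumably built for the proxy) is what verifies the jump host's key — worth confirming it is keyed on the dialed address rather than pinned to SSHProxyAddr, since a mismatch here would either reject valid jump hosts or skip verification. The wrapped error still reads "failed to authenticate with proxy %v" when addr is a jump host; `"failed to connect to %v"` would be accurate on both paths. The TLS-routing fast path is now bypassed whenever a jump host is set, which the new test (proxy_test.go) exercises only against the leaf proxy's SSH listener.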
37 changes: 37 additions & 0 deletions tool/tsh/proxy_test.go
@@ -67,6 +67,7 @@ func TestTSHSSH(t *testing.T) {
}{
{"ssh root cluster access", testRootClusterSSHAccess},
{"ssh leaf cluster access", testLeafClusterSSHAccess},
{"test jump host ssh proxy port", testJumpHostProxySSHPort},
}

for _, tc := range tests {
@@ -167,6 +168,42 @@ func testLeafClusterSSHAccess(t *testing.T, s *suite) {
require.NoError(t, err)
}

func testJumpHostProxySSHPort(t *testing.T, s *suite) {
err := Run([]string{
"login",
"--insecure",
"--debug",
"--auth", s.connector.GetName(),
"--proxy", s.root.Config.Proxy.WebAddr.String(),
s.root.Config.Auth.ClusterName.GetClusterName(),
}, func(cf *CLIConf) error {
cf.mockSSOLogin = mockSSOLogin(t, s.root.GetAuthServer(), s.user)
return nil
})
require.NoError(t, err)

err = Run([]string{
"login",
"--insecure",
s.leaf.Config.Auth.ClusterName.GetClusterName(),
}, func(cf *CLIConf) error {
cf.mockSSOLogin = mockSSOLogin(t, s.root.GetAuthServer(), s.user)
return nil
})
require.NoError(t, err)

err = Run([]string{
"ssh",
"-J", s.leaf.Config.Proxy.SSHAddr.Addr,
s.leaf.Config.Hostname,
"echo", "hello",
}, func(cf *CLIConf) error {
cf.mockSSOLogin = mockSSOLogin(t, s.root.GetAuthServer(), s.user)
return nil
})
require.NoError(t, err)
}

// TestProxySSHDial verifies "tsh proxy ssh" command.
func TestProxySSHDial(t *testing.T) {
createAgent(t)
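Review bot: testJumpHostProxySSHPort asserts only that each Run call returns nil; it neither checks that "hello" was produced nor that the session actually went through the `-J` address, so a regression that ignores the jump host and dials the root proxy directly would still pass. Capturing the command's output (as the other tests in this file do, if a stdout hook on CLIConf exists) and requiring "hello" would pin at least the first half. A one-line comment stating the regression being guarded would help the next reader, e.g. `// Regression: with TLS routing enabled, -J must dial the jump host's plain SSH port instead of the TLS-routing wrapper.` — hedged, since whether TLS routing is enabled in this suite is not visible in the hunk. The `--debug` flag on the first login looks like leftover noise and can go.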
6 changes: 4 additions & 2 deletions tool/tsh/tsh_helper_test.go
@@ -108,7 +108,7 @@ func (s *suite) setupRootCluster(t *testing.T, options testSuiteOptions) {

func (s *suite) setupLeafCluster(t *testing.T) {
fileConfig := &config.FileConfig{
Version: "v2",
Version: "v1",
Global: config.Global{
DataDir: t.TempDir(),
NodeName: "localnode",
@@ -121,9 +121,11 @@ func (s *suite) setupLeafCluster(t *testing.T) {
},
Proxy: config.Proxy{
Service: config.Service{
EnabledFlag: "true",
EnabledFlag: "true",
ListenAddress: localListenerAddr(),
},
WebAddr: localListenerAddr(),
TunAddr: localListenerAddr(),
},
Auth: config.Auth{
Service: config.Service{
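Review bot: The leaf cluster's file-config `Version` changes between "v2" and "v1" (the +/- markers are lost on this page, so the direction is inferred from print order) together with an explicit `ListenAddress: localListenerAddr()` on the proxy service, and setupLeafCluster gives no reason for it. A short comment tying it to the jump-host test would prevent someone from "modernizing" the version back, e.g. `// The leaf proxy must expose a plain SSH listener so tests can use it as a -J jump host.` If the version change is only a means to get that listener, consider keeping the version and setting the listener explicitly instead, so the fixture does not silently pick up other defaults that differ between config versions.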