
Fix JumpHost TLSRouting flow when root cluster is offline #13791

Merged (3 commits), Jun 28, 2022

Conversation

@smallinsky smallinsky (Contributor) commented Jun 23, 2022

What:

Fix the #13554 issue where JumpHost to a leaf cluster fails when the root cluster is online.

Why:

The "Fix TLS Routing JumpHost flow" fix didn't align the isMFARequired calls against the root cluster, and in the case of an offline root cluster the JumpHost TLS Routing flow fails.

How:

In the case of `JumpHost == leaf proxy address`, call isMFARequired on the leaf auth service, like in the TLS Routing disabled flow.

@github-actions github-actions bot added the tsh tsh - Teleport's command line tool for logging into nodes running Teleport. label Jun 23, 2022
@github-actions github-actions bot requested review from ibeckermayer and zmb3 June 23, 2022 12:04
@smallinsky smallinsky requested review from r0mant, codingllama and Joerger and removed request for zmb3 and ibeckermayer June 23, 2022 12:12
@smallinsky smallinsky added tls-routing Issues related to TLS routing regression test-plan-problem Issues which have been surfaced by running the manual release test plan labels Jun 23, 2022
@espadolini espadolini (Contributor) commented Jun 23, 2022

Does this mean that a non-FIPS tsh connecting directly to a non-FIPS leaf will not clear the terminal, while a connection to the leaf through a FIPS root would? Is that the correct behavior? Can you even join a non-FIPS leaf to a FIPS root?

@codingllama codingllama (Contributor) left a comment

Thanks for the quick fixes, Marek.

What is the interaction between jump hosts and settings such as per_session_mfa? If the root has per_session_mfa=true and the leaf doesn't, would a jump allow the user to connect without MFA?

Conversely, if MFA is required by the leaf, how can the user pass the challenge if their credentials are saved in the root cluster?

In essence, is jumping with an offline root possible if MFA is involved?

@smallinsky smallinsky force-pushed the smallinsky/fix_jumphost_offline_root_cluster branch from 31cf017 to 9d6e650 Compare June 24, 2022 11:39
@smallinsky smallinsky (Contributor Author) commented
@codingllama

What is the interaction between jump hosts and settings such as per_session_mfa? If the root has per_session_mfa=true and the leaf doesn't, would a jump allow the user to connect without MFA?

In that case the root cluster will ask the client to add an MFA device in order to process the MFA flow enforced by the leaf cluster.

Conversely, if MFA is required by the leaf, how can the user pass the challenge if their credentials are saved in the root cluster?

In the case of MFA required by the leaf, the MFA cert issuer is the root cluster, so the root cluster needs to be online to handle the MFA cert issue request triggered by the IsMFARequired check evaluated on the leaf cluster.

In essence, is jumping with an offline root possible if MFA is involved?

No, the MFA flow requires root cluster availability to issue MFA-verified certs, so this is not a matter of JumpHost, and in the case of an offline root cluster the `tsh ssh --cluster=leaf leafnode` command will also fail.

@espadolini

Does this mean that a non-FIPS tsh connecting directly to a non-FIPS leaf will not clear the terminal, while a connection to the leaf through a FIPS root would? Is that the correct behavior? Can you even join a non-FIPS leaf to a FIPS root?

I'm not familiar with FIPS, though I have never seen any checks preventing this behaviour.
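The JumpHost decision from the PR's "How" section and the MFA caveat in the reply above, modelled together as an added Go example. This is not Teleport's code: the `cluster` type, `mfaCheckTarget`, `connectViaJumpHost` and the `fixed` toggle are illustrative assumptions, as is sending the IsMFARequired check to root whenever the jump host is not the leaf proxy. It shows why the pre-fix flow fails with an offline root even without MFA, why the fix makes that case work, and why an MFA-enforcing leaf still needs the root online.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrClusterOffline models an auth service that cannot be reached.
var ErrClusterOffline = errors.New("cluster auth service unreachable")

// cluster is a toy model of a Teleport cluster's auth service (assumption,
// not Teleport's own type): reachability, proxy address and whether it
// enforces per-session MFA.
type cluster struct {
	name          string
	proxyAddr     string
	online        bool
	perSessionMFA bool
}

// isMFARequired stands in for the auth service's IsMFARequired call.
func (c *cluster) isMFARequired() (bool, error) {
	if !c.online {
		return false, fmt.Errorf("%s: %w", c.name, ErrClusterOffline)
	}
	return c.perSessionMFA, nil
}

// issueMFACert stands in for minting an MFA-verified certificate. The
// user's credentials live in the root cluster, so only root serves this.
func (c *cluster) issueMFACert() error {
	if !c.online {
		return fmt.Errorf("%s: %w", c.name, ErrClusterOffline)
	}
	return nil
}

// mfaCheckTarget picks which auth service answers IsMFARequired for a
// TLS-routed JumpHost connection. Pre-fix (fixed=false) the check always
// went to root; post-fix it goes to the leaf when the jump host is the
// leaf proxy address itself, as in the TLS Routing disabled flow.
func mfaCheckTarget(root, leaf *cluster, jumpHost string, fixed bool) *cluster {
	if fixed && jumpHost == leaf.proxyAddr {
		return leaf
	}
	return root
}

// connectViaJumpHost runs the TLS-routing JumpHost flow to a node in leaf
// and returns nil when the session could be established.
func connectViaJumpHost(root, leaf *cluster, jumpHost string, fixed bool) error {
	required, err := mfaCheckTarget(root, leaf, jumpHost, fixed).isMFARequired()
	if err != nil {
		return fmt.Errorf("IsMFARequired: %w", err)
	}
	if required {
		// Wherever the check was evaluated, the MFA cert is issued by
		// root, so root must be online for any MFA-protected session.
		if err := root.issueMFACert(); err != nil {
			return fmt.Errorf("MFA cert: %w", err)
		}
	}
	return nil
}

func main() {
	// Constructed scenario: root offline, leaf online, no MFA on the leaf.
	root := &cluster{name: "root", proxyAddr: "root.example.com:443", online: false}
	leaf := &cluster{name: "leaf", proxyAddr: "leaf.example.com:443", online: true}

	fmt.Println("pre-fix, no MFA :", connectViaJumpHost(root, leaf, leaf.proxyAddr, false))
	fmt.Println("post-fix, no MFA:", connectViaJumpHost(root, leaf, leaf.proxyAddr, true))

	// Leaf enforces per-session MFA: root must be online even post-fix.
	leaf.perSessionMFA = true
	fmt.Println("post-fix, MFA   :", connectViaJumpHost(root, leaf, leaf.proxyAddr, true))
}
```

Running `main` prints an offline error for the pre-fix case, `<nil>` for the post-fix case without MFA, and an offline error again once the leaf enforces MFA, matching the three points made in the thread.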

@codingllama codingllama (Contributor) left a comment

Thanks for the explanation.

lib/client/client.go: review thread (outdated, resolved)
@smallinsky smallinsky force-pushed the smallinsky/fix_jumphost_offline_root_cluster branch from 0756e15 to 26b9f60 Compare June 28, 2022 11:13
@smallinsky smallinsky merged commit 20b63e0 into master Jun 28, 2022
@github-actions github-actions bot commented
@smallinsky See the table below for backport results.

Branch Result
branch/v10 Failed
branch/v8 Failed
branch/v9 Failed
