(v8) Merge 'config-proxy' and 'proxy ssh' commands logic

lib/srv/alpnproxy/local_proxy.go

@@ -30,13 +30,11 @@ import (
 	"github.com/gravitational/trace"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/agent"
 
-	"github.com/gravitational/teleport"
+	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/srv/alpnproxy/common"
 	appaws "github.com/gravitational/teleport/lib/srv/app/aws"
 	"github.com/gravitational/teleport/lib/utils"
-	"github.com/gravitational/teleport/lib/utils/agentconn"
 )
 
 // LocalProxy allows upgrading incoming connection to TLS where custom TLS values are set SNI ALPN and
@@ -108,7 +106,7 @@ func NewLocalProxy(cfg LocalProxyConfig) (*LocalProxy, error) {
 
 // SSHProxy is equivalent of `ssh -o 'ForwardAgent yes' -p port  %r@host -s proxy:%h:%p` but established SSH
 // connection to RemoteProxyAddr is wrapped with TLS protocol.
-func (l *LocalProxy) SSHProxy() error {
+func (l *LocalProxy) SSHProxy(localAgent *client.LocalKeyAgent) error {
 	if l.cfg.ClientTLSConfig == nil {
 		return trace.BadParameter("client TLS config is missing")
 	}
@@ -124,14 +122,10 @@ func (l *LocalProxy) SSHProxy() error {
 	}
 	defer upstreamConn.Close()
 
-	sshAgent, err := getAgent()
-	if err != nil {
-		return trace.Wrap(err)
-	}
 	client, err := makeSSHClient(upstreamConn, l.cfg.RemoteProxyAddr, &ssh.ClientConfig{
 		User: l.cfg.SSHUser,
 		Auth: []ssh.AuthMethod{
-			ssh.PublicKeysCallback(sshAgent.Signers),
+			ssh.PublicKeysCallback(localAgent.Signers),
 		},
 		HostKeyCallback: l.cfg.SSHHostKeyCallback,
 	})
@@ -146,15 +140,6 @@ func (l *LocalProxy) SSHProxy() error {
 	}
 	defer sess.Close()
 
-	err = agent.ForwardToAgent(client, sshAgent)
-	if err != nil {
-		return trace.Wrap(err)
-	}
-	err = agent.RequestAgentForwarding(sess)
-	if err != nil {
-		return trace.Wrap(err)
-	}
-
 	if err = sess.RequestSubsystem(proxySubsystemName(l.cfg.SSHUserHost, l.cfg.SSHTrustedCluster)); err != nil {
 		return trace.Wrap(err)
 	}
@@ -300,19 +285,6 @@ func (l *LocalProxy) handleDownstreamConnection(ctx context.Context, downstreamC
 	return trace.NewAggregate(errs...)
 }
 
-func getAgent() (agent.ExtendedAgent, error) {
-	agentSocket := os.Getenv(teleport.SSHAuthSock)
-	if agentSocket == "" {
-		return nil, trace.NotFound("failed to connect to SSH agent, %s env var not set", teleport.SSHAuthSock)
-	}
-
-	conn, err := agentconn.Dial(agentSocket)
-	if err != nil {
-		return nil, trace.Wrap(err)
-	}
-	return agent.NewClient(conn), nil
-}
-
 func (l *LocalProxy) Close() error {
 	l.cancel()
 	if l.cfg.Listener != nil {

tool/tsh/config.go

@@ -25,10 +25,11 @@ import (
 	"strings"
 	"text/template"
 
+	"github.com/gravitational/trace"
+
 	"github.com/gravitational/teleport/api/constants"
 	"github.com/gravitational/teleport/api/profile"
 	"github.com/gravitational/teleport/api/utils/keypaths"
-	"github.com/gravitational/trace"
 )
 
 const sshConfigTemplate = `
@@ -41,7 +42,7 @@ Host *.{{ .ClusterName }} {{ .ProxyHost }}
 # Flags for all {{ .ClusterName }} hosts except the proxy
 Host *.{{ .ClusterName }} !{{ .ProxyHost }}
     Port 3022
-    ProxyCommand "{{ .TSHPath }}" config-proxy --login="%r" --proxy={{ .ProxyHost }}:{{ .ProxyPort }} %h:%p "{{ .ClusterName }}"
+    ProxyCommand "{{ .TSHPath }}" proxy ssh --cluster={{ .ClusterName }} --proxy={{ .ProxyHost }} %r@%h:%p
 `
 
 type hostConfigParameters struct {
@@ -50,7 +51,6 @@ type hostConfigParameters struct {
 	IdentityFilePath    string
 	CertificateFilePath string
 	ProxyHost           string
-	ProxyPort           string
 	TSHPath             string
 }
 
@@ -88,7 +88,7 @@ func onConfig(cf *CLIConf) error {
 
 	// Note: TeleportClient.connectToProxy() overrides the proxy address when
 	// JumpHosts are in use, which this does not currently implement.
-	proxyHost, proxyPort, err := net.SplitHostPort(tc.Config.SSHProxyAddr)
+	proxyHost, _, err := net.SplitHostPort(tc.Config.SSHProxyAddr)
 	if err != nil {
 		return trace.Wrap(err)
 	}
@@ -127,7 +127,6 @@ func onConfig(cf *CLIConf) error {
 		IdentityFilePath:    identityFilePath,
 		CertificateFilePath: keypaths.SSHCertPath(keysDir, proxyHost, tc.Config.Username, rootClusterName),
 		ProxyHost:           proxyHost,
-		ProxyPort:           proxyPort,
 		TSHPath:             cf.executablePath,
 	})
 	if err != nil {
@@ -141,7 +140,6 @@ func onConfig(cf *CLIConf) error {
 			IdentityFilePath:    identityFilePath,
 			CertificateFilePath: keypaths.SSHCertPath(keysDir, proxyHost, tc.Config.Username, rootClusterName),
 			ProxyHost:           proxyHost,
-			ProxyPort:           proxyPort,
 			TSHPath:             cf.executablePath,
 		})
 		if err != nil {

tool/tsh/config_test.go

@@ -0,0 +1,52 @@
+/*
+Copyright 2021 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// TestWriteSSHConfig tests the writeSSHConfig template output.
+func TestWriteSSHConfig(t *testing.T) {
+	want := `
+# Common flags for all test-cluster hosts
+Host *.test-cluster localhost
+    UserKnownHostsFile "/tmp/know_host"
+    IdentityFile "/tmp/alice"
+    CertificateFile "/tmp/localhost-cert.pub"
+
+# Flags for all test-cluster hosts except the proxy
+Host *.test-cluster !localhost
+    Port 3022
+    ProxyCommand "/bin/tsh" proxy ssh --cluster=test-cluster --proxy=localhost %r@%h:%p
+`
+
+	var sb strings.Builder
+	err := writeSSHConfig(&sb, hostConfigParameters{
+		ClusterName:         "test-cluster",
+		KnownHostsPath:      "/tmp/know_host",
+		IdentityFilePath:    "/tmp/alice",
+		CertificateFilePath: "/tmp/localhost-cert.pub",
+		ProxyHost:           "localhost",
+		TSHPath:             "/bin/tsh",
+	})
+	require.NoError(t, err)
+	require.Equal(t, want, sb.String())
+}

tool/tsh/db_test.go

@@ -49,7 +49,7 @@ func TestDatabaseLogin(t *testing.T) {
 	require.NoError(t, err)
 	alice.SetRoles([]string{"access"})
 
-	authProcess, proxyProcess := makeTestServers(t, connector, alice)
+	authProcess, proxyProcess := makeTestServers(t, withBootstrap(connector, alice))
 	makeTestDatabaseServer(t, authProcess, proxyProcess, service.Database{
 		Name:     "postgres",
 		Protocol: defaults.ProtocolPostgres,

tool/tsh/proxy.go

@@ -21,6 +21,9 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"os/exec"
+	"strconv"
+	"strings"
 	"text/template"
 
 	"github.com/gravitational/trace"
@@ -32,12 +35,43 @@ import (
 	"github.com/gravitational/teleport/lib/utils"
 )
 
+// onProxyCommandSSH creates a local ssh proxy.
+// In cases of TLS Routing the connection is established to the WebProxy with teleport-proxy-ssh ALPN protocol.
+// and all ssh traffic is forwarded through the local ssh proxy.
+//
+// If proxy doesn't support TLS Routing the onProxyCommandSSH is used as ProxyCommand to remove proxy/site prefixes
+// from destination node address to support multiple platform where 'cut -d' command is not provided.
+// For more details please look at: Generate Windows-compatible OpenSSH config https://github.com/gravitational/teleport/pull/7848
 func onProxyCommandSSH(cf *CLIConf) error {
 	tc, err := makeClient(cf, false)
 	if err != nil {
 		return trace.Wrap(err)
 	}
 
+	targetHost, targetPort, err := net.SplitHostPort(tc.Host)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	targetHost = cleanTargetHost(targetHost, tc.WebProxyHost(), tc.SiteName)
+
+	if tc.TLSRoutingEnabled {
+		return trace.Wrap(sshProxyWithTLSRouting(cf, tc, targetHost, targetPort))
+	}
+
+	return trace.Wrap(sshProxy(cf, tc, targetHost, targetPort))
+}
+
+// cleanTargetHost cleans the targetHost and remote site and proxy suffixes.
+// Before the `cut -d` command was used for this purpose but to support multi-platform OpenSSH clients the logic
+// it was moved tsh proxy ssh command.
+// For more details please look at: Generate Windows-compatible OpenSSH config https://github.com/gravitational/teleport/pull/7848
+func cleanTargetHost(targetHost, proxyHost, siteName string) string {
+	targetHost = strings.TrimSuffix(targetHost, "."+proxyHost)
+	targetHost = strings.TrimSuffix(targetHost, "."+siteName)
+	return targetHost
+}
+
+func sshProxyWithTLSRouting(cf *CLIConf, tc *libclient.TeleportClient, targetHost, targetPort string) error {
 	address, err := utils.ParseAddr(tc.WebProxyAddr)
 	if err != nil {
 		return trace.Wrap(err)
@@ -58,7 +92,7 @@ func onProxyCommandSSH(cf *CLIConf) error {
 		ParentContext:      cf.Context,
 		SNI:                address.Host(),
 		SSHUser:            tc.HostLogin,
-		SSHUserHost:        cf.UserHost,
+		SSHUserHost:        fmt.Sprintf("%s:%s", targetHost, targetPort),
 		SSHHostKeyCallback: tc.HostKeyCallback,
 		SSHTrustedCluster:  cf.SiteName,
 		ClientTLSConfig:    tlsConfig,
@@ -67,12 +101,38 @@ func onProxyCommandSSH(cf *CLIConf) error {
 		return trace.Wrap(err)
 	}
 	defer lp.Close()
-	if err := lp.SSHProxy(); err != nil {
+	if err := lp.SSHProxy(tc.LocalAgent()); err != nil {
 		return trace.Wrap(err)
 	}
 	return nil
 }
 
+func sshProxy(cf *CLIConf, tc *libclient.TeleportClient, targetHost, targetPort string) error {
+	sshPath, err := getSSHPath()
+	if err != nil {
+		return trace.Wrap(err)
+	}
+
+	sshHost, sshPort := tc.SSHProxyHostPort()
+	args := []string{
+		"-p",
+		strconv.Itoa(sshPort),
+		sshHost,
+		"-s",
+		fmt.Sprintf("proxy:%s:%s@%s", targetHost, targetPort, tc.SiteName),
+	}
+
+	if cf.NodeLogin != "" {
+		args = append([]string{"-l", cf.NodeLogin}, args...)
+	}
+
+	child := exec.Command(sshPath, args...)
+	child.Stdin = os.Stdin
+	child.Stdout = os.Stdout
+	child.Stderr = os.Stderr
+	return trace.Wrap(child.Run())
+}
+
 func onProxyCommandDB(cf *CLIConf) error {
 	client, err := makeClient(cf, false)
 	if err != nil {

tool/tsh/proxy_test.go

@@ -29,6 +29,7 @@ import (
 
 	"github.com/gravitational/teleport/api/profile"
 	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/service"
 	"github.com/gravitational/teleport/lib/teleagent"
 )
 
@@ -55,7 +56,12 @@ func TestProxySSHDial(t *testing.T) {
 	require.NoError(t, err)
 	alice.SetRoles([]string{"access", "ssh-login"})
 
-	authProcess, proxyProcess := makeTestServers(t, connector, alice, sshLoginRole)
+	authProcess, proxyProcess := makeTestServers(t,
+		withBootstrap(connector, alice, sshLoginRole),
+		withAuthConfig(func(cfg *service.AuthConfig) {
+			cfg.NetworkingConfig.SetProxyListenerMode(types.ProxyListenerMode_Multiplex)
+		}),
+	)
 
 	authServer := authProcess.GetAuthServer()
 	require.NotNil(t, authServer)

tool/tsh/tsh.go

@@ -536,6 +536,7 @@ func Run(args []string, opts ...cliOption) error {
 	// config-proxy is a wrapper to ensure Windows clients can properly use
 	// `tsh config`. As it's not intended to run by users directly and may
 	// not have a stable CLI interface, hide it.
+	// DELETE IN 9.0: The config-proxy logic was moved to the tsh proxy ssh command.
 	configProxy := app.Command("config-proxy", "ProxyCommand wrapper for SSH config as generated by `config`").Hidden()
 	configProxy.Arg("target", "Target node host:port").Required().StringVar(&cf.ConfigProxyTarget)
 	configProxy.Arg("cluster-name", "Target cluster name").Required().StringVar(&cf.SiteName)