Error: failed to authenticate with proxy <address>:3023: ssh: handshake failed: EOF

Hello there :)

Failing to make a simple test installation on a K8s cluster…
Following the docs and using the official helm chart version 0.0.5.
Using the following values:

teleport:
  license:
    enabled: false
  image:
    tag: 4.3.0
  proxy:
    tls:
      enabled: false
      usetlssecret: false
  config:
    public_address: [my resolvable address]
    teleport:
      log:
        severity: DEBUG
  service:
    type: LoadBalancer
    externalTrafficPolicy: Local
    annotations:
      [some needed stuff]

Inside the single pod I run all kinds of variations of tctl users add, and in all cases I am able to activate the account, log in to the web console, open a web ssh terminal and record the session, use scp, but I am unable to log in via the CLI.
Trying to run all kinds of variations of tsh --proxy=[my resolvable address] login but always getting the following error:

INFO [CLIENT]    No teleport login given. defaulting to elad client/api.go:801
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/run/user/1001/keyring/ssh" client/api.go:2201
DEBU [KEYSTORE]  Returning SSH certificate "/home/elad/.tsh/keys/[my resolvable address]/elad-cert.pub" valid until "2020-07-17 04:49:33 +0300 IDT", TLS certificate "/home/elad/.tsh/keys/[my resolvable address]/elad-x509.pem" valid until "2020-07-17 01:49:33 +0000 UTC". client/keystore.go:277
INFO [KEYAGENT]  Loading key for "elad" client/keyagent.go:113
DEBU [CLIENT]    not using loopback pool for remote proxy addr: [my resolvable address]:3080 client/api.go:2162
DEBU [CLIENT]    HTTPS client init(proxyAddr=[my resolvable address]:3080, insecure=false) client/weblogin.go:295
Enter password for Teleport user elad:
Enter your OTP token:
222697
DEBU [CLIENT]    not using loopback pool for remote proxy addr: [my resolvable address]:3080 client/api.go:2162
DEBU [CLIENT]    HTTPS client init(proxyAddr=[my resolvable address]:3080, insecure=false) client/weblogin.go:295
DEBU [KEYAGENT]  Adding CA key for [my resolvable address] client/keyagent.go:243
DEBU [KEYSTORE]  Adding known host [my resolvable address] with key: SHA256:rpM3j/XZQ9EkiYi+uZ4880OWDABNa2E6ra9wBbWMIw0 client/keystore.go:381
INFO [CLIENT]    Connecting proxy=[my resolvable address]:3023 login='root' method=0 client/api.go:1633
WARN [CLIENT]    Failed to authenticate with proxy: ssh: handshake failed: EOF client/api.go:1636

ERROR REPORT:
Original Error: *trace.BadParameterError failed to authenticate with proxy [my resolvable address]:3023: ssh: handshake failed: EOF
Stack Trace:
	/gopath/src/github.com/gravitational/teleport/lib/client/api.go:1629 github.com/gravitational/teleport/lib/client.(*TeleportClient).connectToProxy
	/gopath/src/github.com/gravitational/teleport/lib/client/api.go:1583 github.com/gravitational/teleport/lib/client.(*TeleportClient).ConnectToProxy.func1
	/opt/go/src/runtime/asm_amd64.s:1358 runtime.goexit
User Message: failed to authenticate with proxy [my resolvable address]:3023: ssh: handshake failed: EOF

The logs I am getting on the pod:

DEBU [AUTH]      ClientCertPool -> cert([my resolvable address] issued by [my resolvable address]:127514545263394102904365869269844488482) auth/middleware.go:389
DEBU [AUTH]      ClientCertPool -> cert([my resolvable address] issued by [my resolvable address]:76773658174254385236778304306928024469) auth/middleware.go:389
DEBU [AUTH:1]    Server certificate cert(f53c6d7a-5229-48e7-aca1-ee04b3995132.[my resolvable address] issued by [my resolvable address]:127514545263394102904365869269844488482). auth/middleware.go:194
DEBU [KEYGEN]    generated user key for [elad] with expiry on (1594957757) 2020-07-17 03:49:17.420056917 +0000 UTC native/native.go:257
INFO [CA]        Generating TLS certificate {0x3faab88 0xc000ecce20 1.3.9999.1.1=#1304656c6164,CN=elad,O=admin,POSTALCODE={\"kubernetes_groups\":null\,\"kubernetes_users\":[\"elad\"]\,\"logins\":[\"elad\"]},STREET=,L=elad 2020-07-17 03:49:17.427966977 +0000 UTC []}. common_name:elad dns_names:[] locality:[elad] not_after:2020-07-17 03:49:17.427966977 +0000 UTC org:[admin] org_unit:[] tlsca/ca.go:266

On the web console I see Local user [elad] successfully logged in

No idea what I am missing here…

Any ideas?

Thanks!!

Problem was found.
Need to terminate with SSL only the web port (3080)

Yep, this was going to be my suggestion. Need to make sure that other ports are just forwarded TCP connections.

Glad you got it sorted!
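
A way to check which ports a load balancer terminates TLS on versus forwards as plain TCP, as an added example that is not part of the original posts or of Teleport itself. It assumes an SSH server sends its `SSH-` identification string first while a TLS endpoint waits for the client; the function names are hypothetical and the host is passed on the command line.

```python
import socket
import ssl
import sys

def read_banner(host, port, timeout=3.0):
    """Return the first bytes the listener sends unprompted (b"" on silence or error)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(255)
    except OSError:  # covers timeouts, refusals and resets
        return b""

def tls_answers(host, port, timeout=3.0):
    """True if the listener completes a TLS handshake, i.e. something terminates TLS here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # protocol detection only: no credentials are sent,
    ctx.verify_mode = ssl.CERT_NONE  # so the certificate is deliberately not validated
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False

def diagnose(banner, tls_ok):
    """Map the two observations onto the situations discussed in the thread."""
    if banner.startswith(b"SSH-"):
        return "ssh-passthrough"  # raw TCP reaches an SSH server: what tsh needs on 3023
    if tls_ok:
        return "tls-terminated"   # a TLS endpoint sits in front: expected only on 3080
    return "no-answer"

def probe(host, port):
    """Probe one port; TLS is only attempted when no SSH banner arrived."""
    banner = read_banner(host, port)
    tls_ok = False if banner.startswith(b"SSH-") else tls_answers(host, port)
    return diagnose(banner, tls_ok)

if __name__ == "__main__":
    host = sys.argv[1]  # the proxy's public address
    for port in (3023, 3080):
        print(port, probe(host, port))
```

A `tls-terminated` result on 3023 is consistent with the `ssh: handshake failed: EOF` error shown in the first post; after the fix described above, 3023 should report `ssh-passthrough`.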