Tsh login ssh-agent no added - OpenSSH Integration


#1

Ported from github issue https://github.com/gravitational/teleport/issues/2596

Hello,

What happened:
Login using tsh login --proxy=xxx --format=openssh

What you expected to happen:

As explained in the admin documentation / user documentation, I was expecting to see more keys in my ssh-agent using ssh-add -l.
Then I used the configuration shown in the user documentation in order to reach my nodes with the classic OpenSSH client through Teleport.
I can guess that somehow my keys are not added to my ssh-agent, even though it has been running since my OS booted.

Host *.bastion.example.be
    HostName %h
    Port 3022
    ProxyCommand ssh -p 3023 %r@bastion.example.be -s proxy:%h:%p

ssh node.bastion.example.be
Permission denied (publickey).
ssh_exchange_identification: Connection closed by remote host

How to reproduce it (as minimally and precisely as possible):
Set up the latest Teleport with one more node, then set up your OpenSSH client to use it through the Teleport Proxy.

Environment:

  • Teleport version (use teleport version): Teleport v3.1.7 git:v3.1.7-0-g44074d74 go1.11.5
  • Tsh version (use tsh version): Teleport v3.1.7 git:v3.1.7-0-g44074d74 go1.11.5
  • OS (e.g. from /etc/os-release): Debian GNU/Linux 9 (stretch)

Relevant Debug Logs If Applicable

debug1: Executing proxy command: exec ssh -p 3023 xx@bastion.example.com -s proxy:node.bastion.example.com:3022
debug1: permanently_drop_suid: 1000
debug1: identity file /home/xx/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xx/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xx/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xx/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xx/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xx/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xx/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/xx/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u6
ssh: connect to host bastion.example.com port 3023: Connection refused
ssh_exchange_identification: Connection closed by remote host

I can see traffic coming in on port 3023, but nothing in my logs yet on the Teleport side, even with the ERROR flag for the logs.

I can manually add my keys from Teleport using:
ssh-add .tsh/keys/bastion.example.com/xx
I got:

Identity added: .tsh/keys/bastion.example.com/xx (.tsh/keys/bastion.example.com/xx)
Certificate .tsh/keys/bastion.example.com/xx-cert.pub (xx) add failed: communication with agent failed

I looked a bit on search engines (quickly) without finding anything useful.
Please let me know if I can provide more details.

Have a good weekend.


#2

@Zwordi which ssh agent are you using? Teleport is 100% certificate-based, and not all SSH agents understand SSH certificates.

(asking because some distros do not package ssh-agent from OpenSSH and instead use something else, like Gnome which did not support SSH certs last time we checked)


#3

Hi @kontsevoy ,

You’re right, I’m using Gnome, so I use (without thinking about it) its ssh-agent.

xx       3059  0.0  0.0  14636    36 ?        Ss   Mar08   0:00 /usr/bin/ssh-agent gnome-session
xx      31225  0.0  0.0  14164  1996 pts/2    S+   07:55   0:00 grep --color ssh-agent

OK, so if I kill the ssh-agent gnome-session and eval ssh-agent again, I can add my certificates manually without issue.
And then, with the example from the User Manual about SSH Integration, I can get it working with the following configuration:

Host db
    Port 3022
    ProxyCommand ssh -p 3023 %r@proxy.example.com -s proxy:%h:%p

Now all I have to do is have Ansible populate my .ssh/config based on the list of my nodes!
Thank you for the good hint.
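Post #2 asks which agent is in use because not all agents understand SSH certificates, and post #3 confirms that this was the problem. The following is an added example for this thread, not code from Teleport or from either poster: a small Python client for the OpenSSH agent protocol (draft-miller-ssh-agent) that asks whatever is listening on SSH_AUTH_SOCK for its identities and flags which ones are certificates, recognisable by a key type name ending in -cert-v01@openssh.com. The reply embedded in it for offline use is constructed, not captured from a real agent, and all function and variable names are mine.

```python
"""Query the SSH agent on SSH_AUTH_SOCK and report which loaded identities are certificates.

Added example (not Teleport's code). Protocol per draft-miller-ssh-agent:
client sends SSH_AGENTC_REQUEST_IDENTITIES, agent answers with a list of
(key blob, comment) pairs; every blob starts with its type name string.
"""
import os
import socket
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
CERT_SUFFIX = "-cert-v01@openssh.com"  # OpenSSH certificate key types end with this


def _put_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset; return (bytes, next_offset). Rejects truncation."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_identities_answer(msg: bytes):
    """Parse an agent reply payload (outer length prefix already stripped).

    Returns one {"key_type", "is_cert", "comment"} dict per loaded identity.
    """
    if not msg:
        raise ValueError("empty agent reply")
    if msg[0] == SSH_AGENT_FAILURE:
        raise RuntimeError("agent answered SSH_AGENT_FAILURE")
    if msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected agent message type {msg[0]}")
    (count,) = struct.unpack_from(">I", msg, 1)
    off, ids = 5, []
    for _ in range(count):
        blob, off = _get_string(msg, off)     # public key or certificate blob
        comment, off = _get_string(msg, off)  # comment set by ssh-add
        key_type, _ = _get_string(blob, 0)    # first field of any blob is its type name
        kt = key_type.decode("ascii", "replace")
        ids.append({"key_type": kt, "is_cert": kt.endswith(CERT_SUFFIX),
                    "comment": comment.decode("utf-8", "replace")})
    return ids


def summarize(ids):
    """Count plain keys vs. certificates so a caller sees at a glance what the agent holds."""
    certs = sum(1 for i in ids if i["is_cert"])
    return {"total": len(ids), "certs": certs, "plain_keys": len(ids) - certs}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket mid-message")
        buf += chunk
    return buf


def request_identities(sock_path=None):
    """Connect to the agent (default $SSH_AUTH_SOCK) and return its parsed identity list."""
    path = sock_path or os.environ.get("SSH_AUTH_SOCK")
    if not path:
        raise RuntimeError("SSH_AUTH_SOCK is not set; no agent to query")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(_put_string(bytes([SSH_AGENTC_REQUEST_IDENTITIES])))
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        return parse_identities_answer(_recv_exact(s, length))


def build_identities_answer(entries):
    """Construct a fake SSH_AGENT_IDENTITIES_ANSWER for offline testing (not a real capture).

    entries: list of (key_type, comment). Key material is zero filler; only the type matters here.
    """
    out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(entries))
    for key_type, comment in entries:
        blob = _put_string(key_type.encode()) + _put_string(b"\x00" * 32)
        out += _put_string(blob) + _put_string(comment.encode())
    return out


# Constructed sample: one plain RSA key plus the certificate tsh would add for user "xx".
SAMPLE_ANSWER = build_identities_answer([("ssh-rsa", "/home/xx/.ssh/id_rsa"),
                                         ("ssh-rsa-cert-v01@openssh.com", "xx")])

if __name__ == "__main__":
    try:
        ids = request_identities()
    except (OSError, RuntimeError, ValueError) as exc:
        print(f"could not query agent: {exc}")
    else:
        for i in ids:
            print(("CERT" if i["is_cert"] else "key "), i["key_type"], i["comment"])
        print(summarize(ids))
```

Run it after tsh login: if the tsh certificate does not appear with a -cert-v01@openssh.com type, or the agent answers SSH_AGENT_FAILURE, the agent behind SSH_AUTH_SOCK is the suspect, which is exactly the situation in posts #1 and #3. An OpenSSH ssh-agent started with eval "$(ssh-agent)" lists the certificate with that type once ssh-add has loaded it.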