Using the standard ssh client instead of tsh

I’m trying to use the standard ssh client with Teleport so that I can create Ansible playbooks that can access my systems behind the proxy. I’ve followed the instructions, and after logging into the proxy, I’m unable to connect to any systems using ssh. When I try, I see the following:

Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host

and in the log on the proxy, I see this:

Sep 10 18:31:02 ip-10-1-9-236 /usr/local/bin/teleport[2746]: WARN [PROXY] failed login attempt events.EventFields{“success”:false, “error”:“ssh: principal “myusername” not in the set of valid principals for given certificate: [“targetusername”]”, “user”:“mysusername”} SHA256:rLeLrEsA5qmRWWshaUz2BMjfd6f74Ke/jeqnMy6XxjA local: remote: user:myusername srv/authhandlers.go:166

I’ve looked up this error, and the only examples I’ve found talk about hostnames in the principal, not usernames.

Logging in with tsh works fine.

Hi - firstly, sorry for the delay in response.

  • What’s the SSH command you’re trying to use to log in?
  • Can you please share the outputs of:
    • tsh status after logging in
    • ssh-add -l?
  • If you’ve changed ~/.ssh/config, can you please share details of the changes you’ve made?

In general, this error is related to you trying to log in with a different principal (system user) to what is permitted by the certificate that Teleport has issued. As the error is coming from the Teleport proxy, it might be that you need to provide a valid username in the -J (jumphost) argument to your ssh command.


After tsh login, tsh status shows something like this:

Profile URL: xxxx
Logged in as: mygithubusername
Roles: admin*
Logins: targetaccountname
Valid until: 2020-09-21 16:22:36 -0400 EDT [valid for 58m0s]
Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty

ssh-add -l

2048 SHA256:mJ9spDmbqF0PC8PQBBQMyxxzUNZdNXy4iAc/3gEaZqc teleport:mygithubusername (RSA-CERT)
2048 SHA256:mJ9spDmbqF0PC8PQBBQMyxxzUNZdNXy4iAc/3gEaZqc teleport:mygithubusername (RSA)

We are using GitHub for authentication.

My ssh/config file:

Host ip-10-1-1-115
Port 3022

and the command line I’m using looks like this:
ssh targetaccountname@ip-10-1-1-115

When I do that, I get this:
mylocalusername @ Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host

I’ve also adjusted the ssh/config file to add mygithubusername to the proxy, but get similar results.

The error I see in the proxy logs is:

Sep 21 19:28:26 ip-10-1-9-236 /usr/local/bin/teleport[2442]: WARN [PROXY] failed login attempt events.EventFields{“user”:“mygithubusername”, “success”:false, “error”:“ssh: principal “mylocalusername” not in the set of valid principals for given certificate: [“targetaccount”]”} fingerprint:ssh-rsa-cert-v01 SHA256:QH9Ugj+KX4vRXxD75IrjOc395hpUNrBOt1R6Fl/yd20 local: remote: user:mylocalusername srv/authhandlers.go:166

I’ve also tried this by putting everything on the command line:

ssh -J targetaccountname@ip-10-1-1-115

Note: in the reply above I had to mess with bits of the format to submit it, otherwise I get some error about only being allowed to have two links in my post (very annoying).
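To make the reply about principals concrete, here is an added example of an ~/.ssh/config that sends both hops through the Teleport proxy under the login the certificate actually carries; it is not from the thread or from Teleport's documentation. The proxy hostname `proxy.example.com` and the alias `teleport-proxy` are placeholders; the login `targetaccountname`, the node `ip-10-1-1-115` and port 3022 are taken from the posts above, and 3023 is Teleport's default proxy SSH port.

```sshconfig
# Added example (not the thread's own config). Placeholder proxy host.
#
# The config posted in the thread only sets the port:
#
#   Host ip-10-1-1-115
#       Port 3022
#
# With no User and no ProxyJump, ssh offers the LOCAL username
# (mylocalusername) and the proxy rejects it, because the Teleport
# certificate only lists "targetaccountname" as a valid principal.
# That is the "principal ... not in the set of valid principals"
# warning in the proxy log, and "Permission denied (publickey)"
# on the client.

# Hop 1: the Teleport proxy's SSH listener (default port 3023).
# The username here must be one of the "Logins:" shown by tsh status,
# because the proxy checks it against the certificate's principals too.
Host teleport-proxy
    HostName proxy.example.com
    Port 3023
    User targetaccountname

# Hop 2: the node behind the proxy, reached via the proxy.
# Same login, for the same reason.
Host ip-10-1-1-115
    Port 3022
    User targetaccountname
    ProxyJump teleport-proxy
    # Optional: forward the agent that holds the Teleport cert
    # (the "teleport:mygithubusername (RSA-CERT)" entry in ssh-add -l).
    ForwardAgent yes

# Equivalent one-liner without the config file:
#   ssh -J targetaccountname@proxy.example.com:3023 -p 3022 targetaccountname@ip-10-1-1-115
```

Running `ssh -v ip-10-1-1-115` shows which username and which key or certificate are offered on each hop, which is the quickest way to confirm the principal being sent matches the certificate's Logins.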