Access Teleport SSH Proxy via HTTP CONNECT

Normally, SSH connections to the teleport proxy on port 3023 are made directly, whether using the tsh ssh functionality or the openssh client. To make this connection through an HTTP CONNECT style proxy instead, use the openssh client together with the socat binary, which performs the HTTP CONNECT exchange with the proxy.

Instructions

Make sure you are able to successfully complete a tsh login. If you need the tsh binary to use the proxy when communicating over the teleport proxy web port (usually 3080 or 443), make sure you have the HTTPS_PROXY variable set where tsh is being invoked. tsh does not use this proxy variable for any teleport ssh proxy (port 3023) communication, which is why this guide exists for configuring an openssh client to use the proxy instead.

Follow the normal instructions to get your openssh client configured to work with teleport here: Using Teleport with OpenSSH. This involves setting up your .ssh/config file with the needed blocks for both your teleport nodes and the teleport proxy service(s). The teleport proxy Host will need one additional line to make it work via socat. At the time of writing, the doc gives the following configuration where root.example.com is the teleport proxy hostname:

Host root.example.com
    HostName 192.168.1.2
    Port 3023

If the HTTP CONNECT proxy is accessible at http://proxy.example.com:8080, then you would add the following ProxyCommand option:

Host root.example.com
    HostName 192.168.1.2
    Port 3023
    ProxyCommand socat stdio proxy:proxy.example.com:%h:%p,proxyport=8080

The .ssh/config section for your teleport nodes will remain unchanged:

Host *.root.example.com
    HostName %h
    Port 3022
    ProxyCommand ssh -p 3023 %r@root.example.com -s proxy:%h:%p

Usage

To utilize this, make sure you have a valid teleport login by running the correct tsh login command for your environment. This writes out an ssh key below your .tsh/keys/ directory and adds it to your openssh agent, if it is running.

Once you have the teleport key, you can issue a normal ssh command to the desired teleport node. Specify the remote username you want to connect as, along with the node name.

$ tsh login
Enter password for Teleport user jeff:
...
$ ssh ec2-user@foobar.root.example.com
[ec2-user@ip-172-31-23-243 ~]$

Explanation

The socat command says to take the local standard input/output and connect it through a proxy at proxy.example.com on port 8080. The %h and %p portions of the command are substituted in by ssh with the destination host and port being connected to (in this case the teleport proxy).

Please note that this socat option only works for an HTTP CONNECT proxy that is accessible over http://. The ssh connection itself is still secure: the only non-encrypted portion of the connection is when socat asks the proxy for a socket to the teleport ssh proxy. The ssh client negotiates an encrypted ssh session from that point forward.

More details about socat can be found in its corresponding manual.

Debugging

When you issue your ssh command, its configured ProxyCommand issues another ssh command to communicate with the teleport proxy. That second ssh command calls the socat command to connect via the HTTP CONNECT proxy.

You can set verbose mode (-v, -vv, or -vvv) on the ssh command you are manually calling to get more information about how far along it is getting.

Likewise, you can update the .ssh/config file and set verbose mode in the ssh ProxyCommand used to connect to the teleport proxy.

To debug the socat command, you can call the socat command directly. Be sure to substitute the %h and %p for your actual teleport proxy.

$ socat stdio proxy:proxy.example.com:root.example.com:3023,proxyport=8080
SSH-2.0-Teleport

The SSH-2.0-Teleport that gets echoed back to the terminal indicates that socat successfully connected to the teleport ssh proxy.

socat will exit with an error code if it is having difficulty connecting. Some failure modes include:

  • HTTP CONNECT Proxy server itself returns a connection refused:

    $ socat stdio proxy:proxy.example.com:root.example.com:3023,proxyport=8081
    2021/01/11 13:26:32 socat[78100] E connect(7, LEN=16 AF=2 10.10.100.36:8081, 16): Connection refused

  • socat connects to the HTTP CONNECT proxy, but the teleport ssh proxy returns a connection refused:

    $ socat stdio proxy:proxy.example.com:root.example.com:30,proxyport=8080
    2021/01/11 13:28:53 socat[78118] E proxy_connect: connection closed by proxy
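
The following script is an added example, not part of the original article or of Teleport or socat, that performs the same HTTP CONNECT exchange socat does and reads back the SSH banner, so the two failure modes above can be told apart without socat installed. Hostnames and ports in it are the article's example values and are constructed, not real infrastructure.

```python
import socket


def build_connect_request(host: str, port: int) -> bytes:
    # The only plaintext part of the session: the CONNECT request socat sends
    # to the proxy. The SSH handshake starts on the same socket afterwards.
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_response(raw: bytes) -> tuple[int, str]:
    # Return (status_code, reason) from the proxy's HTTP status line.
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ConnectionError(f"proxy sent no HTTP status line: {status_line!r}")
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def read_banner_via_proxy(proxy_host: str, proxy_port: int,
                          target_host: str, target_port: int,
                          timeout: float = 5.0) -> str:
    # Tunnel through the proxy and return the SSH identification string, the
    # "SSH-2.0-Teleport" line the socat debugging step echoes. A refused
    # proxy raises ConnectionRefusedError (first failure mode); a rejected
    # CONNECT or a closed tunnel raises ConnectionError (second failure mode).
    with socket.create_connection((proxy_host, proxy_port), timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        reply = b""
        while b"\r\n\r\n" not in reply:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed by proxy")
            reply += chunk
        headers, _, banner = reply.partition(b"\r\n\r\n")
        code, reason = parse_connect_response(headers)
        if code != 200:
            raise ConnectionError(f"proxy refused CONNECT: {code} {reason}")
        # Bytes after the proxy headers already belong to the SSH server.
        while b"\n" not in banner:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("no SSH banner received through proxy")
            banner += chunk
        return banner.split(b"\n", 1)[0].decode("ascii", "replace").rstrip("\r")


if __name__ == "__main__":
    # Hosts from the article's example configuration (constructed values).
    print(read_banner_via_proxy("proxy.example.com", 8080, "root.example.com", 3023))
```

A successful run prints the same SSH-2.0-Teleport line as the socat check; a non-200 reply from the proxy is reported with its status code rather than the generic "connection closed by proxy" message.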