Logging in Teleport with tsh

teleport
#1

How can I use tsh to logon to the nodes?
I always get acces denied to user when connecting although the user is connected to the cluster with tsh login and the user is an valid user on the node.
I am probably doing something wrong but I can’t seem to figure out what?
For info … i can logon just fine with the web app…

root@stone:/etc# tsh login --proxy=192.168.1.3 --user=user --insecure -d
INFO [CLIENT] no host login given. defaulting to root client/api.go:784
ERRO [CLIENT] [KEY AGENT] Unable to connect to SSH agent on socket: “”. client/api.go:2105
DEBU [CLIENT] not using loopback pool for remote proxy addr: 192.168.1.3:3080 client/api.go:2070
DEBU [CLIENT] HTTPS client init(proxyAddr=192.168.1.3:3080, insecure=true) client/weblogin.go:252
WARNING: You are using insecure connection to SSH proxy https://192.168.1.3:3080
Enter password for Teleport user user:
Enter your OTP token:
xxxxx
DEBU [CLIENT] not using loopback pool for remote proxy addr: 192.168.1.3:3080 client/api.go:2070
DEBU [CLIENT] HTTPS client init(proxyAddr=192.168.1.3:3080, insecure=true) client/weblogin.go:252
WARNING: You are using insecure connection to SSH proxy https://192.168.1.3:3080
DEBU [KEYAGENT] Adding CA key for cluster01 client/keyagent.go:238
DEBU [KEYSTORE] Adding known host cluster01 with key: SHA256:LPd96/2hJ72Dzm+e8pKdtk+28ebUnzKirCOWaZtXyd8 client/keystore.go:355
INFO [CLIENT] Connecting proxy=192.168.1.3:3023 login=‘user’ method=0 client/api.go:1603
DEBU [KEYAGENT] Validated host 192.168.1.3:3023. client/keyagent.go:280
INFO [CLIENT] Successful auth with proxy 192.168.1.3:3023 client/api.go:1594
DEBU [KEYSTORE] Adding trusted cluster certificate authority “SERIALNUMBER=42343966368602010319466438670856638535,CN=cluster01,O=cluster01” to trusted pool. client/keystore.go:328
DEBU [KEYSTORE] Returning SSH certificate “/root/.tsh/keys/192.168.1.3/user-cert.pub” valid until “2020-05-30 00:49:18 +0200 CEST”, TLS certificate “/root/.tsh/keys/192.168.1.3/user-x509.pem” valid until “2020-05-29 22:49:18 +0000 UTC”. client/keystore.go:262
DEBU [CLIENT] Client is connecting to auth server on cluster “cluster01”. client/client.go:469
DEBU [KEYAGENT] Adding CA key for cluster01 client/keyagent.go:238
DEBU [KEYSTORE] Adding known host cluster01 with key: SHA256:LPd96/2hJ72Dzm+e8pKdtk+28ebUnzKirCOWaZtXyd8 client/keystore.go:355
WARN [CLIENT] Failed to remove symlink: remove /root/.tsh/profile: no such file or directory client/profile.go:155
DEBU [KEYSTORE] Returning SSH certificate “/root/.tsh/keys/192.168.1.3/user-cert.pub” valid until “2020-05-30 00:49:18 +0200 CEST”, TLS certificate “/root/.tsh/keys/192.168.1.3/user-x509.pem” valid until “2020-05-29 22:49:18 +0000 UTC”. client/keystore.go:262

Profile URL: https://192.168.1.3:3080
Logged in as: user
Cluster: cluster01
Roles: admin*
Traits: kubernetes_groups: []
logins: [user]
Logins: user
Valid until: 2020-05-30 00:49:18 +0200 CEST [valid for 12h0m0s]
Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty

Profile URL: https://192.168.1.3:3080
Logged in as: user
Cluster: cluster01
Roles: admin*
Logins: user
Valid until: 2020-05-30 00:49:18 +0200 CEST [valid for 12h0m0s]
Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty

centap 192.168.1.35:3022 arch=x86_64, db_role=master
db_type=postgres, hostname=centap
centprx 192.168.1.3:3022 arch=x86_64, environment=test
hostname=centprx, role=proxy
type=vm

root@stone:/etc# tsh ssh user@192.168.1.3
error: access denied to user connecting to 192.168.1.3 on cluster cluster01
root@stone:/etc# tsh ssh user@192.168.1.3 --user=user
error: access denied to user connecting to 192.168.1.3 on cluster cluster01
root@stone:/etc# tsh ssh --proxy=192.168.1.3 --user=user user@192.168.1.3
error: access denied to user connecting to 192.168.1.3 on cluster cluster01
root@stone:/etc# tsh ssh user@192.168.1.3 --user=user

#2

Hey @filland,

Can you confirm your teleport version and share your Teleport config on the proxy?

I’ve seen this recently, and it was resolved by setting your nodename to be the same as public_addr on the proxy server in the config. This may be a bug you are running into, but I’ll follow up on that.

#3

Hi abdu,
My current teleport version is Teleport v4.2.3 git:v4.2.3-0-g933c47b4 go1.13.2 on the proxy and Auth server is Teleport v4.2.3 git:v4.2.3-0-g933c47b4 go1.13.2.

The config on the proxy is
teleport:
nodename: TP-PRX-main
data_dir: /var/lib/teleport
pid_file: /var/run/teleport.pid
auth_token: Q4FSBaW0SgABaFRNiBrj1SFUZmYEMKYy6i2mANtM5YnjO6ZEqdAals3FGbBTzYQP
auth_servers:

  • 10.2.20.1:3025
    connection_limits:
    max_connections: 15000
    max_users: 250
    log:
    output: stderr
    severity: INFO
    ca_pin: “”
    auth_service:
    enabled: “no”
    cluster_name: “main”
    listen_addr: 0.0.0.0:3025
    tokens:
  • proxy,node:Q4FSBaW0SgABaFRNiBrj1SFUZmYEMKYy6i2mANtM5YnjO6ZEqdAals3FGbBTzYQP
    session_recording: “”
    client_idle_timeout: 0s
    disconnect_expired_cert: false
    keep_alive_count_max: 0
    ssh_service:
    enabled: “yes”
    labels:
    role: member
    type: Proxy
    commands:
  • name: hostname
    command: [/usr/bin/hostname]
    period: 1m0s
  • name: arch
    command: [/usr/bin/uname, -p]
    period: 1h0m0s
    proxy_service:
    enabled: “yes”
    listen_addr: 0.0.0.0:3023
    web_listen_addr: 0.0.0.0:3080
    tunnel_listen_addr: 0.0.0.0:3024
    public_addr: TP-PRX-main

I have the pubic_addr set as the hostname of the server …

#4

@filland Sorry for the delay.

Please set the log level on the auth and proxy servers to DEBUG:

teleport:
  log:
    output: stderr
    severity: DEBUG

then restart Teleport on each server. Try logging in again with this command:

tsh ssh -d user@192.168.1.3

Share all the logs here and we should be able to figure out what the issue is. If things are working via web UI then it looks like your role configurations are fine - there is just some issue which is preventing tsh from working correctly.