New local user cannot connect to nodes in Teleport Enterprise

Issue:

A newly added local Teleport Enterprise user can authenticate to the Teleport auth server but is rejected when attempting to connect to a cluster node.

Log(s):

Nov 30 11:04:06 xxx.xxx.com teleport[22393]: INFO [AUDIT] auth addr.local:172.xx.xx.xx:3022 addr.remote:xx.xx.xx.xx:52527 code:T3007W ei:0 error:ssh: principal "demo-user" not in the set of valid principals for given certificate: ["-teleport-nologin-xxx"] event:auth login:demo-user success:false time:2020-11-30T18:04:06.026Z uid:xxx user:demo-user events/emitter.go:237

Analysis:

The above logs indicate that the user has not been mapped to a role and does not have configured permissions to access a given node.

In OSS Teleport if a local user is added via tctl users add the login for the local user is propagated through traits, where the user becomes part of the service.Userobject under traits which then get filled into{{internal.logins}}`.

This does not automatically happen for Enterprise users, however, as the expectation is to add {{external.claimName}} to allow logins to be fetched from an identity provider.

Solution(s):

There are a few ways to give a newly added local Enterprise user tsh ssh access to nodes:

  1. The user can be added explicitly to the Roles configuration logins section as follows:

    logins:
    - '{{internal.logins}}'
    - root
    - demo-user

    After being added in this manner the user will have to re-authenticate and should see their username show up explicitly in the “Logins” portion of the tsh status output.

  2. When creating a local Enterprise user via tctl users add, the --logins flag must be used along with the standard --roles flag as in the below example:

    tctl users add demo-user --roles=dev --logins=demo-user

    After completing new user registration and authenticating to the auth server demo-user should be able to log in to the appropriate nodes.