Using the standard ssh client instead of tsh

I’m trying to use the standard ssh client with Teleport so that I can create Ansible playbooks that can access my systems behind the proxy. I’ve followed the instructions
and after logging into the proxy, I’m unable to connect to any systems using ssh. When I try, I see the following:

xxx@teleport-proxy-xxx.net: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host

and in the log on the proxy, I see this:

Sep 10 18:31:02 ip-10-1-9-236 /usr/local/bin/teleport[2746]: WARN [PROXY] failed login attempt events.EventFields{"success":false, "error":"ssh: principal "myusername" not in the set of valid principals for given certificate: ["targetusername"]", "user":"mysusername"} fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:rLeLrEsA5qmRWWshaUz2BMjfd6f74Ke/jeqnMy6XxjA local:10.1.9.236:3023 remote:3.16.32.130:51286 user:myusername srv/authhandlers.go:166

I’ve looked up this error, and the only examples I’ve found talk about hostnames in the principal, not usernames.

Logging in with tsh works fine.

Hi - firstly, sorry for the delay in response.

  • What’s the SSH command you’re trying to use to log in?
  • Can you please share the outputs of:
    • tsh status after logging in
    • ssh-add -l?
  • If you’ve changed ~/.ssh/config, can you please share details of the changes you’ve made?

In general, this error is related to you trying to log in with a different principal (system user) to what is permitted by the certificate that Teleport has issued. As the error is coming from the Teleport proxy, it might be that you need to provide a valid username in the -J (jumphost) argument to your ssh command.

Thanks!

After tsh login, tsh status shows something like this:

Profile URL: xxxx
Logged in as: mygithubusername
Roles: admin*
Logins: targetaccountname
Valid until: 2020-09-21 16:22:36 -0400 EDT [valid for 58m0s]
Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty

ssh-add -l

2048 SHA256:mJ9spDmbqF0PC8PQBBQMyxxzUNZdNXy4iAc/3gEaZqc teleport:mygithubusername (RSA-CERT)
2048 SHA256:mJ9spDmbqF0PC8PQBBQMyxxzUNZdNXy4iAc/3gEaZqc teleport:mygithubusername (RSA)

We are using GitHub for authentication.

My ssh/config file:

Host ip-10-1-1-115
Port 3022
ProxyJump teleport-myproxy.net:3023

And the command line I’m using looks like this:
ssh targetaccountname@ip-10-1-1-115

When I do that, I get this:
mylocalusername@teleport-myproxy.net: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host

I’ve also adjusted the ssh/config file to add mygithubusername to the proxy but get similar results.

The error I see in the proxy logs is:

Sep 21 19:28:26 ip-10-1-9-236 /usr/local/bin/teleport[2442]: WARN [PROXY] failed login attempt events.EventFields{"user":"mygithubusername", "success":false, "error":"ssh: principal "mylocalusername" not in the set of valid principals for given certificate: ["targetaccount"]"} fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:QH9Ugj+KX4vRXxD75IrjOc395hpUNrBOt1R6Fl/yd20 local:10.1.9.236:3023 remote:3.16.32.120:63214 user:mylocalusername srv/authhandlers.go:166

I’ve also tried this by putting everything on the command line:

ssh -J mygithubusername@teleport-myproxy.net:3023 targetaccountname@ip-10-1-1-115

Note: in the reply above I had to mess with bits of the format to submit it otherwise i get some error about only being allowed to have two links in my post (very annoying)

Sorry - this is a Discourse ‘feature’ designed to prevent spam. I’ve tried to tweak the settings a bit so it won’t be so picky.

This means that you can only authenticate over SSH as targetaccountname - so theoretically, this command should work:

ssh -J targetaccountname@teleport-myproxy.net:3023 targetaccountname@ip-10-1-1-115

If the targetaccountname login doesn’t exist on the proxy, you’ll need to either create it, or modify your Teleport admin role so that it also grants a login which does exist on the proxy.
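The principal check described above can be reproduced offline. The following Python script is an added example, not code from the thread or from Teleport: it reads the Logins line from `tsh status` output, pulls the attempted and valid principals out of the proxy's WARN line, and lists every hop of an ssh command (ProxyJump/-J hops and the target) whose login is not among the certificate's principals. The `tsh status` text and the WARN line are constructed from the pastes above; the names `hops_in_command`, `check_command` and `explain_proxy_warning`, the `OPTS_WITH_VALUE` subset of ssh(1) options, and the `local_user`/`proxy_jump` parameters are this example's own assumptions.

```python
# Added example (not from the thread or from Teleport): check which principal
# ssh will present at each hop against the Logins a `tsh login` certificate carries.
from __future__ import annotations

import re
import shlex

# Constructed from the `tsh status` output pasted in the thread.
TSH_STATUS = """\
Profile URL: xxxx
Logged in as: mygithubusername
Roles: admin*
Logins: targetaccountname
Valid until: 2020-09-21 16:22:36 -0400 EDT [valid for 58m0s]
Extensions: permit-agent-forwarding, permit-port-forwarding, permit-pty
"""

# Constructed from the proxy WARN line pasted in the thread (quotes straightened).
PROXY_WARN = (
    'Sep 21 19:28:26 ip-10-1-9-236 /usr/local/bin/teleport[2442]: WARN [PROXY] '
    'failed login attempt events.EventFields{"user":"mygithubusername", '
    '"success":false, "error":"ssh: principal "mylocalusername" not in the set '
    'of valid principals for given certificate: ["targetaccount"]"} '
    'user:mylocalusername srv/authhandlers.go:166'
)

# Assumed subset of ssh(1) options that consume the next argument (-J and -l are
# handled separately because they affect which principals are presented).
OPTS_WITH_VALUE = {"-F", "-i", "-o", "-p", "-L", "-R", "-D", "-W", "-E", "-c", "-m"}

WARN_RE = re.compile(
    r'principal "([^"]+)" not in the set of valid principals '
    r'for given certificate: \[([^\]]*)\]'
)


def certificate_logins(tsh_status: str) -> list[str]:
    """Logins (the certificate's principals) as listed by `tsh status`."""
    for line in tsh_status.splitlines():
        if line.startswith("Logins:"):
            return [p.strip() for p in line[len("Logins:"):].split(",") if p.strip()]
    return []


def explain_proxy_warning(line: str) -> dict | None:
    """Attempted principal and the certificate's valid principals from a proxy WARN line."""
    m = WARN_RE.search(line)
    if not m:
        return None
    valid = [p.strip().strip('"') for p in m.group(2).split(",") if p.strip()]
    return {"attempted": m.group(1), "valid": valid}


def hops_in_command(command: str, local_user: str,
                    proxy_jump: str | None = None) -> list[tuple[str, str]]:
    """(host, principal) for every hop ssh authenticates to: jump hosts, then the target.

    proxy_jump is the ProxyJump value from ssh_config for the target host, if any;
    a -J on the command line overrides it. A hop with no explicit user gets the
    local username, which is what ssh does."""
    args = shlex.split(command)
    if not args or args[0] != "ssh":
        raise ValueError("expected an ssh command line")
    cli_hops: list[str] = []
    login_opt, target, i = None, None, 1
    while i < len(args):
        arg = args[i]
        if arg == "-J":
            cli_hops.extend(args[i + 1].split(","))
            i += 2
        elif arg.startswith("-J"):
            cli_hops.extend(arg[2:].split(","))
            i += 1
        elif arg == "-l":
            login_opt = args[i + 1]
            i += 2
        elif arg in OPTS_WITH_VALUE:
            i += 2
        elif arg.startswith("-"):
            i += 1
        else:
            target = arg  # anything after the destination is a remote command
            break
    if target is None:
        raise ValueError("no destination in ssh command")
    hops = cli_hops or (proxy_jump.split(",") if proxy_jump else [])
    result = []
    for hop in hops:
        user, _, host = hop.rpartition("@")
        result.append((host, user or local_user))
    user, _, host = target.rpartition("@")
    result.append((host, user or login_opt or local_user))
    return result


def check_command(command: str, logins: list[str], local_user: str,
                  proxy_jump: str | None = None) -> list[tuple[str, str]]:
    """Hops whose principal is not a certificate login; empty means every hop passes."""
    return [(host, user) for host, user in hops_in_command(command, local_user, proxy_jump)
            if user not in logins]


if __name__ == "__main__":
    logins = certificate_logins(TSH_STATUS)
    print("certificate logins:", logins)
    print("proxy WARN explained:", explain_proxy_warning(PROXY_WARN))
    for cmd, jump in [
        ("ssh targetaccountname@ip-10-1-1-115", "teleport-myproxy.net:3023"),
        ("ssh -J mygithubusername@teleport-myproxy.net:3023 targetaccountname@ip-10-1-1-115", None),
        ("ssh -J targetaccountname@teleport-myproxy.net:3023 targetaccountname@ip-10-1-1-115", None),
    ]:
        bad = check_command(cmd, logins, local_user="mylocalusername", proxy_jump=jump)
        print(cmd, "->", "ok" if not bad else f"rejected at {bad}")
```

The first two commands are the ones that failed in the thread: the jump hop is authenticated as `mylocalusername` (ProxyJump in ssh_config with no user) or as `mygithubusername`, neither of which is in Logins. Only the third, with `targetaccountname` at both hops, passes the same check the proxy applies.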

When I try that, I get:

channel 0: open failed: unknown channel type: unknown channel type: direct-tcpip
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

Any logs from the Teleport proxy while that’s going on? It might also help to try using ssh -vv to get some increased debug output from ssh.

It looks to me like authentication is working:

debug1: Offering public key: teleport:xxxx RSA-CERT SHA256:xAXHg3CaQdfUYiVyOvdyFzBtr9OS04Z/AEFZCG9j/3o agent
debug1: Server accepts key: teleport:xxxx RSA-CERT SHA256:xAXHg3CaQdfUYiVyOvdyFzBtr9OS04Z/AEFZCG9j/3o agent
debug1: Authentication succeeded (publickey).
Authenticated to teleport-xxxx.net ([72.44.55.225]:3023).
debug1: channel_connect_stdio_fwd ip-10-1-1-222:3022
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Entering interactive session.
debug1: pledge: network
channel 0: open failed: unknown channel type: unknown channel type: direct-tcpip
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

Nothing in the proxy log.

I found this

I got it to work with an ssh config file that looks something like this:

Host ip-10-1-1-222
Port 3022
IdentityFile ~/.ssh/targetuser
ProxyCommand ssh -p 3023 %r@teleport-proxy.net -s proxy:%h:%p


Good news. I don’t know why the ProxyJump directive isn’t working - I’ll look into it.