Teleport over ssh via identity file

[igtsekov]

I found out that I can use identity files to log in to a node of the cluster, without login into the cluster.
I did these steps:

1. I create a pem file tctl auth sign --ttl=30h --user=<user> --out=file.pem
2. I copy it to the location that I want to ssh from.
3. I executed this command tsh --proxy=<proxy>:<port> ssh -i file.pem <user>@<IP>
4. Everything work as expected. I was successfully logged in to the node.

I want to optimize this to be used via ssh. So I created a .ssh/config

Host <IP>
  Port 3022
  ProxyCommand tsh --proxy=<proxy>:<port> ssh -i file.pem <user>@<IP>

In order to test it, but I get an error:

ssh <IP>
Bad packet length 218783322.
ssh_dispatch_run_fatal: Connection to UNKNOWN port 0: message authentication code incorrect

According to the ssh ProxyCommand dokumentation, this should be possible.
I am using teleport version 6.0.2 for the client and server.

Did someone try to do something like this? Is this even possible?

[webvictim]

tsh ssh isn't designed to be used directly as a ProxyCommand because it does more than just forward stdin/stdout (which is what a ProxyCommand expects).

You should be able to use ssh itself directly with its proxy subsystem:

Host <IP>
  User <user>
  Port 3022
  IdentityFile file.pem
  ProxyCommand ssh <proxy> -s proxy:%h:%p

Host <proxy>
  User <user>
  Port 3023
  IdentityFile file.pem

At this point, ssh <IP> by itself on the command line should work and can be used by Ansible/other tools which expect an ssh transport.

[igtsekov]

On the Jenkins node

ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYevSq4O7BrZ9xhaJHBzo4dCXbxaJamqouGkd1pIeZFgVs87/4nNh4CiUY+VmGoztkNk2KsDh9spgGvdbNOGAGXhNktrdRHL/R+lzx3hMfrHt39BCRWFIcDTRebt1rzhL2ihPsANaDdW9tHEUoCGoqlcSQT8CpwkHFqvf2ZJZ8RJExe5lvw0LKJIkGS9LvTj3xNWZjjkN8rgRkj830UlItqZ1iQCOQnP++tjpVIK3lN4auAdMzpvv29wv1uVlLXHPvDWlJMT5rMgtwQJS/xB0xqXAUD2xnenR13DqVWmIQF83utqs9etXsYixMiRaxApWMNyPMtcZadkUND0J9VIeJ jenkins.pem

After that, I ssh to the proxy node

ssh -p 3022 -A <PROXY-IP> -i jenkins.pem

On the proxy node

ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYevSq4O7BrZ9xhaJHBzo4dCXbxaJamqouGkd1pIeZFgVs87/4nNh4CiUY+VmGoztkNk2KsDh9spgGvdbNOGAGXhNktrdRHL/R+lzx3hMfrHt39BCRWFIcDTRebt1rzhL2ihPsANaDdW9tHEUoCGoqlcSQT8CpwkHFqvf2ZJZ8RJExe5lvw0LKJIkGS9LvTj3xNWZjjkN8rgRkj830UlItqZ1iQCOQnP++tjpVIK3lN4auAdMzpvv29wv1uVlLXHPvDWlJMT5rMgtwQJS/xB0xqXAUD2xnenR13DqVWmIQF83utqs9etXsYixMiRaxApWMNyPMtcZadkUND0J9VIeJ jenkins.pem

It seems that the key is forwarded correctly to the proxy.

[webvictim]

The key is forwarded correctly, but there is no SSH certificate present in either listing. You should see two entries - one for the key and one for the certificate.

It seems that jenkins.pem-cert.pub is still not being added to the SSH agent. How are you adding the key file?

Can you run ssh-keygen -Lf jenkins.pem-cert.pub and provide the output?

[igtsekov]

It works. I have ssh access via da proxy node. THANK YOU very much for the step by step help.

[webvictim]

You're very welcome, I'm glad we got there in the end.

For the benefit of the thread and anyone who may read this in future, could you please explain what the issue was in the end and how you fixed it?

[igtsekov]

To summarize it all
I needed to add --format=openssh to the tctl auth sign command.
When importing the keys into the ssh-agent I renamed the cert file by mistake, because of that it was not imported.
I needed to update the public cluster key that I generated with this command sudo tctl auth export --type=host > teleport_host_ca.pub. The change was that I substitute the cluster name with the IP range of the instances (192.*.*.*) and 🎉