Unable to connect to cluster with tsh

[RobinHellgren]

I've set up a teleport cluster and while the web proxied ssh sessions work as expected, I'm running into an error when trying to connect with tsh.
Version:
Teleport v8.1.0 git:v8.1.0-0-g3dc269bef go1.17.3
tsh login --debug output

DEBU [CLIENT]    open /root/.tsh/***.yaml: no such file or directory client/api.go:710
INFO [CLIENT]    no host login given. defaulting to root client/api.go:1033
ERRO [CLIENT]    [KEY AGENT] Unable to connect to SSH agent on socket: "". client/api.go:2780
DEBU [CLIENT]    not using loopback pool for remote proxy addr: ***:4433 client/api.go:2745
Enter password for Teleport user ***:
Enter your OTP token:
***
DEBU [CLIENT]    not using loopback pool for remote proxy addr: ***:4433 client/api.go:2745
DEBU [CLIENT]    HTTPS client init(proxyAddr=***:4433, insecure=false) client/weblogin.go:212
DEBU [KEYAGENT]  Adding CA key for *** client/keyagent.go:289
DEBU [KEYSTORE]  Adding known host *** with proxy *** and key: *** client/keystore.go:539
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/***.pem" valid until "2022-01-16 10:20:34 +0000 UTC". client/keystore.go:280
DEBU [KEYAGENT]  Deleting obsolete stored key with index {ProxyHost:*** Username:*** ClusterName:***}. client/keyagent.go:437
INFO [KEYAGENT]  Loading SSH key for user "***" and cluster "***". client/keyagent.go:167
INFO [CLIENT]    Connecting proxy=***:4433 login="-***" client/api.go:2041
WARN [CLIENT]    Failed to authenticate with proxy ***:4433. error:[ssh: handshake failed: EOF] client/api.go:2045

ERROR REPORT:
Original Error: *errors.errorString ssh: handshake failed: EOF
Stack Trace:
	/go/src/github.com/gravitational/teleport/lib/client/api.go:2046 github.com/gravitational/teleport/lib/client.(*TeleportClient).connectToProxy
	/go/src/github.com/gravitational/teleport/lib/client/api.go:1962 github.com/gravitational/teleport/lib/client.(*TeleportClient).ConnectToProxy.func1
	/opt/go/src/runtime/asm_amd64.s:1371 runtime.goexit
User Message: failed to authenticate with proxy ***:4433
	ssh: handshake failed: EOF

teleport start --debug //error on login

Jan 16 20:47:05 teleport teleport[7058]: 2022-01-16T20:47:05+01:00 DEBU [KEYGEN]    generated user key for [-teleport-nologin-***] with expiry on (1642>
Jan 16 20:47:05 teleport teleport[7058]: 2022-01-16T20:47:05+01:00 INFO [CA]        Generating TLS certificate {***>
Jan 16 20:47:05 teleport teleport[7058]: 2022-01-16T20:47:05+01:00 DEBU [MX:PROXY:] Closing SSH connection: SSH listener is disabled. multiplexer/multiplexer.go:237

teleport start --debug //Empty SSH server address on startup

Jan 16 20:53:22 teleport teleport[7618]: 2022-01-16T20:53:22+01:00 INFO [PROXY:SER] SSH proxy service 8.1.0:v8.1.0-0-g3dc269bef is starting on . utils/cli.go:282
Jan 16 20:53:22 teleport teleport[7618]: 2022-01-16T20:53:22+01:00 INFO [PROXY:SER] SSH proxy service 8.1.0:v8.1.0-0-g3dc269bef is starting on {  } service/service.go:3015

teleport.yaml

version: v2
teleport:
  nodename: teleport
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: DEBUG
    format:
      output: text
  ca_pin: ***
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  public_addr: ***:3025
  cluster_name: ***
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3022
  public_addr: ***:3022
  labels:
    env: example
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  tunnel_listen_addr: 0.0.0.0:3024
  tunnel_public_addr: ***
  kube_listen_addr: 0.0.0.0:3026
  kube_public_addr: ***:3026
  web_listen_addr: 0.0.0.0:4433
  public_addr: ***:4433
  https_keypairs: []
  https_cert_file: ***
  https_key_file: ***
kubernetes_service:
  enabled: yes
  listen_addr: 0.0.0.0:3027
  kubeconfig_file: "/etc/kube/config"

I replaced some text in the logs with *** for security/privacy reasons.

The log outputs suggest to me that the SSH server proxy isn't running, I'm unsure why this is and I haven't been able to find any info online that clarifies what this message means, I suspect that there's some configuration error that causes the SSH proxy not to start correctly but I've been unable to find what I need to change for it to work.

Any pointers to what I'm missing?

[webvictim]

This looks like an issue relating to the new multiplex listener mode. If you just remove that proxy_listener_mode: multiplex line and restart, things should work as expected.

(I'm assuming you don't particularly care about using it because the ports on all your public_addr entries are different)