Appropriately privileged clients should be able to bounce agentless connections for the Proxy Service #52499
Labels: feature-request (Used for new features in Teleport; improvements to current should be #enhancements), OpenSSH (For customers using Teleport and OpenSSH), server-access
What would you like Teleport to do?
I would like for Teleport client tooling to support bouncing an SSH connection to an agentless (OpenSSH) server through a Teleport Proxy service.
What problem does this solve?
For break-glass access when a Teleport agent is malfunctioning or was misconfigured but the control plane is fully working, configuring hosts to authenticate Teleport agentless connections from the Proxy in their OpenSSH sshd helps, but it requires inbound connectivity from the control plane to the server itself. If the client were allowed to forward a connection from the proxy to the destination server, the connectivity requirements for break-glass access would become barely more onerous than "traditional" SSH access: direct connectivity in any way from the client to the server, plus connectivity from the client to the Teleport control plane.
If a workaround exists, please include it.
The ability to do this forwarding with an "ephemeral" agentless node has the same security implications as being able to create an agentless node; in fact, it is currently possible to simply open a port-forwarding server somewhere that is directly reachable from the control plane and to create an agentless server entry in the cluster pointing at the forwarding server.
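The workaround described in the issue, written out as an added example (this is not code from the issue author or from the Teleport project). The relay host, ports, target address and label are assumptions, and the node resource follows the agentless-node format as assumed here from Teleport's documentation (`kind: node`, `sub_kind: openssh`, a UUID as the resource name). The target's sshd still authenticates the Proxy's certificate; the relay only carries bytes, so the thing that gates this path is the right to create node resources, exactly the privilege the issue calls out.

```shell
#!/bin/sh
# Added example, not code from the issue or from Teleport: the "ephemeral agentless
# node" workaround as the two commands it boils down to. All hosts/ports are assumptions.
#
#  client ──ssh -R──▶ relay (reachable from the Teleport control plane)
#  Proxy ──▶ relay:2222 ──reverse tunnel──▶ client ──▶ target:22 (reachable from client only)
set -eu

# Step 1 (run on the client): sshd on the relay listens on relay_port and hands each
# connection back through the tunnel to target:target_port on the client's network.
# The relay's sshd needs "GatewayPorts yes" (or clientspecified) for a non-loopback bind.
reverse_forward_cmd() {
  relay=$1 relay_port=$2 target=$3 target_port=${4:-22}
  printf 'ssh -N -o ExitOnForwardFailure=yes -R 0.0.0.0:%s:%s:%s %s\n' \
    "$relay_port" "$target" "$target_port" "$relay"
}

# Agentless node names must be UUIDs; reject anything else before tctl is ever called
# so a typo does not surface as an opaque server-side error.
is_uuid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Step 2: emit the node resource whose addr is the relay port, not the real server.
# The Proxy dials spec.addr directly, which is why the relay has to be reachable from it.
agentless_node_yaml() {
  name=$1 hostname=$2 addr=$3
  is_uuid "$name" || { echo "name must be a UUID: $name" >&2; return 1; }
  case $addr in
    *:[0-9]*) ;;
    *) echo "addr must be host:port: $addr" >&2; return 1 ;;
  esac
  cat <<EOF
kind: node
version: v2
sub_kind: openssh
metadata:
  name: $name
  labels:
    breakglass: "true"
spec:
  addr: $addr
  hostname: $hostname
EOF
}

main() {
  relay=relay.example.internal   # assumption: reachable from the Proxy
  relay_port=2222                # assumption
  target=10.0.0.5                # assumption: the broken-agent host, reachable from the client
  name=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)

  echo "# 1. run on the client and keep it open for the duration of the session:"
  reverse_forward_cmd "$relay" "$relay_port" "$target"
  echo "# 2. save as node.yaml and register it (needs a role allowed to create node resources):"
  agentless_node_yaml "$name" breakglass-10-0-0-5 "$relay:$relay_port"
  echo "#    tctl create node.yaml"
  echo "# 3. connect through the Proxy, then remove the ephemeral entry when done:"
  echo "#    tsh ssh root@breakglass-10-0-0-5"
  echo "#    tctl rm node/$name"
}

if [ "${1:-}" = run ]; then
  main
fi
```

Run with `sh ephemeral_agentless.sh run` to print the commands; nothing is executed against the cluster. Binding the listener to `0.0.0.0` mirrors the issue's "directly reachable from the control plane" requirement; on a relay with more than one interface, narrow it to the address the Proxy actually connects from, and delete the node resource as soon as the break-glass session ends.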