Documentation for ssh_port_forwarding role option #50361

Merged
merged 1 commit into from
Dec 18, 2024
12 changes: 10 additions & 2 deletions docs/pages/admin-guides/api/rbac.mdx
@@ -859,7 +859,11 @@ spec:
enabled: true
max_session_ttl: 30h0m0s
pin_source_ip: false
port_forwarding: true
ssh_port_forwarding:
remote:
enabled: true
local:
enabled: true
record_session:
default: best_effort
desktop: true
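Review bot: the example swaps `port_forwarding` for `ssh_port_forwarding` without any pointer to the precedence rule this same PR documents in the server-access RBAC page (a legacy `port_forwarding: true` left in an existing role makes `ssh_port_forwarding` ignored); a one-line note or link next to this example would save readers who copy it into an environment that still carries legacy roles from a silent no-op.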
@@ -906,7 +910,11 @@ spec:
enabled: true
max_session_ttl: 30h0m0s
pin_source_ip: false
port_forwarding: true
ssh_port_forwarding:
remote:
enabled: true
local:
enabled: true
record_session:
default: best_effort
desktop: true
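Review bot: this second example in the same file is the identical change to the one at line 859; if both are meant to reproduce what the API returns for a role, please confirm the server now emits `ssh_port_forwarding` (and no longer `port_forwarding`) when a role is read back, so the documented output matches what users actually see.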
14 changes: 12 additions & 2 deletions docs/pages/enroll-resources/server-access/rbac.mdx
@@ -135,8 +135,18 @@ spec:
create_host_user_mode: keep
# forward_agent controls whether SSH agent forwarding is allowed
forward_agent: true
# port_forwarding controls whether TCP port forwarding is allowed for SSH
port_forwarding: true
# ssh_port_forwarding controls which TCP port forwarding modes are allowed over SSH. This replaces
# the deprecated port_forwarding field, which did not differentiate between remote and local
# port forwarding modes. If you have any existing roles that allow forwarding by enabling the
# legacy port_forwarding field then the forwarding controls configured in ssh_port_forwarding will be
# ignored.
ssh_port_forwarding:
# configures remote port forwarding behavior
remote:
enabled: true
# configures local port forwarding behavior
local:
enabled: true
# ssh_file_copy controls whether file copying (SCP/SFTP) is allowed.
# Defaults to true.
ssh_file_copy: false
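Review bot: the new comment at lines 72-76 leaves the precedence rule ambiguous: it says `ssh_port_forwarding` is ignored when the legacy `port_forwarding` is enabled, but not what happens when `port_forwarding` is explicitly set to `false`, nor whether the check is per role or across all of a user's roles ("If you have any existing roles" reads as the latter). Both need spelling out, since a reader deciding whether to strip the legacy field from every role depends on the answer. The comment lines also run far past the width of the neighbouring comments in this block; wrapping them at the same width keeps the snippet readable in the rendered page.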
14 changes: 12 additions & 2 deletions docs/pages/includes/role-spec.mdx
@@ -13,8 +13,18 @@ spec:
max_session_ttl: 8h
# forward_agent controls whether SSH agent forwarding is allowed
forward_agent: true
# port_forwarding controls whether TCP port forwarding is allowed for SSH
port_forwarding: true
# ssh_port_forwarding controls which TCP port forwarding modes are allowed over SSH. This replaces
# the deprecated port_forwarding field, which did not differentiate between remote and local
# port forwarding modes. If you have any existing roles that allow forwarding by enabling the
# legacy port_forwarding field then the forwarding controls configured in ssh_port_forwarding will be
# ignored.
ssh_port_forwarding:
# configures remote port forwarding behavior
remote:
enabled: true
# configures local port forwarding behavior
local:
enabled: true
# ssh_file_copy controls whether file copying (SCP/SFTP) is allowed.
# Defaults to true.
ssh_file_copy: false
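Review bot: lines 96-100 duplicate the comment text added to `docs/pages/enroll-resources/server-access/rbac.mdx` word for word; since this file is an include partial, consider having the server-access page pull the snippet from here instead of carrying its own copy, so the precedence wording cannot drift between the two. The same gaps noted there (explicit `port_forwarding: false`, per-role versus across-roles evaluation) apply to this copy.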
2 changes: 1 addition & 1 deletion docs/pages/reference/access-controls/roles.mdx
@@ -52,7 +52,7 @@ user:
| - | - | - |
| `max_session_ttl` | Max. time to live (TTL) of a user's SSH certificates | The shortest TTL wins |
| `forward_agent` | Allow SSH agent forwarding | Logical "OR" i.e. if any role allows agent forwarding, it's allowed |
| `port_forwarding` | Allow TCP port forwarding | Logical "OR" i.e. if any role allows port forwarding, it's allowed |
| `ssh_port_forwarding` | Allow TCP port forwarding | Logical "AND" i.e. if any role denies port forwarding, it's denied |
| `ssh_file_copy` | Allow SCP/SFTP | Logical "AND" i.e. if all roles allows file copying, it's allowed |
| `client_idle_timeout` | Forcefully terminate active sessions after an idle interval | The shortest timeout value wins, i.e. the most restrictive value is selected |
| `disconnect_expired_cert` | Forcefully terminate active sessions when a client certificate expires | Logical "OR" i.e. evaluates to "yes" if at least one role requires session termination |
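Review bot: the `port_forwarding` row is dropped rather than marked deprecated, yet the Terraform reference in this same PR still lists it as a live (deprecated) option and the role-spec comments say it overrides `ssh_port_forwarding` whenever it is enabled; a reader of this table would have no way to learn that the old OR rule still governs their legacy roles. Keep a row for it with a deprecation note. For the new row, `ssh_port_forwarding` is an object with independent `remote` and `local` switches, so the description should say whether the AND rule is evaluated per mode (a role denying only remote forwarding blocks only remote) rather than for port forwarding as a whole.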
14 changes: 11 additions & 3 deletions docs/pages/reference/terraform-provider/resources/role.mdx
@@ -27,9 +27,17 @@ resource "teleport_role" "example" {

spec = {
options = {
forward_agent = false
max_session_ttl = "7m"
port_forwarding = false
forward_agent = false
max_session_ttl = "7m"
ssh_port_forwarding = {
remote = {
enabled = false
}

local = {
enabled = false
}
}
client_idle_timeout = "1h"
disconnect_expired_cert = true
permit_x11_forwarding = false
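Review bot: this `teleport_role` example appears three times in the PR (here, the second copy further down, and in `integrations/terraform/reference.mdx`) with different layouts: here `ssh_port_forwarding` takes the slot `port_forwarding` occupied and has a blank line between `remote` and `local`, while the reference.mdx copy appends it after `request_access` with no blank line. Pick one form and apply it to all three, or source them from a single file so they cannot diverge again.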
6 changes: 5 additions & 1 deletion examples/resources/admin.yaml
@@ -28,5 +28,9 @@ spec:
- network
forward_agent: true
max_session_ttl: 30h0m0s
port_forwarding: true
ssh_port_forwarding:
remote:
enabled: true
local:
enabled: true
version: v3
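Review bot: the example keeps `version: v3` while switching to `ssh_port_forwarding`; if the new field is only recognised on a newer role version, this example will be rejected as written, so either confirm that v3 roles accept it or bump the version here alongside the field change.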
6 changes: 5 additions & 1 deletion examples/resources/user.yaml
@@ -56,5 +56,9 @@ spec:
- network
forward_agent: true
max_session_ttl: 30h0m0s
port_forwarding: true
ssh_port_forwarding:
remote:
enabled: true
local:
enabled: true
version: v3
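Review bot: same question as for `examples/resources/admin.yaml`: confirm `ssh_port_forwarding` is accepted on a `version: v3` role, otherwise this example fails on create and both example files need a version bump rather than just the field swap.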
@@ -13,9 +13,17 @@ resource "teleport_role" "example" {

spec = {
options = {
forward_agent = false
max_session_ttl = "7m"
port_forwarding = false
forward_agent = false
max_session_ttl = "7m"
ssh_port_forwarding = {
remote = {
enabled = false
}

local = {
enabled = false
}
}
client_idle_timeout = "1h"
disconnect_expired_cert = true
permit_x11_forwarding = false
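Review bot: this is the same `teleport_role` example as in `docs/pages/reference/terraform-provider/resources/role.mdx` above, down to the re-aligned `forward_agent` and `max_session_ttl` lines; if one copy is generated from the other, only the source should need editing, and if neither is, consider turning them into one include. The realignment of the two unchanged attributes adds noise to the diff but is what the formatter wants once the longer `ssh_port_forwarding` key is present, so that part is fine.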
38 changes: 36 additions & 2 deletions integrations/terraform/reference.mdx
@@ -2051,7 +2051,8 @@ Options is for OpenSSH options like agent forwarding.
| max_sessions | number | | MaxSessions defines the maximum number of concurrent sessions per connection. |
| permit_x11_forwarding | bool | | PermitX11Forwarding authorizes use of X11 forwarding. |
| pin_source_ip | bool | | PinSourceIP forces the same client IP for certificate generation and usage |
| port_forwarding | bool | | |
| ssh_port_forwarding | object | | SSHPortForwarding configures what types of SSH port forwarding are allowed by a role. |
| port_forwarding | bool | | Deprecated: Use SSHPortForwarding instead. |
| record_session | object | | RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false. |
| request_access | string | | RequestAccess defines the access request strategy (optional|note|always) where optional is the default. |
| request_prompt | string | | RequestPrompt is an optional message which tells users what they aught to request. |
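Review bot: the `ssh_port_forwarding` row is inserted ahead of `port_forwarding`, breaking the alphabetical order the rest of this table follows (`permit_x11_forwarding`, `pin_source_ip`, `port_forwarding`, `record_session`, `request_access`, ...); move it to where the rest of the list would place it. The deprecation text on `port_forwarding` should also say that it takes precedence over `ssh_port_forwarding` when set, since that is the behaviour the role-spec comments in this PR document and it is exactly what a Terraform user migrating a role would trip over.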
@@ -2085,6 +2086,31 @@ SAML are options related to the Teleport SAML IdP.
|---------|------|----------|-------------|
| enabled | bool | | |

##### spec.options.ssh_port_forwarding

SSHPortForwarding configures what types of SSH port forwarding are allowed by a role.

| Name | Type | Required | Description |
|--------|--------|----------|-----------------------------------------------------------|
| remote | object | | remote contains options related to remote port forwarding |
| local | object | | local contains options related to local port forwarding |

###### spec.options.ssh_port_forwarding.remote

remote contains options related to remote port forwarding

| Name | Type | Required | Description |
|---------|------|----------|-------------|
| enabled | bool | | |

###### spec.options.ssh_port_forwarding.local

local contains options related to local port forwarding

| Name | Type | Required | Description |
|---------|------|----------|-------------|
| enabled | bool | | |

##### spec.options.record_session

RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false.
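Review bot: the `enabled` rows under both `spec.options.ssh_port_forwarding.remote` and `.local` have empty Description cells; a one-liner such as "enabled controls whether remote port forwarding is allowed" would spare readers a trip back to the parent section (the existing SAML `enabled` row is equally empty, but that is not a reason to add two more). The two sub-section descriptions ("remote contains options ...", "local contains options ...") also start lowercase and lack a full stop, unlike the surrounding descriptions, which read as sentences.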
@@ -2114,11 +2140,19 @@ resource "teleport_role" "example" {
options = {
forward_agent = false
max_session_ttl = "7m"
port_forwarding = false
client_idle_timeout = "1h"
disconnect_expired_cert = true
permit_x11_forwarding = false
request_access = "denied"
ssh_port_forwarding = {
remote = {
enabled = false
}
local = {
enabled = false
}
}
}
allow = {
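Review bot: `ssh_port_forwarding` is appended after `request_access` here, whereas the same example in `role.mdx` puts it where `port_forwarding` used to sit, directly after `max_session_ttl`, with a blank line between `remote` and `local`; the copies of this example should match. Keeping it next to `forward_agent` and `max_session_ttl` also groups the SSH-related options together, which reads better than tacking it onto the end.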
6 changes: 5 additions & 1 deletion rfd/0007-rbac-oss.md
@@ -90,7 +90,11 @@ role:
name: user
spec:
options:
port_forwarding: true
ssh_port_forwarding:
remote:
enabled: true
local:
enabled: true
Comment on lines +93 to +97
Contributor Author


These RFD edits probably weren't necessary, but I figured it doesn't hurt to keep example configurations accurate

max_session_ttl: 30h
forward_agent: true
enhanced_recording: ['command', 'network']
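Review bot: editing a merged RFD's example replaces the field that was actually proposed at the time, so the document no longer records what was designed; if the goal is to keep copy-pasteable examples accurate, a short note beside the example saying that `port_forwarding` has since been superseded by `ssh_port_forwarding` preserves both the history and the accuracy. Behaviourally the replacement is faithful, since both modes are enabled to match the previous `port_forwarding: true`.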
6 changes: 5 additions & 1 deletion rfd/0008-application-access.md
@@ -303,7 +303,11 @@ version: v3
spec:
options:
forward_agent: true
port_forwarding: false
ssh_port_forwarding:
remote:
enabled: false
local:
enabled: false
allow:
logins: ["rjones"]
# Application labels define labels that an application must match for this
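Review bot: same remark as for `rfd/0007-rbac-oss.md`: this rewrites the historical example rather than annotating it. The substitution itself is correct (`port_forwarding: false` becomes both `remote` and `local` disabled), so if the RFD edits stay in the PR, this hunk needs no further change.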