scp to agentless nodes allowed in spite of RBAC denial #24949

nklaassen · 2023-04-20T23:25:02Z

Expected behavior:

When ssh_file_copy is set to false in a user's role, they are blocked from using tsh scp for any target node, including agentless nodes.

Current behavior:

tsh scp and OpenSSH scp both work to copy files to/from agentless nodes without error.
The action is correctly denied for teleport nodes.

I'm not sure if it's technically even possible to block file copies, but the test plan indicates the expected behaviour is to block it. So we should either fix this or update the test plan (and docs).

Bug details:

Teleport version: v13.0.0-alpha.1
Recreation steps: Create an agentless node. Create a role with ssh_file_copy: false. Assign the role to a user and try tsh scp file user@agentless-node:
Debug logs

The text was updated successfully, but these errors were encountered:

nklaassen added bug test-plan-problem Issues which have been surfaced by running the manual release test plan scp agentless labels Apr 20, 2023

nklaassen assigned capnspacehook Apr 20, 2023

nklaassen mentioned this issue Apr 20, 2023

Teleport 13 Test Plan #24576

Closed

capnspacehook mentioned this issue Apr 21, 2023

fix file copy check not happening for agentless SSH connections #25012

Merged

capnspacehook linked a pull request Apr 21, 2023 that will close this issue

fix file copy check not happening for agentless SSH connections #25012

Merged

capnspacehook closed this as completed in #25012 Apr 28, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

scp to agentless nodes allowed in spite of RBAC denial #24949

scp to agentless nodes allowed in spite of RBAC denial #24949

nklaassen commented Apr 20, 2023

scp to agentless nodes allowed in spite of RBAC denial #24949

scp to agentless nodes allowed in spite of RBAC denial #24949

Comments

nklaassen commented Apr 20, 2023