add TLS client cert and cookie injection to tsh #6831
Labels: c-bl, c-sq, feature-request
What
When Teleport is behind a BeyondCorp gateway appliance, any requests it makes over HTTPS must be made with a client certificate and also inject a cookie. The BeyondCorp appliance then acts as a reverse proxy to Teleport.
The beyond software on the end users' laptops provides a listening Unix socket that handles injecting the correct client certificate, so that is also something that could work in place of the client certificate support.
A cURL example showing how the access is done:
curl https://teleport.example.com:3080/
would become either:
curl -E /path/to/client.crt --key /path/to/client.key --cookie "bc_auth_token=$(beyond-agent query -t)" https://teleport.example.com:3080/
or
curl --unix-socket /path/to/beyond.sock --cookie "bc_auth_token=$(beyond-agent query -t)" https://teleport.example.com:3080/
How
Extend tsh to have arguments to allow for client cert and arbitrary cookie/header information.
Why
Teleport is installed behind a BeyondCorp gateway appliance and these requirements (along with #6830) are necessary to get users to use Teleport in this environment.
Workaround
Currently need to build a forked tsh with BeyondCorp gateway logic added in.
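The first curl form above, expressed as a Go HTTP client; this is an added example, not code from tsh or from the reporter's fork. `GatewayOptions`, `NewGatewayClient` and the `Token` callback are hypothetical names, the token value in any test run is constructed, and the Unix-socket path is not covered. The cookie is attached only to requests for the gateway host, so a redirect to another host never receives the token.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// GatewayOptions is hypothetical; these are not existing tsh flags.
type GatewayOptions struct {
	Host              string // gateway host:port; the cookie is sent only there
	CertFile, KeyFile string // client certificate pair, as with curl -E/--key
	CookieName        string
	Token             func() (string, error) // e.g. wraps `beyond-agent query -t`
}

type cookieInjector struct {
	base http.RoundTripper
	opts GatewayOptions
}

func (c *cookieInjector) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.URL.Host != c.opts.Host {
		return c.base.RoundTrip(req) // e.g. a redirect elsewhere: no token
	}
	tok, err := c.opts.Token() // fetched per request, so a rotated token is used
	if err != nil {
		return nil, err // fail closed: no request without a token
	}
	r := req.Clone(req.Context()) // a RoundTripper must not mutate its input
	r.AddCookie(&http.Cookie{Name: c.opts.CookieName, Value: tok})
	return c.base.RoundTrip(r)
}

func NewGatewayClient(o GatewayOptions) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if o.CertFile != "" {
		cert, err := tls.LoadX509KeyPair(o.CertFile, o.KeyFile)
		if err != nil {
			return nil, fmt.Errorf("client certificate: %w", err) // fail closed
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return &http.Client{Transport: &cookieInjector{&http.Transport{TLSClientConfig: cfg}, o}}, nil
}

func main() {
	_, err := NewGatewayClient(GatewayOptions{CertFile: "missing.crt", KeyFile: "missing.key"})
	fmt.Println("missing certificate rejected:", err != nil)
}
```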