tsh scp with ~ fails when max_session is set to 1 #23593

Closed
Tracked by #22933
pschisa opened this issue Mar 24, 2023 · 0 comments · Fixed by #24254
Labels
bug c-dx Internal Customer Reference scp sftp Issues related to Teleport's SFTP implementation tsh tsh - Teleport's command line tool for logging into nodes running Teleport.

pschisa commented Mar 24, 2023

Expected behavior:
tsh scp some_file $USER@<node>:~ will succeed when max_session is set to 1 in the user role

Current behavior:
tsh scp some_file $USER@<node>:~ fails when max_session is set to 1 in the user role with the following error

$ tsh scp test.txt root@iamtheappman:~
ERROR: ssh: rejected: administratively prohibited (too many session channels for user "superpaul" (max=1))

Setting max_sessions: 2 or greater resolves the issue. Specifying the home directory explicitly works even with max_sessions: 1

$ tsh scp test.txt root@iamtheappman:/root
test.txt 100% |██████████████████████████████████████████████████████████████████| (97/97 B, 313 kB/s)

Bug details:

  • Teleport version
$ tsh version
Teleport v12.0.1 git:api/v12.0.1-0-ga27fce9275 go1.19.5
Proxy version: 12.1.2
  • Recreation steps
    In a cluster, assign yourself a role that sets max_sessions: 1 and grants you access to a node
    Run tsh scp some_file $USER@:/home/$USER/ and observe it works as expected
    Run tsh scp some_file $USER@:~ and observe that it breaks with the error

  • Debug logs

$ tsh -d scp test.txt root@iamtheappman:~
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.ZqjzKKJvBB/Listeners" client/api.go:3872
DEBU [KEYSTORE]  Reading certificates from path "/Users/paulschisa/.tsh/keys/test-cluster1.plainsofconquest.com/superpaul-ssh/ip-172-31-36-239-ec2-internal-cert.pub". client/keystore.go:339
DEBU [KEYSTORE]  Teleport TLS certificate valid until "2023-03-25 06:51:36 +0000 UTC". client/client_store.go:89
INFO [KEYAGENT]  Loading SSH key for user "superpaul" and cluster "ip-172-31-36-239-ec2-internal". client/keyagent.go:195
DEBU [KEYSTORE]  Teleport TLS certificate valid until "2023-03-25 06:51:36 +0000 UTC". client/client_store.go:89
DEBU [KEYSTORE]  Teleport TLS certificate valid until "2023-03-25 06:51:36 +0000 UTC". client/client_store.go:89
INFO [CLIENT]    Connecting to proxy=test-cluster1.plainsofconquest.com:443 login="root" using TLS Routing client/api.go:2778
DEBU [KEYSTORE]  Teleport TLS certificate valid until "2023-03-25 06:51:36 +0000 UTC". client/client_store.go:89
DEBU [HTTP:PROX] No proxy set in environment, returning direct dialer. proxy/proxy.go:301
DEBU [KEYSTORE]  Teleport TLS certificate valid until "2023-03-25 06:51:36 +0000 UTC". client/client_store.go:89
DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com [key data omitted]\n." client/keyagent.go:367
DEBU [KEYAGENT]  Validated host test-cluster1.plainsofconquest.com:443. client/keyagent.go:373
INFO [CLIENT]    Successful auth with proxy test-cluster1.plainsofconquest.com:443. client/api.go:2783
DEBU [KEYSTORE]  Teleport TLS certificate valid until "2023-03-25 06:51:36 +0000 UTC". client/client_store.go:89
INFO [CLIENT]    Client= connecting to node=iamtheappman on cluster ip-172-31-36-239-ec2-internal client/client.go:1473
DEBU [KEYSTORE]  Teleport TLS certificate valid until "2023-03-25 06:51:36 +0000 UTC". client/client_store.go:89
DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com [key data omitted]\n." client/keyagent.go:367
DEBU [KEYAGENT]  Validated host iamtheappman:0@default@ip-172-31-36-239-ec2-internal. client/keyagent.go:373

ERROR REPORT:
Original Error: *ssh.OpenChannelError ssh: rejected: administratively prohibited (too many session channels for user "superpaul" (max=1))
Stack Trace:
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:258 github.com/gravitational/teleport/lib/sshutils/sftp.getRemoteHomeDir
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:201 github.com/gravitational/teleport/lib/sshutils/sftp.(*Config).initFS.func1
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:229 github.com/gravitational/teleport/lib/sshutils/sftp.expandPath
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:218 github.com/gravitational/teleport/lib/sshutils/sftp.(*Config).expandPaths
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:205 github.com/gravitational/teleport/lib/sshutils/sftp.(*Config).initFS
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:167 github.com/gravitational/teleport/lib/sshutils/sftp.(*Config).TransferFiles
	github.com/gravitational/teleport/lib/client/client.go:1893 github.com/gravitational/teleport/lib/client.(*NodeClient).TransferFiles
	github.com/gravitational/teleport/lib/client/api.go:2014 github.com/gravitational/teleport/lib/client.(*TeleportClient).TransferFiles
	github.com/gravitational/teleport/lib/client/api.go:1916 github.com/gravitational/teleport/lib/client.(*TeleportClient).SFTP
	github.com/gravitational/teleport/tool/tsh/tsh.go:2991 main.onSCP.func1
	github.com/gravitational/teleport/lib/client/api.go:501 github.com/gravitational/teleport/lib/client.RetryWithRelogin
	github.com/gravitational/teleport/tool/tsh/tsh.go:2990 main.onSCP
	github.com/gravitational/teleport/tool/tsh/tsh.go:1070 main.Run
	github.com/gravitational/teleport/tool/tsh/tsh.go:475 main.main
	runtime/proc.go:250 runtime.main
	runtime/asm_amd64.s:1594 runtime.goexit
User Message: ssh: rejected: administratively prohibited (too many session channels for user "superpaul" (max=1))

ERROR REPORT:
Original Error: *ssh.OpenChannelError ssh: rejected: administratively prohibited (too many session channels for user "superpaul" (max=1))
Stack Trace:
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:258 github.com/gravitational/teleport/lib/sshutils/sftp.getRemoteHomeDir
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:201 github.com/gravitational/teleport/lib/sshutils/sftp.(*Config).initFS.func1
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:229 github.com/gravitational/teleport/lib/sshutils/sftp.expandPath
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:218 github.com/gravitational/teleport/lib/sshutils/sftp.(*Config).expandPaths
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:205 github.com/gravitational/teleport/lib/sshutils/sftp.(*Config).initFS
	github.com/gravitational/teleport/lib/sshutils/sftp/sftp.go:167 github.com/gravitational/teleport/lib/sshutils/sftp.(*Config).TransferFiles
	github.com/gravitational/teleport/lib/client/client.go:1893 github.com/gravitational/teleport/lib/client.(*NodeClient).TransferFiles
	github.com/gravitational/teleport/lib/client/api.go:2014 github.com/gravitational/teleport/lib/client.(*TeleportClient).TransferFiles
	github.com/gravitational/teleport/lib/client/api.go:1916 github.com/gravitational/teleport/lib/client.(*TeleportClient).SFTP
	github.com/gravitational/teleport/tool/tsh/tsh.go:2991 main.onSCP.func1
	github.com/gravitational/teleport/lib/client/api.go:501 github.com/gravitational/teleport/lib/client.RetryWithRelogin
	github.com/gravitational/teleport/tool/tsh/tsh.go:2990 main.onSCP
	github.com/gravitational/teleport/tool/tsh/tsh.go:1070 main.Run
	github.com/gravitational/teleport/tool/tsh/tsh.go:475 main.main
	runtime/proc.go:250 runtime.main
	runtime/asm_amd64.s:1594 runtime.goexit
User Message: ssh: rejected: administratively prohibited (too many session channels for user "superpaul" (max=1))
@pschisa pschisa added bug tsh tsh - Teleport's command line tool for logging into nodes running Teleport. c-dx Internal Customer Reference labels Mar 24, 2023
@zmb3 zmb3 added the scp label Mar 24, 2023
@zmb3 zmb3 mentioned this issue Mar 24, 2023
@jakule jakule added the sftp Issues related to Teleport's SFTP implementation label Mar 24, 2023
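
The failure reported above can be modelled as a per-connection cap on concurrently open session channels. This is an added example, not Teleport's code or the fix from #24254: `Conn`, `OpenSession`, `expand`, `Transfer` and the `/home/demo` path are hypothetical. It assumes, from the error and stack trace, that the home-directory lookup opens its own session channel while the SFTP session is still open.

```go
package main

import (
	"fmt"
	"strings"
)

// Conn is a toy SSH connection that counts concurrently open session channels.
type Conn struct{ max, open int }

// OpenSession returns a close func, or an error once the cap is reached.
func (c *Conn) OpenSession() (func(), error) {
	if c.open >= c.max {
		return nil, fmt.Errorf("too many session channels (max=%d)", c.max)
	}
	c.open++
	return func() { c.open-- }, nil
}

// expand resolves a leading "~" using a short-lived extra session channel.
func expand(c *Conn, dst string) (string, error) {
	if dst != "~" && !strings.HasPrefix(dst, "~/") {
		return dst, nil // explicit path: no extra channel needed
	}
	done, err := c.OpenSession()
	if err != nil {
		return "", err
	}
	defer done()
	return "/home/demo" + dst[1:], nil // constructed home directory
}

// Transfer holds one session for SFTP; expandFirst picks when "~" is resolved.
func Transfer(c *Conn, dst string, expandFirst bool) (path string, err error) {
	if expandFirst { // lookup channel is closed before SFTP starts
		if dst, err = expand(c, dst); err != nil {
			return "", err
		}
	}
	sftpDone, err := c.OpenSession()
	if err != nil {
		return "", err
	}
	defer sftpDone()
	return expand(c, dst) // no-op unless dst still starts with "~"
}

func main() {
	fmt.Println(Transfer(&Conn{max: 1}, "~", false)) // lookup overlaps SFTP
	fmt.Println(Transfer(&Conn{max: 1}, "~", true))  // lookup finishes first
}
```

With a cap of 1, only the overlapping `~` lookup is rejected. An explicit path, a cap of 2, or finishing the lookup before the SFTP session opens all succeed, which matches the behaviour described in the report.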