Teleport's internal hostname matching should be case-insensitive

[webvictim]

What happened: As far as Teleport is concerned, MyServer is not the same hostname as myserver. This isn't how DNS handles the same thing.

What you expected to happen: MyServer should be evaluated the same way as myserver.

How to reproduce it (as minimally and precisely as possible): Log into a Teleport cluster and try to SSH to a node with mixed case letters.

$ tsh ls 
Node Name       Address         Labels                                                    
--------------- --------------- --------------------------------------------------------- 
antaeusLaptop   ⟵ Tunnel        arch=x86_64, hardware=laptop                              
                                hostname=antaeus, owner=gus                               
gus-main-auth-0 127.0.0.1:3022  environment=demo, kernel=4.14.137+                        
                                role=auth, uptime=up 2 weeks, 2 days, 6 hours, 38 minutes 
gus-main-node-0 10.4.0.125:3022 environment=demo, kernel=4.14.137+                        
                                role=node, uptime=up 2 weeks, 2 days, 6 hours, 38 minutes 
gus-main-node-1 10.4.0.126:3022 environment=demo, kernel=4.14.137+                        
                                role=node, uptime=up 2 weeks, 2 days, 6 hours, 38 minutes 
gus-main-node-2 10.4.0.127:3022 environment=demo, kernel=4.14.137+                        
                                role=node, uptime=up 2 weeks, 2 days, 6 hours, 38 minutes 

$ tsh ssh root@antaeuslaptop
error: "failed connecting to node antaeuslaptop. \nERROR REPORT:\nOriginal Error: *net.OpError dial tcp: lookup antaeuslaptop on 10.7.240.10:53: no such host\nStack Trace:\n\t/gopath/src/github.com/gravitational/teleport/lib/reversetunnel/localsite.go:276 github.com/gravitational/teleport/lib/reversetunnel.(*localSite).getConn\n\t/gopath/src/github.com/gravitational/teleport/lib/reversetunnel/localsite.go:189 github.com/gravitational/teleport/lib/reversetunnel.(*localSite).DialTCP\n\t/gopath/src/github.com/gravitational/teleport/lib/reversetunnel/localsite.go:183 github.com/gravitational/teleport/lib/reversetunnel.(*localSite).Dial\n\t/gopath/src/github.com/gravitational/teleport/lib/srv/regular/proxy.go:381 github.com/gravitational/teleport/lib/srv/regular.(*proxySubsys).proxyToHost\n\t/gopath/src/github.com/gravitational/teleport/lib/srv/regular/proxy.go:236 github.com/gravitational/teleport/lib/srv/regular.(*proxySubsys).Start\n\t/gopath/src/github.com/gravitational/teleport/lib/srv/regular/sshserver.go:1206 github.com/gravitational/teleport/lib/srv/regular.(*Server).handleSubsystem\n\t/gopath/src/github.com/gravitational/teleport/lib/srv/regular/sshserver.go:1083 github.com/gravitational/teleport/lib/srv/regular.(*Server).dispatch\n\t/gopath/src/github.com/gravitational/teleport/lib/srv/regular/sshserver.go:1048 github.com/gravitational/teleport/lib/srv/regular.(*Server).handleSessionRequests\n\t/opt/go/src/runtime/asm_amd64.s:1338 runtime.goexit\nUser Message: \n"

$ tsh ssh root@antaeusLaptop
[09:55:32] root@antaeus ~
> 

Environment:

• Teleport version (use teleport version): Teleport Enterprise v4.1.2git:v4.1.2-0-g7886df10 go1.12.1
• Tsh version (use tsh version): Teleport v4.1.2 git:v4.1.2-0-g7886df10 go1.12.1
• OS (e.g. from /etc/os-release): Fedora 29

[jdconti]

Any updates on this issue? Emulating ssh's native behavior would be ideal for converts.

[omer-Percepto]

Also encountered this issue when trying to use ssh config to log into a node with upper-case letters in name.

tsh config >> ~/.ssh/config
ssh <USER>@<Uppercase-Node-Name>.<CLUSTER-URL>

ERROR: ssh: subsystem request failed

kex_exchange_identification: Connection closed by remote host

Using ssh -vvv you can see that it is trying to connect to the lowered case node-name which cannot be resolved by teleport.

Fix would be much appreciated.

[russjones]

@jdconti I think the idea is good, because we would match insensitive behavior of DNS. Unfortunately because we are already sensitive (and RBAC is sensitive) there is a chance we have customers relying on that behavior already.

I'll leave this ticket open to see if we can think of a way in the future to address this.

[zmb3]

Plan: add a new cluster-wide option to cluster_networking_config that defaults to the current case-sensitive behavior, allowing opt-in to the new case-insensitive hostname resolution.