-
Notifications
You must be signed in to change notification settings - Fork 1.8k
/
constants.go
968 lines (745 loc) · 34 KB
/
constants.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
/*
* Teleport
* Copyright (C) 2023 Gravitational, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package teleport
import (
"strings"
"time"
)
// WebAPIVersion is a current webapi version
const WebAPIVersion = "v1"
const (
// SSHAuthSock is the environment variable pointing to the
// Unix socket the SSH agent is running on.
SSHAuthSock = "SSH_AUTH_SOCK"
// SSHAgentPID is the environment variable pointing to the agent
// process ID
SSHAgentPID = "SSH_AGENT_PID"
// SSHTeleportUser is the current Teleport user that is logged in.
SSHTeleportUser = "SSH_TELEPORT_USER"
// SSHSessionWebProxyAddr is the address the web proxy.
SSHSessionWebProxyAddr = "SSH_SESSION_WEBPROXY_ADDR"
// SSHTeleportClusterName is the name of the cluster this node belongs to.
SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME"
// SSHTeleportHostUUID is the UUID of the host.
SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID"
// SSHSessionID is the UUID of the current session.
SSHSessionID = "SSH_SESSION_ID"
)
const (
// HTTPNextProtoTLS is the NPN/ALPN protocol negotiated during
// HTTP/1.1.'s TLS setup.
// https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
HTTPNextProtoTLS = "http/1.1"
)
const (
// TOTPValidityPeriod is the number of seconds a TOTP token is valid.
TOTPValidityPeriod uint = 30
// TOTPSkew adds that many periods before and after to the validity window.
TOTPSkew uint = 1
)
const (
// ComponentKey is a field that represents a component - e.g. service or
// function
ComponentKey = "trace.component"
// ComponentFields is a fields component
ComponentFields = "trace.fields"
// ComponentMemory is a memory backend
ComponentMemory = "memory"
// ComponentAuthority is a TLS and an SSH certificate authority
ComponentAuthority = "ca"
// ComponentProcess is a main control process
ComponentProcess = "proc"
// ComponentServer is a server subcomponent of some services
ComponentServer = "server"
// ComponentACME is ACME protocol controller
ComponentACME = "acme"
// ComponentReverseTunnelServer is reverse tunnel server
// that together with agent establish a bi-directional SSH revers tunnel
// to bypass firewall restrictions
ComponentReverseTunnelServer = "proxy:server"
// ComponentReverseTunnelAgent is reverse tunnel agent
// that together with server establish a bi-directional SSH revers tunnel
// to bypass firewall restrictions
ComponentReverseTunnelAgent = "proxy:agent"
// ComponentLabel is a component label name used in reporting
ComponentLabel = "component"
// ComponentProxyKube is a kubernetes proxy
ComponentProxyKube = "proxy:kube"
// ComponentAuth is the cluster CA node (auth server API)
ComponentAuth = "auth"
// ComponentGRPC is gRPC server
ComponentGRPC = "grpc"
// ComponentMigrate is responsible for data migrations
ComponentMigrate = "migrate"
// ComponentNode is SSH node (SSH server serving requests)
ComponentNode = "node"
// ComponentForwardingNode is SSH node (SSH server serving requests)
ComponentForwardingNode = "node:forward"
// ComponentProxy is SSH proxy (SSH server forwarding connections)
ComponentProxy = "proxy"
// ComponentProxyPeer is the proxy peering component of the proxy service
ComponentProxyPeer = "proxy:peer"
// ComponentApp is the application proxy service.
ComponentApp = "app:service"
// ComponentDatabase is the database proxy service.
ComponentDatabase = "db:service"
// ComponentDiscovery is the Discovery service.
ComponentDiscovery = "discovery:service"
// ComponentAppProxy is the application handler within the web proxy service.
ComponentAppProxy = "app:web"
// ComponentWebProxy is the web handler within the web proxy service.
ComponentWebProxy = "web"
// ComponentDiagnostic is a diagnostic service
ComponentDiagnostic = "diag"
// ComponentDebug is the debug service, which exposes debugging
// configuration over a Unix socket.
ComponentDebug = "debug"
// ComponentClient is a client
ComponentClient = "client"
// ComponentTunClient is a tunnel client
ComponentTunClient = "client:tunnel"
// ComponentCache is a cache component
ComponentCache = "cache"
// ComponentBackend is a backend component
ComponentBackend = "backend"
// ComponentSubsystemProxy is the proxy subsystem.
ComponentSubsystemProxy = "subsystem:proxy"
// ComponentSubsystemSFTP is the SFTP subsystem.
ComponentSubsystemSFTP = "subsystem:sftp"
// ComponentLocalTerm is a terminal on a regular SSH node.
ComponentLocalTerm = "term:local"
// ComponentRemoteTerm is a terminal on a forwarding SSH node.
ComponentRemoteTerm = "term:remote"
// ComponentRemoteSubsystem is subsystem on a forwarding SSH node.
ComponentRemoteSubsystem = "subsystem:remote"
// ComponentAuditLog is audit log component
ComponentAuditLog = "audit"
// ComponentKeyAgent is an agent that has loaded the sessions keys and
// certificates for a user connected to a proxy.
ComponentKeyAgent = "keyagent"
// ComponentKeyStore is all sessions keys and certificates a user has on disk
// for all proxies.
ComponentKeyStore = "keystore"
// ComponentConnectProxy is the HTTP CONNECT proxy used to tunnel connection.
ComponentConnectProxy = "http:proxy"
// ComponentSOCKS is a SOCKS5 proxy.
ComponentSOCKS = "socks"
// ComponentKeyGen is the public/private keypair generator.
ComponentKeyGen = "keygen"
// ComponentFirestore represents firestore clients
ComponentFirestore = "firestore"
// ComponentSession is an active session.
ComponentSession = "session"
// ComponentHostUsers represents host user management.
ComponentHostUsers = "hostusers"
// ComponentDynamoDB represents dynamodb clients
ComponentDynamoDB = "dynamodb"
// Component pluggable authentication module (PAM)
ComponentPAM = "pam"
// ComponentUpload is a session recording upload server
ComponentUpload = "upload"
// ComponentWeb is a web server
ComponentWeb = "web"
// ComponentUnifiedResource is a cache of resources meant to be listed and displayed
// together in the web UI
ComponentUnifiedResource = "unified_resource"
// ComponentWebsocket is websocket server that the web client connects to.
ComponentWebsocket = "websocket"
// ComponentRBAC is role-based access control.
ComponentRBAC = "rbac"
// ComponentKeepAlive is keep-alive messages sent from clients to servers
// and vice versa.
ComponentKeepAlive = "keepalive"
// ComponentTeleport is the "teleport" binary.
ComponentTeleport = "teleport"
// ComponentTSH is the "tsh" binary.
ComponentTSH = "tsh"
// ComponentTCTL is the "tctl" binary.
ComponentTCTL = "tctl"
// ComponentTBot is the "tbot" binary
ComponentTBot = "tbot"
// ComponentKubeClient is the Kubernetes client.
ComponentKubeClient = "client:kube"
// ComponentBuffer is in-memory event circular buffer
// used to broadcast events to subscribers.
ComponentBuffer = "buffer"
// ComponentBPF is the eBPF packagae.
ComponentBPF = "bpf"
// ComponentCgroup is the cgroup package.
ComponentCgroup = "cgroups"
// ComponentKube is an Kubernetes API gateway.
ComponentKube = "kubernetes"
// ComponentSAML is a SAML service provider.
ComponentSAML = "saml"
// ComponentMetrics is a metrics server
ComponentMetrics = "metrics"
// ComponentWindowsDesktop is a Windows desktop access server.
ComponentWindowsDesktop = "windows_desktop"
// ComponentTracing is a tracing exporter
ComponentTracing = "tracing"
// ComponentInstance is an abstract component common to all services.
ComponentInstance = "instance"
// ComponentVersionControl is the component common to all version control operations.
ComponentVersionControl = "version-control"
// ComponentUsageReporting is the component responsible for reporting usage metrics.
ComponentUsageReporting = "usage-reporting"
// ComponentAthena represents athena clients.
ComponentAthena = "athena"
// ComponentProxySecureGRPC represents a secure gRPC server running on Proxy (used for Kube).
ComponentProxySecureGRPC = "proxy:secure-grpc"
// ComponentUpdater represents the teleport-update binary.
ComponentUpdater = "updater"
// VerboseLogsEnvVar forces all logs to be verbose (down to DEBUG level)
VerboseLogsEnvVar = "TELEPORT_DEBUG"
// IterationsEnvVar sets tests iterations to run
IterationsEnvVar = "ITERATIONS"
// DefaultTerminalWidth defines the default width of a server-side allocated
// pseudo TTY
DefaultTerminalWidth = 80
// DefaultTerminalHeight defines the default height of a server-side allocated
// pseudo TTY
DefaultTerminalHeight = 25
// SafeTerminalType is the fall-back TTY type to fall back to (when $TERM
// is not defined)
SafeTerminalType = "xterm"
// DataDirParameterName is the name of the data dir configuration parameter passed
// to all backends during initialization
DataDirParameterName = "data_dir"
// KeepAliveReqType is a SSH request type to keep the connection alive. A client and
// a server keep pinging each other with it.
KeepAliveReqType = "[email protected]"
// ClusterDetailsReqType is the name of a global request which returns cluster details like
// if the proxy is recording sessions or not and if FIPS is enabled.
ClusterDetailsReqType = "[email protected]"
// JSON means JSON serialization format
JSON = "json"
// YAML means YAML serialization format
YAML = "yaml"
// Text means text serialization format
Text = "text"
// PTY is a raw PTY session capture format
PTY = "pty"
// Names is for formatting node names in plain text
Names = "names"
// LinuxAdminGID is the ID of the standard adm group on linux
LinuxAdminGID = 4
// DirMaskSharedGroup is the mask for a directory accessible
// by the owner and group
DirMaskSharedGroup = 0o770
// FileMaskOwnerOnly is the file mask that allows read write access
// to owers only
FileMaskOwnerOnly = 0o600
// On means mode is on
On = "on"
// Off means mode is off
Off = "off"
// GCSTestURI turns on GCS tests
GCSTestURI = "TEST_GCS_URI"
// AZBlobTestURI specifies the storage account URL to use for Azure Blob
// Storage tests.
AZBlobTestURI = "TEST_AZBLOB_URI"
// AWSRunTests turns on tests executed against AWS directly
AWSRunTests = "TEST_AWS"
// AWSRunDBTests turns on tests executed against AWS databases directly.
AWSRunDBTests = "TEST_AWS_DB"
// Region is AWS region parameter
Region = "region"
// Endpoint is an optional Host for non-AWS S3
Endpoint = "endpoint"
// Insecure is an optional switch to use HTTP instead of HTTPS
Insecure = "insecure"
// DisableServerSideEncryption is an optional switch to opt out of SSE in case the provider does not support it
DisableServerSideEncryption = "disablesse"
// ACL is the canned ACL to send to S3
ACL = "acl"
// SSEKMSKey is an optional switch to use an KMS CMK key for S3 SSE.
SSEKMSKey = "sse_kms_key"
// SchemeFile configures local disk-based file storage for audit events
SchemeFile = "file"
// SchemeStdout outputs audit log entries to stdout
SchemeStdout = "stdout"
// SchemeS3 is used for S3-like object storage
SchemeS3 = "s3"
// SchemeGCS is used for Google Cloud Storage
SchemeGCS = "gs"
// SchemeAZBlob is the Azure Blob Storage scheme, used as the scheme in the
// session storage URI to identify a storage account accessed over https.
SchemeAZBlob = "azblob"
// SchemeAZBlobHTTP is the Azure Blob Storage scheme, used as the scheme in the
// session storage URI to identify a storage account accessed over http.
SchemeAZBlobHTTP = "azblob-http"
// LogsDir is a log subdirectory for events and logs
LogsDir = "log"
// Syslog is a mode for syslog logging
Syslog = "syslog"
// DebugLevel is a debug logging level name
DebugLevel = "debug"
// MinimumEtcdVersion is the minimum version of etcd supported by Teleport
MinimumEtcdVersion = "3.3.0"
// EnvVarAllowNoSecondFactor is used to allow disabling second factor auth
// todo(tross): DELETE WHEN ABLE TO
EnvVarAllowNoSecondFactor = "TELEPORT_ALLOW_NO_SECOND_FACTOR"
)
const (
// These values are from https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
// OIDCPromptSelectAccount instructs the Authorization Server to
// prompt the End-User to select a user account.
OIDCPromptSelectAccount = "select_account"
// OIDCAccessTypeOnline indicates that OIDC flow should be performed
// with Authorization server and user connected online
OIDCAccessTypeOnline = "online"
)
// Component generates "component:subcomponent1:subcomponent2" strings used
// in debugging
func Component(components ...string) string {
return strings.Join(components, ":")
}
const (
// AuthorizedKeys are public keys that check against User CAs.
AuthorizedKeys = "authorized_keys"
// KnownHosts are public keys that check against Host CAs.
KnownHosts = "known_hosts"
)
const (
// CertExtensionPermitX11Forwarding allows X11 forwarding for certificate
CertExtensionPermitX11Forwarding = "permit-X11-forwarding"
// CertExtensionPermitAgentForwarding allows agent forwarding for certificate
CertExtensionPermitAgentForwarding = "permit-agent-forwarding"
// CertExtensionPermitPTY allows user to request PTY
CertExtensionPermitPTY = "permit-pty"
// CertExtensionPermitPortForwarding allows user to request port forwarding
CertExtensionPermitPortForwarding = "permit-port-forwarding"
// CertExtensionTeleportRoles is used to propagate teleport roles
CertExtensionTeleportRoles = "teleport-roles"
// CertExtensionTeleportRouteToCluster is used to encode
// the target cluster to route to in the certificate
CertExtensionTeleportRouteToCluster = "teleport-route-to-cluster"
// CertExtensionTeleportTraits is used to propagate traits about the user.
CertExtensionTeleportTraits = "teleport-traits"
// CertExtensionTeleportActiveRequests is used to track which privilege
// escalation requests were used to construct the certificate.
CertExtensionTeleportActiveRequests = "teleport-active-requests"
// CertExtensionMFAVerified is used to mark certificates issued after an MFA
// check.
CertExtensionMFAVerified = "mfa-verified"
// CertExtensionPreviousIdentityExpires is the extension that stores an RFC3339
// timestamp representing the expiry time of the identity/cert that this
// identity/cert was derived from. It is used to determine a session's hard
// deadline in cases where both require_session_mfa and disconnect_expired_cert
// are enabled. See https://github.com/gravitational/teleport/issues/18544.
CertExtensionPreviousIdentityExpires = "prev-identity-expires"
// CertExtensionLoginIP is used to embed the IP of the client that created
// the certificate.
CertExtensionLoginIP = "login-ip"
// CertExtensionImpersonator is set when one user has requested certificates
// for another user
CertExtensionImpersonator = "impersonator"
// CertExtensionDisallowReissue is set when a certificate should not be allowed
// to request future certificates.
CertExtensionDisallowReissue = "disallow-reissue"
// CertExtensionRenewable is a flag to indicate the certificate may be
// renewed.
CertExtensionRenewable = "renewable"
// CertExtensionGeneration counts the number of times a certificate has
// been renewed.
CertExtensionGeneration = "generation"
// CertExtensionAllowedResources lists the resources which this certificate
// should be allowed to access
CertExtensionAllowedResources = "teleport-allowed-resources"
// CertExtensionConnectionDiagnosticID contains the ID of the ConnectionDiagnostic.
// The Node/Agent will append connection traces to this diagnostic instance.
CertExtensionConnectionDiagnosticID = "teleport-connection-diagnostic-id"
// CertExtensionPrivateKeyPolicy is used to mark certificates with their supported
// private key policy.
CertExtensionPrivateKeyPolicy = "private-key-policy"
// CertExtensionDeviceID is the trusted device identifier.
CertExtensionDeviceID = "teleport-device-id"
// CertExtensionDeviceAssetTag is the device inventory identifier.
CertExtensionDeviceAssetTag = "teleport-device-asset-tag"
// CertExtensionDeviceCredentialID is the identifier for the credential used
// by the device to authenticate itself.
CertExtensionDeviceCredentialID = "teleport-device-credential-id"
// CertExtensionBotName indicates the name of the Machine ID bot this
// certificate was issued to, if any.
CertExtensionBotName = "[email protected]"
// CertExtensionBotInstanceID indicates the unique identifier of this
// Machine ID bot instance, if any. This identifier is persisted through
// certificate renewals.
CertExtensionBotInstanceID = "[email protected]"
// CertCriticalOptionSourceAddress is a critical option that defines IP addresses (in CIDR notation)
// from which this certificate is accepted for authentication.
// See: https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD.
CertCriticalOptionSourceAddress = "source-address"
// CertExtensionGitHubUserID indicates the GitHub user ID identified by the
// GitHub connector.
CertExtensionGitHubUserID = "[email protected]"
// CertExtensionGitHubUsername indicates the GitHub username identified by
// the GitHub connector.
CertExtensionGitHubUsername = "[email protected]"
)
// Note: when adding new providers to this list, consider updating the help message for --provider flag
// for `tctl sso configure oidc` and `tctl sso configure saml` commands
// as well as docs at https://goteleport.com/docs/enterprise/sso/#provider-specific-workarounds
const (
// NetIQ is an identity provider.
NetIQ = "netiq"
// ADFS is Microsoft Active Directory Federation Services
ADFS = "adfs"
// Ping is the common backend for all Ping Identity-branded identity
// providers (including PingOne, PingFederate, etc).
Ping = "ping"
// Okta should be used for Okta OIDC providers.
Okta = "okta"
// JumpCloud is an identity provider.
JumpCloud = "jumpcloud"
)
const (
// RemoteCommandSuccess is returned when a command has successfully executed.
RemoteCommandSuccess = 0
// RemoteCommandFailure is returned when a command has failed to execute and
// we don't have another status code for it.
RemoteCommandFailure = 255
// HomeDirNotFound is returned when a the "teleport checkhomedir" command cannot
// find the user's home directory.
HomeDirNotFound = 254
// HomeDirNotAccessible is returned when a the "teleport checkhomedir" command has
// found the user's home directory, but the user does NOT have permissions to
// access it.
HomeDirNotAccessible = 253
)
// MaxEnvironmentFileLines is the maximum number of lines in a environment file.
const MaxEnvironmentFileLines = 1000
// MaxResourceSize is the maximum size (in bytes) of a serialized resource. This limit is
// typically only enforced against resources that are likely to arbitrarily grow (e.g. PluginData).
const MaxResourceSize = 1000000
// MaxHTTPRequestSize is the maximum accepted size (in bytes) of the body of
// a received HTTP request. This limit is meant to be used with utils.ReadAtMost
// to prevent resource exhaustion attacks.
const MaxHTTPRequestSize = 10 * 1024 * 1024
// MaxHTTPResponseSize is the maximum accepted size (in bytes) of the body of
// a received HTTP response. This limit is meant to be used with utils.ReadAtMost
// to prevent resource exhaustion attacks.
const MaxHTTPResponseSize = 10 * 1024 * 1024
const (
// CertificateFormatOldSSH is used to make Teleport interoperate with older
// versions of OpenSSH.
CertificateFormatOldSSH = "oldssh"
// CertificateFormatUnspecified is used to check if the format was specified
// or not.
CertificateFormatUnspecified = ""
)
const (
// TraitInternalPrefix is the role variable prefix that indicates it's for
// local accounts.
TraitInternalPrefix = "internal"
// TraitExternalPrefix is the role variable prefix that indicates the data comes from an external identity provider.
TraitExternalPrefix = "external"
// TraitTeams is the name of the role variable use to store team
// membership information
TraitTeams = "github_teams"
// TraitInternalLoginsVariable is the variable used to store allowed
// logins for local accounts.
TraitInternalLoginsVariable = "{{internal.logins}}"
// TraitInternalWindowsLoginsVariable is the variable used to store
// allowed Windows Desktop logins for local accounts.
TraitInternalWindowsLoginsVariable = "{{internal.windows_logins}}"
// TraitInternalKubeGroupsVariable is the variable used to store allowed
// kubernetes groups for local accounts.
TraitInternalKubeGroupsVariable = "{{internal.kubernetes_groups}}"
// TraitInternalKubeUsersVariable is the variable used to store allowed
// kubernetes users for local accounts.
TraitInternalKubeUsersVariable = "{{internal.kubernetes_users}}"
// TraitInternalDBNamesVariable is the variable used to store allowed
// database names for local accounts.
TraitInternalDBNamesVariable = "{{internal.db_names}}"
// TraitInternalDBUsersVariable is the variable used to store allowed
// database users for local accounts.
TraitInternalDBUsersVariable = "{{internal.db_users}}"
// TraitInternalDBRolesVariable is the variable used to store allowed
// database roles for automatic database user provisioning.
TraitInternalDBRolesVariable = "{{internal.db_roles}}"
// TraitInternalAWSRoleARNs is the variable used to store allowed AWS
// role ARNs for local accounts.
TraitInternalAWSRoleARNs = "{{internal.aws_role_arns}}"
// TraitInternalAzureIdentities is the variable used to store allowed
// Azure identities for local accounts.
TraitInternalAzureIdentities = "{{internal.azure_identities}}"
// TraitInternalGCPServiceAccounts is the variable used to store allowed
// GCP service accounts for local accounts.
TraitInternalGCPServiceAccounts = "{{internal.gcp_service_accounts}}"
// TraitInternalJWTVariable is the variable used to store JWT token for
// app sessions.
TraitInternalJWTVariable = "{{internal.jwt}}"
)
// SCP is Secure Copy.
const SCP = "scp"
// AdminRoleName is the name of the default admin role for all local users if
// another role is not explicitly assigned
const AdminRoleName = "admin"
const (
// PresetEditorRoleName is a name of a preset role that allows
// editing cluster configuration.
PresetEditorRoleName = "editor"
// PresetAccessRoleName is a name of a preset role that allows
// accessing cluster resources.
PresetAccessRoleName = "access"
// PresetAuditorRoleName is a name of a preset role that allows
// reading cluster events and playing back session records.
PresetAuditorRoleName = "auditor"
// PresetReviewerRoleName is a name of a preset role that allows
// for reviewing access requests.
PresetReviewerRoleName = "reviewer"
// PresetRequesterRoleName is a name of a preset role that allows
// for requesting access to resources.
PresetRequesterRoleName = "requester"
// PresetGroupAccessRoleName is a name of a preset role that allows
// access to all user groups.
PresetGroupAccessRoleName = "group-access"
// PresetDeviceAdminRoleName is the name of the "device-admin" role.
// The role is used to administer trusted devices.
PresetDeviceAdminRoleName = "device-admin"
// PresetDeviceEnrollRoleName is the name of the "device-enroll" role.
// The role is used to grant device enrollment powers to users.
PresetDeviceEnrollRoleName = "device-enroll"
// PresetRequireTrustedDeviceRoleName is the name of the
// "require-trusted-device" role.
// The role is used as a basis for requiring trusted device access to
// resources.
PresetRequireTrustedDeviceRoleName = "require-trusted-device"
// PresetTerraformProviderRoleName is a name of a default role that allows the Terraform provider
// to configure all its supported Teleport resources.
PresetTerraformProviderRoleName = "terraform-provider"
// SystemAutomaticAccessApprovalRoleName names a preset role that may
// automatically approve any Role Access Request
SystemAutomaticAccessApprovalRoleName = "@teleport-access-approver"
// ConnectMyComputerRoleNamePrefix is the prefix used for roles prepared for individual users
// during the setup of Connect My Computer. The prefix is followed by the name of the cluster
// user. See teleterm.connectmycomputer.RoleSetup.
ConnectMyComputerRoleNamePrefix = "connect-my-computer-"
// SystemOktaRequesterRoleName is a name of a system role that allows
// for requesting access to Okta resources. This differs from the requester role
// in that it allows for requesting longer lived access.
SystemOktaRequesterRoleName = "okta-requester"
// SystemOktaAccessRoleName is the name of the system role that allows
// access to Okta resources. This will be used by the Okta requester role to
// search for Okta resources.
SystemOktaAccessRoleName = "okta-access"
// SystemIdentityCenterAccessRoleName specifies the name of a system role
// that grants a user access to AWS Identity Center resources via
// Access Requests.
SystemIdentityCenterAccessRoleName = "aws-ic-access"
)
var PresetRoles = []string{PresetEditorRoleName, PresetAccessRoleName, PresetAuditorRoleName}
const (
// SystemAccessApproverUserName names a Teleport user that acts as
// an Access Request approver for access plugins
SystemAccessApproverUserName = "@teleport-access-approval-bot"
)
const (
// RemoteClusterStatusOffline indicates that cluster is considered as
// offline, since it has missed a series of heartbeats
RemoteClusterStatusOffline = "offline"
// RemoteClusterStatusOnline indicates that cluster is sending heartbeats
// at expected interval
RemoteClusterStatusOnline = "online"
)
const (
// SharedDirMode is a mode for a directory shared with group
SharedDirMode = 0o750
// PrivateDirMode is a mode for private directories
PrivateDirMode = 0o700
)
const (
// SessionEvent is sent by servers to clients when an audit event occurs on
// the session.
SessionEvent = "x-teleport-event"
// VersionRequest is sent by clients to server requesting the Teleport
// version they are running.
VersionRequest = "x-teleport-version"
// CurrentSessionIDRequest is sent by servers to inform clients of
// the session ID that is being used.
CurrentSessionIDRequest = "[email protected]"
// SessionIDQueryRequest is sent by clients to ask servers if they
// will generate their own session ID when a new session is created.
SessionIDQueryRequest = "[email protected]"
// ForceTerminateRequest is an SSH request to forcefully terminate a session.
ForceTerminateRequest = "x-teleport-force-terminate"
// TerminalSizeRequest is a request for the terminal size of the session.
TerminalSizeRequest = "x-teleport-terminal-size"
// TCPIPForwardRequest is an SSH request for the server to open a listener
// for port forwarding.
TCPIPForwardRequest = "tcpip-forward"
// CancelTCPIPForwardRequest is an SSHRequest to cancel a previous
// TCPIPForwardRequest.
CancelTCPIPForwardRequest = "cancel-tcpip-forward"
// MFAPresenceRequest is an SSH request to notify clients that MFA presence is required for a session.
MFAPresenceRequest = "x-teleport-mfa-presence"
// EnvSSHJoinMode is the SSH environment variable that contains the requested participant mode.
EnvSSHJoinMode = "TELEPORT_SSH_JOIN_MODE"
// EnvSSHSessionReason is a reason attached to started sessions meant to describe their intent.
EnvSSHSessionReason = "TELEPORT_SESSION_REASON"
// EnvSSHSessionInvited is an environment variable listing people invited to a session.
EnvSSHSessionInvited = "TELEPORT_SESSION_INVITED_USERS"
// EnvSSHSessionDisplayParticipantRequirements is set to true or false to indicate if participant
// requirement information should be printed.
EnvSSHSessionDisplayParticipantRequirements = "TELEPORT_SESSION_PARTICIPANT_REQUIREMENTS"
// SSHSessionJoinPrincipal is the SSH principal used when joining sessions.
// This starts with a hyphen so it isn't a valid unix login.
SSHSessionJoinPrincipal = "-teleport-internal-join"
)
const (
// EnvKubeConfig is environment variable for kubeconfig
EnvKubeConfig = "KUBECONFIG"
// KubeConfigDir is a default directory where k8s stores its user local config
KubeConfigDir = ".kube"
// KubeConfigFile is a default filename where k8s stores its user local config
KubeConfigFile = "config"
// KubeRunTests turns on kubernetes tests
KubeRunTests = "TEST_KUBE"
// KubeSystemAuthenticated is a builtin group that allows
// any user to access common API methods, e.g. discovery methods
// required for initial client usage
KubeSystemAuthenticated = "system:authenticated"
// UsageKubeOnly specifies certificate usage metadata
// that limits certificate to be only used for kubernetes proxying
UsageKubeOnly = "usage:kube"
// UsageAppOnly specifies a certificate metadata that only allows it to be
// used for proxying applications.
UsageAppsOnly = "usage:apps"
// UsageDatabaseOnly specifies certificate usage metadata that only allows
// it to be used for proxying database connections.
UsageDatabaseOnly = "usage:db"
// UsageWindowsDesktopOnly specifies certificate usage metadata that limits
// certificate to be only used for Windows desktop access
UsageWindowsDesktopOnly = "usage:windows_desktop"
)
const (
// NodeIsAmbiguous serves as an identifying error string indicating that
// the proxy subsystem found multiple nodes matching the specified hostname.
NodeIsAmbiguous = "err-node-is-ambiguous"
// MaxLeases serves as an identifying error string indicating that the
// semaphore system is rejecting an acquisition attempt due to max
// leases having already been reached.
MaxLeases = "err-max-leases"
)
const (
// OpenBrowserLinux is the command used to open a web browser on Linux.
OpenBrowserLinux = "xdg-open"
// OpenBrowserDarwin is the command used to open a web browser on macOS/Darwin.
OpenBrowserDarwin = "open"
// OpenBrowserWindows is the command used to open a web browser on Windows.
OpenBrowserWindows = "rundll32.exe"
// BrowserNone is the string used to suppress the opening of a browser in
// response to 'tsh login' commands.
BrowserNone = "none"
)
const (
// ExecSubCommand is the sub-command Teleport uses to re-exec itself for
// command execution (exec and shells).
ExecSubCommand = "exec"
// NetworkingSubCommand is the sub-command Teleport uses to re-exec itself
// for networking operations. e.g. local/remote port forwarding, agent forwarding,
// or x11 forwarding.
NetworkingSubCommand = "networking"
// CheckHomeDirSubCommand is the sub-command Teleport uses to re-exec itself
// to check if the user's home directory exists.
CheckHomeDirSubCommand = "checkhomedir"
// ParkSubCommand is the sub-command Teleport uses to re-exec itself as a
// specific UID to prevent the matching user from being deleted before
// spawning the intended child process.
ParkSubCommand = "park"
// SFTPSubCommand is the sub-command Teleport uses to re-exec itself to
// handle SFTP connections.
SFTPSubCommand = "sftp"
// WaitSubCommand is the sub-command Teleport uses to wait
// until a domain name stops resolving. Its main use is to ensure no
// auth instances are still running the previous major version.
WaitSubCommand = "wait"
// VnetAdminSetupSubCommand is the sub-command tsh vnet uses to perform
// a setup as a privileged user.
VnetAdminSetupSubCommand = "vnet-admin-setup"
)
const (
// ChanDirectTCPIP is an SSH channel of type "direct-tcpip".
ChanDirectTCPIP = "direct-tcpip"
// ChanForwardedTCPIP is an SSH channel of type "forwarded-tcpip".
ChanForwardedTCPIP = "forwarded-tcpip"
// ChanSession is an SSH channel of type "session".
ChanSession = "session"
)
const (
// GetHomeDirSubsystem is an SSH subsystem request that Teleport
// uses to get the home directory of a remote user.
GetHomeDirSubsystem = "gethomedir"
// SFTPSubsystem is the SFTP SSH subsystem.
SFTPSubsystem = "sftp"
)
// A principal name for use in SSH certificates.
type Principal string
const (
// The localhost domain, for talking to a proxy or node on the same
// machine.
PrincipalLocalhost Principal = "localhost"
// The IPv4 loopback address, for talking to a proxy or node on the same
// machine.
PrincipalLoopbackV4 Principal = "127.0.0.1"
// The IPv6 loopback address, for talking to a proxy or node on the same
// machine.
PrincipalLoopbackV6 Principal = "::1"
)
// UserSystem defines a user as system.
const UserSystem = "system"
const (
// internal application being proxied.
AppJWTHeader = "teleport-jwt-assertion"
// HostHeader is the name of the Host header.
HostHeader = "Host"
)
// UserSingleUseCertTTL is a TTL for per-connection user certificates.
const UserSingleUseCertTTL = time.Minute
// StandardHTTPSPort is the default port used for the https URI scheme,
// cf. RFC 7230 § 2.7.2.
const StandardHTTPSPort = 443
const (
// KubeSessionDisplayParticipantRequirementsQueryParam is the query parameter used to
// indicate that the client wants to display the participant requirements
// for the given session.
KubeSessionDisplayParticipantRequirementsQueryParam = "displayParticipantRequirements"
// KubeSessionReasonQueryParam is the query parameter used to indicate the reason
// for the session request.
KubeSessionReasonQueryParam = "reason"
// KubeSessionInvitedQueryParam is the query parameter used to indicate the users
// to invite to the session.
KubeSessionInvitedQueryParam = "invite"
)
const (
// KubeLegacyProxySuffix is the suffix used for legacy proxy services when
// generating their names Server names.
KubeLegacyProxySuffix = "-proxy_service"
)
const (
// DebugServiceSocketName represents the Unix domain socket name of the
// debug service.
DebugServiceSocketName = "debug.sock"
)
const (
// OktaAccessRoleContext is the context used to name Okta Access role created by Okta access list sync
OktaAccessRoleContext = "access-okta-acl-role"
// OktaReviewerRoleContext is the context used to name Okta Reviewer role created by Okta Access List sync
OktaReviewerRoleContext = "reviewer-okta-acl-role"
)