nklaassen

Fixes #60245

This PR fixes a bug where SSH host certificates are currently missing the <hostname>.<clustername> principal, which breaks SSH access via OpenSSH and other third-party SSH clients.

This PR makes sure the nodename is correctly sent in process.firstTimeConnectIdentityRemote. Where it currently passes instanceIdentity.ID.NodeName, it is always the empty string: identity IDs have no NodeName set when they are read from storage. The fix is to use process.Config.Hostname instead. lib/service.(*TeleportProcess).reRegister already does the same thing (passes process.Config.Hostname instead of the existing identity.ID.NodeName).

I also updated the logic in lib/service.(*TeleportProcess).rotate so that existing host certificates on nodes running affected versions will be automatically repaired when the node is upgraded to a version with the fix.

Changelog: fixes a bug where SSH host certificates are missing the <hostname>.<clustername> principal, breaking SSH access via third-party clients
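
An added example (not from this PR or from Teleport's code base): a standard-library-only Go check that walks a decoded OpenSSH host certificate blob and reports whether a given <hostname>.<clustername> principal is listed. The hostname node1, the cluster name example-cluster and the sample certificate bytes are constructed for illustration, and only ed25519 and RSA certificate types are handled.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

var keyFields = map[string]int{"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-rsa-cert-v01@openssh.com": 2} // public-key field count per cert type

// field splits one uint32 length-prefixed field off b; ok is false when b is truncated.
func field(b []byte) (f, rest []byte, ok bool) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, false
	}
	end := 4 + int(binary.BigEndian.Uint32(b))
	return b[4:end], b[end:], true
}

// hasPrincipal reports whether a decoded host cert lists want; ok is false if the blob cannot be parsed as one.
func hasPrincipal(blob []byte, want string) (found, ok bool) {
	typ, rest, ok := field(blob)
	n, known := keyFields[string(typ)]
	for i := 0; ok && i <= n; i++ { // skip the nonce, then the public-key fields
		_, rest, ok = field(rest)
	}
	if !ok || !known || len(rest) < 12 || binary.BigEndian.Uint32(rest[8:]) != 2 {
		return false, false // truncated, unknown key type, or not a host cert (type 2)
	}
	_, rest, _ = field(rest[12:]) // skip serial (8 bytes) and cert type (4), then the key id
	packed, _, ok := field(rest)
	for ok && len(packed) > 0 {
		var p []byte
		p, packed, ok = field(packed)
		found = found || string(p) == want
	}
	return found && ok, ok
}

// str length-prefixes one field for the constructed sample below.
func str(s string) string { return string(binary.BigEndian.AppendUint32(nil, uint32(len(s)))) + s }

// sampleCert builds a CONSTRUCTED ed25519 host-cert prefix (dummy key, no signature).
func sampleCert(principals string) []byte {
	return []byte(str("ssh-ed25519-cert-v01@openssh.com") + str("nonce") + str("dummy-key") +
		"\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02" + str("key-id") + str(principals))
}

func main() {
	fmt.Println(hasPrincipal(sampleCert(str("node1")+str("localhost")), "node1.example-cluster"))
}
```

For a real certificate, base64-decode the second field of the host's certificate line and pass the resulting bytes to hasPrincipal.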


Thank you for extending the tests to cover this 🚀

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from tcsc October 15, 2025 08:56
@nklaassen nklaassen added this pull request to the merge queue Oct 15, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Oct 15, 2025
@nklaassen nklaassen added this pull request to the merge queue Oct 15, 2025
Merged via the queue into master with commit 7ffa26d Oct 15, 2025
43 checks passed
@nklaassen nklaassen deleted the nklaassen/fix-hostname-principal branch October 15, 2025 16:50
@backport-bot-workflows

@nklaassen See the table below for backport results.

Branch Result
branch/v18 Create PR


Development

Successfully merging this pull request may close these issues.

SSH host certificates missing <hostname>.<clustername> principal
