You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Predicate will not embed linux principals in the login list anymore, because it's not always possible to evaluate beforehand. Not all information is available, at the time the cert is issued. For example node labels could change, and change the list of principals allowed for the node.
This is not a problem for Teleport's SSH nodes. This is a problem for OpenSSH that needs to see the list of principals in the cert.
For OpenSSH compatibility Teleport can terminate SSH (just like it's doing now) and instead of forwarding agent, re-issue a cert for each connection (just like it's doing for K8s).
Push this implementation for end of Q1 in 2023.
The text was updated successfully, but these errors were encountered:
Predicate will not embed linux principals in the login list anymore, because it's not always possible to evaluate beforehand. Not all information is available, at the time the cert is issued. For example node labels could change, and change the list of principals allowed for the node.
This is not a problem for Teleport's SSH nodes. This is a problem for OpenSSH that needs to see the list of principals in the cert.
For OpenSSH compatibility Teleport can terminate SSH (just like it's doing now) and instead of forwarding agent, re-issue a cert for each connection (just like it's doing for K8s).
Push this implementation for end of Q1 in 2023.
The text was updated successfully, but these errors were encountered: