Merge remote-tracking branch 'origin/master' into alexey/logs

mckellyln · May 9, 2016 · 54f5774 · 54f5774
2 parents 7b44ea6 + b995d60
commit 54f5774
Show file tree

Hide file tree

Showing 7 changed files with 87 additions and 13 deletions.
diff --git a/docs/admin-guide.md b/docs/admin-guide.md
@@ -447,6 +447,81 @@ configuring OpenSSH client to work with Teleport Proxy:
 scp_if_ssh = True
 ```
 
+## Authentication with OpenID Connect / OAuth2
+
+Teleport supports [OpenID Connect](http://openid.net/connect/) (also known as `OIDC`) to 
+provide external authentication using OpenID providers like Google Apps.
+
+### Using OpenID Connect / OAuth2 with Google Apps
+
+First, you must configure OpenID Connect credentials via Google's Developers Center. Please refer 
+to [this guide](https://developers.google.com/identity/protocols/OpenIDConnect) to configure an 
+OIDC integration with applications like Teleport. 
+
+* Create Teleport Project that will identify your installation:
+
+![Create project](img/oidc-create-project.png)
+
+* Set up consent screen:
+
+![Create project](img/oidc-consent.png)
+
+* Create "Web application" client ID:
+
+![Client ID](img/oidc-create-client-id.png)
+
+* Get OAuth 2.0 client credentials:
+
+![Client Creds](img/oidc-copy-creds.png)
+
+* Add OIDC connector to teleport config:
+
+```
+auth_service:
+  enabled: true
+  domain_name: localhost
+  oidc_connectors:    
+    - id: google
+      redirect_url: https://localhost:3080/v1/webapi/oidc/callback
+      client_id: id-from-google.apps.googleusercontent.com
+      client_secret: secret-key-from-google
+      issuer_url: https://accounts.google.com
+```
+
+Now you should be able to create Teleport users whose identity is managed by Google.
+Assuming your company domain is `example.com` and it's hosted on Google Apps, lets
+create a new Teleport user "sasha" with an email address `[email protected]` and allow
+him to login as `root` to Teleport nodes:
+
+```
+tctl users add sasha root,sasha --identity google:[email protected]
+```
+
+### Logging in via OpenID Connect
+
+**Web UI**
+
+Now, if everything is set up correctly, you will see "Login with Google" button on the login screen:
+
+![OIDC Login](img/oidc-login.png)
+
+**CLI**
+
+You have to tell `tsh` to authenticate via Google by providing an `--auth` flag: 
+
+```
+tsh --proxy <proxy-addr> ssh --auth=google <server-addr>
+```
+
+... you should get a browser open a login window for you, where you will have to enter
+your Google credentials. Teleport will keep you logged in for the next 23 hours.
+
+!!! tip "Other Providers?": 
+    We have already received the requests to add support for other OpenID/OAuth2 providers 
+    like Github. Teleport is an open source project and adding proivders is not hard, your 
+    contributions are welcome, just search the code for OIDC! :-)
+
+
 ## High Availability and Clustering
 
 Teleport uses etcd backend to achieve highly available deployments. 
@@ -490,7 +565,7 @@ You can simply remove the file so that the configuration file's values can take
 
 To diagnose problems you can configure `teleport` to run with verbose logging enabled.
 
-!!! warning "IMPORTANT": 
+!!! note "IMPORTANT": 
     It is not recommended to run Teleport in production with verbose logging
     as it generates substantial amount of data.
 

diff --git a/docs/img/oidc-consent.png b/docs/img/oidc-consent.png
diff --git a/docs/img/oidc-copy-creds.png b/docs/img/oidc-copy-creds.png
diff --git a/docs/img/oidc-create-client-id.png b/docs/img/oidc-create-client-id.png
diff --git a/docs/img/oidc-create-project.png b/docs/img/oidc-create-project.png
diff --git a/docs/img/oidc-login.png b/docs/img/oidc-login.png
diff --git a/lib/srv/sess.go b/lib/srv/sess.go
@@ -322,7 +322,6 @@ func newSession(id rsession.ID, r *sessionRegistry, context *ctx) (*session, err
 		login:     context.login,
 		closeC:    make(chan bool),
 		lingerTTL: defaults.SessionLingerTTL,
-		termSizeC: make(chan []byte, 2),
 	}
 	return sess, nil
 }
@@ -356,13 +355,11 @@ func (p *party) termSizePusher(ch ssh.Channel) {
 			log.Error(err)
 		}
 	}()
-	defer close(p.termSizeC)
 
 	for err == nil {
 		select {
 		case newSize := <-p.termSizeC:
 			n, err = ch.Write(newSize)
-			log.Infof("Pushed size: %s, (written=%d, err=%v)", string(newSize), n, err)
 			if err == io.EOF {
 				continue
 			}
@@ -758,15 +755,16 @@ func (m *multiWriter) Write(p []byte) (n int, err error) {
 
 func newParty(s *session, ch ssh.Channel, ctx *ctx) *party {
 	return &party{
-		user:     ctx.teleportUser,
-		serverID: s.registry.srv.ID(),
-		site:     ctx.conn.RemoteAddr().String(),
-		id:       rsession.NewID(),
-		ch:       ch,
-		ctx:      ctx,
-		s:        s,
-		sconn:    ctx.conn,
-		closeC:   make(chan bool),
+		user:      ctx.teleportUser,
+		serverID:  s.registry.srv.ID(),
+		site:      ctx.conn.RemoteAddr().String(),
+		id:        rsession.NewID(),
+		ch:        ch,
+		ctx:       ctx,
+		s:         s,
+		sconn:     ctx.conn,
+		termSizeC: make(chan []byte, 5),
+		closeC:    make(chan bool),
 	}
 }
 
@@ -833,6 +831,7 @@ func (p *party) Close() (err error) {
 			p.ctx.Error(err)
 		}
 		close(p.closeC)
+		close(p.termSizeC)
 	})
 	return err
 }