Documentation of Webauthn and Per-session MFA does not work for FIPS #11080

Closed
pschisa opened this issue Mar 11, 2022 · 0 comments
Labels: c-q7j (Internal Customer Reference), documentation, mfa (Issues related to Multi Factor Authentication)

pschisa commented Mar 11, 2022

Details

Currently, the per-session MFA documentation (https://goteleport.com/docs/access-controls/guides/per-session-mfa/) mentions Webauthn, as configured here, as a prerequisite: https://goteleport.com/docs/access-controls/guides/webauthn/

These instructions do not work for FIPS build users for several reasons. The following setting shown in the Webauthn docs is not available in FIPS (FIPS does not allow local users):

```yaml
auth_service:
  authentication:
    type: local
```

And because `local` cannot be set, `second_factor: on` cannot be set as described in the docs, producing the following error:

```
Second factor settings will have no affect because local authentication is disabled. Update file configuration and remove "second_factor" field to get rid of this error message. config/configuration.go:554
```

A FIPS user must have authentication type be false and set `second_factor: optional` in order to configure Webauthn and ultimately use per-session MFA with it. The docs should be updated to indicate this is the working path for FIPS users.

Category

  • Improve Existing
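
The two configurations this issue contrasts, laid out side by side as an added example (not taken from the Teleport docs or from the original post). The FIPS variant uses the `local_auth` key named in the commit messages that reference this issue; the `webauthn.rp_id` value is a constructed placeholder.

```yaml
# Non-FIPS builds: the setting shown in the WebAuthn guide, as quoted in this issue.
auth_service:
  authentication:
    type: local
    second_factor: on
    webauthn:
      rp_id: teleport.example.com   # placeholder relying-party ID (assumption)
---
# FIPS builds: local users are not allowed, so local auth is disabled and
# second_factor is set to optional, per the commits that fix this issue.
auth_service:
  authentication:
    local_auth: false
    second_factor: optional
    webauthn:
      rp_id: teleport.example.com   # placeholder relying-party ID (assumption)
```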
@pschisa pschisa added documentation c-q7j Internal Customer Reference mfa Issues related to Multi Factor Authentication labels Mar 11, 2022
@zmb3 zmb3 self-assigned this Mar 11, 2022
zmb3 added a commit that referenced this issue Mar 11, 2022
In order to configure WebAuthn on FIPS builds, you must set
local_auth to false and second_factor to optional.

Fixes #11080
zmb3 added a commit that referenced this issue Mar 14, 2022
@zmb3 zmb3 closed this as completed in 0d9d75e Mar 14, 2022
zmb3 added a commit that referenced this issue Mar 14, 2022
zmb3 added a commit that referenced this issue Mar 14, 2022
zmb3 added a commit that referenced this issue Mar 15, 2022
zmb3 added a commit that referenced this issue Mar 15, 2022
zmb3 added a commit that referenced this issue Mar 16, 2022