UseStrongestAuth "relogin" problematic on remote environments #12675
Comments
This is probably a concern in enterprise SSO environments with the browser redirect to
Doing either the
Avoid "input swallowing" bugs by disabling stdin hijacking by default. Only `tsh login` is allowed to hijack stdin, as it is expected to exit right after authentication. Any MFA authentication attempts resulting from non-`tsh login` invocations default to the user's strongest auth method. Defaulting to the strongest auth method can cause problems in constrained environments for users that have both Webauthn and OTP registered. For example, someone using `tsh` under WSL (Windows Subsystem for Linux) or a remote machine could be locked into Webauthn MFA, which they can't use because their environment lacks USB access or they don't have physical access to it. In order to solve this problem I've slightly modified the meaning of the `--mfa-mode` flag so `otp` can be specified. The `TELEPORT_MFA_MODE` environment variable may be set to avoid constant flag passing. Fixes #12675 and #13021.

* Expand --mfa-mode and disable stdin hijack by default
* Use TELEPORT_ instead of TSH_ for FIDO2 env var
* Use t.Setenv in tests
From #13021: I've put together a fix that should land in master shortly (I'll port it to v9 after it lands). It's similar to the fix #11709, but this time I've gone ahead and made anything that isn't

I'll keep the present issue (#12675) focused on MFA only, as SSO is a different issue altogether.
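As an added shell example (not Teleport code and not from this thread), a small wrapper that picks the MFA mode for non-`tsh login` invocations in the constrained environments the fix describes: it exports `TELEPORT_MFA_MODE=otp` when the shell appears to run under WSL or over SSH, where a USB authenticator is not reachable, and otherwise leaves tsh at its strongest-method default. The WSL check on `/proc/version` and the `SSH_CONNECTION` check are assumed heuristics, and `pick_mfa_mode`/`export_mfa_mode` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of Teleport or this issue thread.
# The fix lets non-`tsh login` commands request `--mfa-mode otp`, or read the
# mode from TELEPORT_MFA_MODE. This wrapper sets that variable only when the
# environment cannot reach a hardware (Webauthn/FIDO2) authenticator.
# Assumed heuristics: WSL is detected from /proc/version, a remote session
# from SSH_CONNECTION.

# pick_mfa_mode PROC_VERSION_TEXT SSH_CONNECTION_VALUE
# Prints "otp" when a USB key is unreachable; prints nothing otherwise so
# tsh keeps its default (strongest registered method).
pick_mfa_mode() {
  proc_version=$1
  ssh_conn=$2
  case "$proc_version" in
    *[Mm]icrosoft*|*WSL*)
      echo otp
      return 0
      ;;
  esac
  if [ -n "$ssh_conn" ]; then
    echo otp
    return 0
  fi
  return 0
}

# Export TELEPORT_MFA_MODE for the current shell so every later tsh command
# inherits it instead of needing --mfa-mode on each invocation.
# Prints the effective setting for the reader.
export_mfa_mode() {
  pv=""
  [ -r /proc/version ] && pv=$(cat /proc/version)
  mode=$(pick_mfa_mode "$pv" "${SSH_CONNECTION:-}")
  if [ -n "$mode" ]; then
    export TELEPORT_MFA_MODE="$mode"
  fi
  echo "${TELEPORT_MFA_MODE:-<unset: tsh default>}"
}
```

Source the file in a login shell and call `export_mfa_mode` once; `tsh login` is unaffected, since it still offers every registered method.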
Expected behavior: tsh asks for (or allows) OTP MFA.
Current behavior:
Relogin attempts default to the cluster's strongest auth method since #11781 - this is an intentional workaround for stdin-stealing issues (#11709).
The issue arises when relogin is triggered in remote/containerized environments (tsh-on-remote, WSL2) - in those scenarios USB-based MFA is not an option. The current mitigation is to cancel the relogin attempt and explicitly run `tsh login`, which does allow for multiple authn methods. See comment #6630 (comment).
Bug details: