[v9] Make relogin attempts use the strongest auth method (#11781) #11847
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
tsh
codingllama
changed the title
|
The commit doesn't backport cleanly, so there is a second commit with a couple fixes. |
greedy52
approved these changes
Apr 11, 2022
zmb3
approved these changes
Apr 11, 2022
codingllama
force-pushed
the
codingllama/v9-hungry-hungry-tsh
branch
from
f4862e5 to
5946a92
Compare
codingllama
force-pushed
the
codingllama/v9-hungry-hungry-tsh
branch
from
5946a92 to
877791f
Compare
Fixes a potential stdin hijacking bug by making relogin attempts default to a
single MFA method (the strongest available).
The problematic scenario is as follows:
1. User has both OTP and security keys registered
2. "Relogin" is triggered via a tsh command (say,
`tsh logout; tsh ssh --proxy=example.com llama@myserver`)
3. User is prompted to pick either OTP or security key ("Tap any security key or
enter a code from a OTP device")
4. An stdin read is fired in the background to read the OTP code (via
prompt.Stdin)
5. User picks the security method, thus the stdin read is "abandoned"
In most cases this is fine, as the program ends right after. The issue is when a
relogin is triggered by a long living tsh invocation (again, `tsh ssh ...`): in
this case the stdin hijack causes input to be swallowed.
Forcing a single MFA option avoids the potential stdin hijack, fixing the
problem for all relogin invocations. `tsh login` behavior remains the same.
Note that we have to default to cluster's most secure method _without_ checking
the user devices. The user is not logged in yet, thus the backend cannot reveal
any information about that user.
Fixes #11709.
* Add UseStrongestAuth flag to PromptMFAChallenge
* Add TeleportClient.UseStrongestAuth and set it true for relogin
* Proper testing
* Address review comments
codingllama
force-pushed
the
codingllama/v9-hungry-hungry-tsh
branch
from
877791f to
1227bdd
Compare
Closed
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes a potential stdin hijacking bug by making relogin attempts default to a
single MFA method (the strongest available).
The problematic scenario is as follows:
tsh logout; tsh ssh --proxy=example.com llama@myserver)enter a code from a OTP device")
prompt.Stdin)
In most cases this is fine, as the program ends right after. The issue is when a
relogin is triggered by a long living tsh invocation (again,
tsh ssh ...): inthis case the stdin hijack causes input to be swallowed.
Forcing a single MFA option avoids the potential stdin hijack, fixing the
problem for all relogin invocations.
tsh loginbehavior remains the same.Note that we have to default to cluster's most secure method without checking
the user devices. The user is not logged in yet, thus the backend cannot reveal
any information about that user.
Issue #11709.