Expand --mfa-mode and disable stdin hijack by default #13134
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
tsh
zmb3
approved these changes
Jun 2, 2022
Tener
approved these changes
Jun 3, 2022
There was a problem hiding this comment.
Looks good overall.
Would it make sense to make it possible to put the preferred modes into tsh config file?
teleport/tool/tsh/tshconfig.go
Lines 39 to 44 in 6f51c36
codingllama
force-pushed
the
codingllama/sessionmfa-input
branch
from
6f51c36 to
908856d
Compare
|
Thanks for the reviews, everyone. |
codingllama
force-pushed
the
codingllama/sessionmfa-input
branch
10 times, most recently
from
10853fa to
6ed3d66
Compare
codingllama
force-pushed
the
codingllama/sessionmfa-input
branch
from
6ed3d66 to
0ad28aa
Compare
codingllama
added a commit
that referenced
this pull request
Jun 6, 2022
Avoid "input swallowing" bugs by disabling stdin hijacking by default. Only `tsh login` is allowed to hijack stdin, as it is expected to exit right after authentication. Any MFA authentication attempts resulting from non-`tsh login` invocations default to the user's strongest auth method. Defaulting to the strongest auth method can cause problems in constrained environments for users that have both Webauthn and OTP registered. For example, someone using `tsh` under WSL (Windows Subsystem for Linux) or a remote machine could be locked into Webauthn MFA, which they can't use because their environment lacks USB access or they don't have physical access to it. In order to solve this problem I've slightly modified the meaning of the `--mfa-mode` flag so `otp` can be specified. The `TELEPORT_MFA_MODE` environment variable may be set to avoid constant flag passing. Fixes #12675 and #13021. * Expand --mfa-mode and disable stdin hijack by default * Use TELEPORT_ instead of TSH_ for FIDO2 env var * Use t.Setenv in tests
codingllama
added a commit
that referenced
this pull request
Jun 8, 2022
Avoid "input swallowing" bugs by disabling stdin hijacking by default. Only `tsh login` is allowed to hijack stdin, as it is expected to exit right after authentication. Any MFA authentication attempts resulting from non-`tsh login` invocations default to the user's strongest auth method. Defaulting to the strongest auth method can cause problems in constrained environments for users that have both Webauthn and OTP registered. For example, someone using `tsh` under WSL (Windows Subsystem for Linux) or a remote machine could be locked into Webauthn MFA, which they can't use because their environment lacks USB access or they don't have physical access to it. In order to solve this problem I've slightly modified the meaning of the `--mfa-mode` flag so `otp` can be specified. The `TELEPORT_MFA_MODE` environment variable may be set to avoid constant flag passing. Fixes #12675 and #13021. * Expand --mfa-mode and disable stdin hijack by default * Use TELEPORT_ instead of TSH_ for FIDO2 env var * Use t.Setenv in tests
codingllama
added a commit
that referenced
this pull request
Jun 8, 2022
…13212) Avoid "input swallowing" bugs by disabling stdin hijacking by default. Only `tsh login` is allowed to hijack stdin, as it is expected to exit right after authentication. Any MFA authentication attempts resulting from non-`tsh login` invocations default to the user's strongest auth method. Defaulting to the strongest auth method can cause problems in constrained environments for users that have both Webauthn and OTP registered. For example, someone using `tsh` under WSL (Windows Subsystem for Linux) or a remote machine could be locked into Webauthn MFA, which they can't use because their environment lacks USB access or they don't have physical access to it. In order to solve this problem I've slightly modified the meaning of the `--mfa-mode` flag so `otp` can be specified. The `TELEPORT_MFA_MODE` environment variable may be set to avoid constant flag passing. * Expand --mfa-mode and disable stdin hijack by default (#13134) * Use TeleportClient.PromptMFAChallenge where applicable * Adapt/backport tests and fix prefer OTP * Appease linter
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Avoid "input swallowing" bugs by disabling stdin hijacking by default.
Only
tsh loginis allowed to hijack stdin, as it is expected to exit right after authentication. Any MFA authentication attempts resulting from non-tsh logininvocations default to the user's strongest auth method.Defaulting to the strongest auth method can cause problems in constrained environments for users that have both Webauthn and OTP registered. For example, someone using
tshunder WSL (Windows Subsystem for Linux) or a remote machine could be locked into Webauthn MFA, which they can't use because their environment lacks USB access or they don't have physical access to it. In order to solve this problem I've slightly modified the meaning of the--mfa-modeflag sootpcan be specified.The
TELEPORT_MFA_MODEenvironment variable may be set to avoid constant flag passing.Fixes #12675 and #13021.