[v9] Expand --mfa-mode and disable stdin hijack by default (#13134) #13212
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
tsh
|
Note to reviewers: this part of the codebase was refactored on master, so the backport isn't completely clean. I've removed mentions to FIDO2/AuthenticationAttachment (added in v10) and did a couple tweaks in the commits after the cherry pick (tests, in particular, are rather different between v9 and v10). |
codingllama
force-pushed
the
codingllama/v9-sessionmfa-input
branch
from
25fc729 to
efc7df8
Compare
zmb3
approved these changes
Jun 7, 2022
Tener
approved these changes
Jun 8, 2022
Avoid "input swallowing" bugs by disabling stdin hijacking by default. Only `tsh login` is allowed to hijack stdin, as it is expected to exit right after authentication. Any MFA authentication attempts resulting from non-`tsh login` invocations default to the user's strongest auth method. Defaulting to the strongest auth method can cause problems in constrained environments for users that have both Webauthn and OTP registered. For example, someone using `tsh` under WSL (Windows Subsystem for Linux) or a remote machine could be locked into Webauthn MFA, which they can't use because their environment lacks USB access or they don't have physical access to it. In order to solve this problem I've slightly modified the meaning of the `--mfa-mode` flag so `otp` can be specified. The `TELEPORT_MFA_MODE` environment variable may be set to avoid constant flag passing. Fixes #12675 and #13021. * Expand --mfa-mode and disable stdin hijack by default * Use TELEPORT_ instead of TSH_ for FIDO2 env var * Use t.Setenv in tests
codingllama
force-pushed
the
codingllama/v9-sessionmfa-input
branch
from
3e5dcaf to
0ad94f7
Compare
codingllama
added a commit
that referenced
this pull request
Jun 8, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Avoid "input swallowing" bugs by disabling stdin hijacking by default.
Only
tsh loginis allowed to hijack stdin, as it is expected to exit rightafter authentication. Any MFA authentication attempts resulting from
non-
tsh logininvocations default to the user's strongest auth method.Defaulting to the strongest auth method can cause problems in constrained
environments for users that have both Webauthn and OTP registered. For example,
someone using
tshunder WSL (Windows Subsystem for Linux) or a remote machinecould be locked into Webauthn MFA, which they can't use because their
environment lacks USB access or they don't have physical access to it. In order
to solve this problem I've slightly modified the meaning of the
--mfa-modeflag so
otpcan be specified.The
TELEPORT_MFA_MODEenvironment variable may be set to avoid constant flagpassing.
#13021