Commit
Attempt ssh connections with and without mfa at the same time
`tsh ssh` would fall back to doing the mfa ceremony if connecting to the node with the already provisioned certificates failed with an access denied error. This incurs the cost of a round trip to the target host when per session mfa is required.

To combat the additional latency when per session mfa is required, we can attempt both the connection with the certs on hand AND start the per session mfa flow at the same time. If per session mfa is not required, the client won't attempt the mfa ceremony, which adds no impact there. If per session mfa is required, the initial connection to the host is going to fail, so the mfa ceremony will need to be performed anyhow.

For this to work we need to ensure that users are not prompted for mfa if completing the mfa ceremony will not actually help the user gain access to the host. If users just flat out do not have access to the host, we don't want to confuse them by prompting them to touch a hardware key. Since `tsh` first calls `proto.AuthService/IsMFARequired` before initiating the mfa ceremony, we are guaranteed not to initiate the mfa ceremony when not required.
1 parent 7c6d95e, commit 2683fbb
Showing 3 changed files with 411 additions and 185 deletions.
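The flow the commit message describes, as an added Go sketch that is not the code from this commit: the dial with existing certificates and the MFA path start together, and the MFA path prompts only after its requirement check says MFA is needed. `Hooks`, `Connect`, `ErrAccessDenied` and the session strings are hypothetical names for illustration, not `tsh` APIs.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// ErrAccessDenied stands in for the node's access denied error (constructed).
var ErrAccessDenied = errors.New("access denied")
// Hooks are hypothetical stand-ins for the client operations, not tsh APIs.
type Hooks struct {
	DialWithCerts func(context.Context) (string, error) // certs on hand
	IsMFARequired func(context.Context) (bool, error)   // check only, no prompt
	DialWithMFA   func(context.Context) (string, error) // prompts the user
}
type result struct{ conn string; err error; skipped bool }

// Connect starts both paths at once; the MFA path prompts only if required.
func Connect(ctx context.Context, h Hooks) (string, error) {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel() // stops the MFA path if the plain dial already succeeded
	direct, mfa := make(chan result, 1), make(chan result, 1)
	go func() {
		c, err := h.DialWithCerts(ctx)
		direct <- result{conn: c, err: err}
	}()
	go func() {
		if req, err := h.IsMFARequired(ctx); err != nil || !req {
			mfa <- result{skipped: true} // never prompt when it cannot help
			return
		}
		c, err := h.DialWithMFA(ctx)
		mfa <- result{conn: c, err: err}
	}()
	d := <-direct
	if d.err != nil {
		if m := <-mfa; !m.skipped {
			return m.conn, m.err // MFA ceremony ran while the dial was failing
		}
	}
	return d.conn, d.err // dial succeeded, or denial with no prompt shown
}

func main() {
	deny := func(context.Context) (string, error) { return "", ErrAccessDenied }
	noMFA := func(context.Context) (bool, error) { return false, nil }
	_, err := Connect(context.Background(), Hooks{deny, noMFA, deny})
	fmt.Println(err) // constructed case: no access and MFA not required
}
```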