
disconnect_expired_cert: yes and require_session_mfa: yes can't harmoniously exist on one cluster #18544

Closed
ibeckermayer opened this issue Nov 17, 2022 · 5 comments · Fixed by #18607
Assignees
Labels
bug c-bs Internal Customer Reference mfa Issues related to Multi Factor Authentication

Comments

@ibeckermayer
Contributor

If an auth service has both disconnect_expired_cert and require_session_mfa enabled, users are consistently kicked out of their sessions after about a minute (across features). The issue is that with per-session mfa we typically issue 1 minute-lived certs per session, which disconnect_expired_cert then identifies as expired and boots the user out.

The proposed solution is that some metadata can be added to the MFA cert that contains the original TTL of the user cert that made the request. New sessions using the MFA cert can still be denied based on the MFA cert TTL, but existing sessions can be closed based on the original TTL of the user cert when disconnect_expired_cert is enabled and the original TTL of the user cert is present. (credit to @dboslee for this proposal).
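The disconnect decision the proposal describes, as an added Go sketch that is not Teleport's own code: the SessionCert type, its field names and the OriginalNotAfter metadata are assumptions made for this example, and the 8h user-cert TTL and timestamps are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// SessionCert is a constructed view of the certificate behind a session.
// Field names are assumptions for this example, not Teleport's types.
type SessionCert struct {
	NotAfter         time.Time  // expiry of the cert presented for this session
	MFAVerified      bool       // true for a short-lived per-session MFA cert
	OriginalNotAfter *time.Time // proposed metadata: expiry of the user cert that requested the MFA cert
}

// AllowNewSession keeps the first half of the proposal: a new session is
// still judged against the MFA cert's own (about one minute) TTL.
func AllowNewSession(c SessionCert, now time.Time) bool {
	return now.Before(c.NotAfter)
}

// ShouldDisconnect implements disconnect_expired_cert with the second half
// of the proposal: an existing session backed by an MFA cert that carries
// the original user-cert expiry is closed at that original expiry, not at
// the MFA cert's own expiry. Without the metadata the old behaviour remains.
func ShouldDisconnect(disconnectExpiredCert bool, c SessionCert, now time.Time) bool {
	if !disconnectExpiredCert {
		return false
	}
	deadline := c.NotAfter
	if c.MFAVerified && c.OriginalNotAfter != nil {
		deadline = *c.OriginalNotAfter
	}
	return !now.Before(deadline)
}

func main() {
	issued := time.Date(2022, 11, 17, 12, 0, 0, 0, time.UTC)
	userExpiry := issued.Add(8 * time.Hour) // constructed: user cert TTL of 8h
	mfa := SessionCert{NotAfter: issued.Add(time.Minute), MFAVerified: true, OriginalNotAfter: &userExpiry}
	legacy := SessionCert{NotAfter: issued.Add(time.Minute), MFAVerified: true} // no metadata: the reported bug
	at := issued.Add(2 * time.Minute)
	fmt.Println("new session with stale MFA cert allowed:", AllowNewSession(mfa, at))                  // false
	fmt.Println("kicked without metadata:", ShouldDisconnect(true, legacy, at))                        // true
	fmt.Println("kicked with metadata:", ShouldDisconnect(true, mfa, at))                              // false
	fmt.Println("kicked after user cert expiry:", ShouldDisconnect(true, mfa, issued.Add(9*time.Hour))) // true
}
```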

@ibeckermayer ibeckermayer self-assigned this Nov 17, 2022
@Erick-Reyes Erick-Reyes added the c-bs Internal Customer Reference label Nov 18, 2022
@zmb3 zmb3 added the mfa Issues related to Multi Factor Authentication label Nov 29, 2022
@ibeckermayer
Contributor Author

@claudioscalzo @daquinoaldo do you know which major version of teleport you're using (v11/v10/v9)?

@daquinoaldo
Contributor

@ibeckermayer, CLI v11, Agent v10, Cloud cluster v10 (it should auto-update soon to v11 as per Agent documentation, then we will bump agents).

@daquinoaldo
Contributor

@ibeckermayer could you ping me when you release it on v10/v11?

@ibeckermayer
Contributor Author

ibeckermayer commented Dec 12, 2022

@daquinoaldo v11's backport is merged and so this will be available in the next release. I'm planning to get v10 merged today and so it should be in the next v10 release.

v10 and v11 backports are merged so the fix will be in the next release. There will be a bullet point in the respective release notes to confirm.

@daquinoaldo
Contributor

Thank you
