Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tsh --headless should work when local auth disabled #37063

Closed
programmerq opened this issue Jan 23, 2024 · 0 comments · Fixed by #41933
Closed

tsh --headless should work when local auth disabled #37063

programmerq opened this issue Jan 23, 2024 · 0 comments · Fixed by #41933
Labels
bug headless-sso tsh tsh - Teleport's command line tool for logging into nodes running Teleport.

Comments

@programmerq
Copy link
Contributor

When local auth is disabled, tsh --headless does not work. It errors out saying ERROR: local auth disabled

When local auth is enabled, it is possible to use tsh --headless with an SSO user. They just need to add an MFA device.

Expected behavior:

% tsh --headless --proxy teleport.example.com --user myssouser@example.com ssh me@mynode hostname
Complete headless authentication in your local web browser:

https://teleport.example.com:443/web/headless/9863bd17-13e2-073a-f13c-6874cc0696af

or execute this command in your local terminal:

tsh headless approve --user=myssouser@example.com --proxy=teleport.example.com:443 9863bd17-13e2-073a-f13c-6874cc0696af
mynode.localdomain

Current behavior:

% tsh --headless --proxy teleport.example.com --user myssouser@example.com ssh me@mynode hostname
Complete headless authentication in your local web browser:

https://teleport.example.com:443/web/headless/9863bd17-13e2-073a-f13c-6874cc0696af

or execute this command in your local terminal:

tsh headless approve --user=myssouser@example.com --proxy=teleport.example.com:443 9863bd17-13e2-073a-f13c-6874cc0696af
ERROR: local auth disabled

Bug details:

  • Teleport version - v14.3.x
  • Recreation steps - disable local auth, add mfa device to SSO user, attempt to use tsh --headless
  • Debug logs
@programmerq programmerq added bug tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Jan 23, 2024
@Joerger Joerger mentioned this issue May 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug headless-sso tsh tsh - Teleport's command line tool for logging into nodes running Teleport.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow headless auth when local auth is disabled gravitational/teleport
2 participants
@programmerq @zmb3