tctl [v16] fails if device mode "required" is set in the config file #44089

codingllama · 2024-07-11T18:47:08Z

Expected behavior:

tctl works in all scenarios.

Current behavior:

tctl using the user's identity works:

$ tctl users ls
> User                          Roles                                
> ----------------------------- ------------------------------------ 
> llama                         access,editor

tctl using a config file fails:

$ TELEPORT_CONFIG_FILE=/path/to/teleport.yaml tctl users ls
> ERROR: device trust mode "required" requires Teleport Enterprise

tctl Enterprise v15, with the same invocation as above, works:

$ tctl15 version
> Teleport Enterprise v15.4.9 git:v15.4.9-0-gaea5781 go1.22.5

$ TELEPORT_CONFIG_FILE=/path/to/teleport.yaml tctl15 users ls
> User                          Roles                                
> ----------------------------- ------------------------------------ 
> alpaca                        access,editor,require-trusted-device

A certain conjunction of factors has to be present for the failure to happen:

tctl is build with "OSS modules" (always true for v16+)
A teleport config file is used (not user identity)
The teleport config file is Enterprise and has device_trust.mode=required set

version: v1
teleport:
  # not relevant

auth_service:
  # not relevant, except for
  enabled: "yes"
  authentication:
    device_trust:
      mode: required

This hits the following lines, in sequence:

teleport/tool/tctl/common/tctl.go

Line 325 in 3c0b25a

if err = config.ApplyFileConfig(fileConf, cfg); err != nil {
teleport/lib/config/configuration.go

Line 614 in 3c0b25a

err = applyAuthConfig(fc, cfg)
teleport/lib/config/configuration.go

Line 949 in 3c0b25a

if err := dtconfig.ValidateConfigAgainstModules(cfg.Auth.Preference.GetDeviceTrust()); err != nil {
teleport/lib/devicetrust/config/config.go

Line 54 in 3c0b25a

return trace.BadParameter("device trust mode %q requires Teleport Enterprise", dt.Mode)

which then make the invocation fail, as the binary modules don't match the configuration.

Bug details:

Teleport version: v16+
Recreation steps: see above
Debug logs: not necessary / see above

codingllama · 2024-07-12T14:02:05Z

All backports are out. Good to close once v16 lands.

codingllama added bug devicetrust platform-security labels Jul 11, 2024

codingllama mentioned this issue Jul 11, 2024

fix: Move module-based device trust check to the teleport binary #44105

Merged

codingllama self-assigned this Jul 11, 2024

This was referenced Jul 12, 2024

[v16] fix: Move module-based device trust check to the teleport binary #44133

Merged

[v15] fix: Move module-based device trust check to the teleport binary #44134

Merged

[v14] fix: Move module-based device trust check to the teleport binary #44136

Merged

zmb3 closed this as completed Jul 16, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tctl [v16] fails if device mode "required" is set in the config file #44089

tctl [v16] fails if device mode "required" is set in the config file #44089

codingllama commented Jul 11, 2024 •

edited

Loading

codingllama commented Jul 12, 2024

tctl [v16] fails if device mode "required" is set in the config file #44089

tctl [v16] fails if device mode "required" is set in the config file #44089

Comments

codingllama commented Jul 11, 2024 • edited Loading

codingllama commented Jul 12, 2024

codingllama commented Jul 11, 2024 •

edited

Loading