Single-use certificates from per-session MFA challenges do not seem to work on Recording Proxy mode #8843

Open
chongyangshi opened this issue Nov 3, 2021 · 0 comments
Labels
bug mfa Issues related to Multi Factor Authentication

chongyangshi commented Nov 3, 2021

Description

As a brief background, our organisation is currently evaluating Teleport as a potential access management solution for both SSH and Kubernetes. In the context of this ticket, two of Teleport's features are essential to us:

  • Per-session MFA challenge for some servers, to mitigate the risk of malicious scripts running on client machines by checking for user-presence through U2F hardware
  • Recording Proxy mode using proxy-sync, as we need to prevent potential attackers who are logged into privileged system users via SSH from tampering with SSH session recordings

We've tested the following on both Teleport 7.3.2 and the current Teleport 8 alpha (master branch).

What happened:

With Teleport running inside Kubernetes, the Teleport Auth configuration looks like this:

    teleport:
      data_dir: /var/lib/teleport
      auth_token: /etc/ssl/teleport/auth-invite-token

      log:
        output: stderr
        severity: INFO

      auth_servers:
      - teleport-auth.<namespace>:3025

      connection_limits:
        max_connections: 1000
        max_users: 250

      storage:
        region: <redacted>
        type: dynamodb

        table_name: <redacted>
        audit_sessions_uri: 's3://<redacted>/<redacted>'
        audit_events_uri: ['dynamodb://<redacted>', 'file:///var/lib/teleport/log']

    auth_service:
      enabled: yes

      cluster_name: "<redacted>"

      tokens:
      - "proxy,kube:<redacted>"
      - "auth:<redacted>"
      - "node:<redacted>"

      client_idle_timeout: 1h

      public_addr: 
      - <redacted>

      authentication:
        type: local
        second_factor: optional
        u2f:
            app_id: https://<redacted>:3080
            facets:
            - https://<redacted>:3080
            - https://<redacted>.io
            - <redacted>:3080
            - <redacted>

            device_attestation_cas:
            - |
              -----BEGIN CERTIFICATE-----
              <omitted>
              -----END CERTIFICATE-----

        locking_mode: strict
        local_auth: true

      session_recording: "proxy-sync"
      proxy_checks_host_keys: yes

      keep_alive_interval: 1m
      keep_alive_count_max: 3

      message_of_the_day: ""

Proxy and Node configurations are essentially the default values after auth references are configured, but let me know if seeing them would be helpful.

After configuring local users through Teleport Auth server and registering their MFA tokens with tsh mfa add, we then set a role for the user to require per-session MFA:

    kind: role
    version: v4
    metadata:
      name: test-admin
    spec:
      options:
        forward_agent: true
        require_session_mfa: true
      allow:
        logins: ["core"]
        node_labels:
          role: <redacted>
        kubernetes_groups: ["system:masters"]
        kubernetes_labels:
          environment_name: <redacted>
        rules:
          - resources:
              - node
            verbs:
              - list
              - read
Using the local user, we then validate that MFA challenges should be working correctly through Kubernetes access via teleport-proxy:

root@test-VirtualBox:/mnt/Downloads/teleport# ./tsh --insecure -d kube credentials --teleport-cluster=<redacted> --kube-cluster=<redacted>
INFO [CLIENT]    no host login given. defaulting to root client/api.go:1071
ERRO [CLIENT]    [KEY AGENT] Unable to connect to SSH agent on socket: "". client/api.go:2884
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<redacted>/<redacted>-x509.pem" valid until "2021-11-04 02:41:21 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/<redacted>/<redacted>-ssh/<redacted>-cert.pub". client/keystore.go:303
INFO [KEYAGENT]  Loading SSH key for user "<redacted>" and cluster "<redacted>". client/keyagent.go:179
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<redacted>/<redacted>-x509.pem" valid until "2021-11-04 02:41:21 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/<redacted>/<redacted>-kube/<redacted>". client/keystore.go:303
DEBU [TSH]       Requesting TLS cert for kubernetes cluster "<redacted>" tsh/kube.go:104
INFO [CLIENT]    Connecting proxy=<redacted>:3023 login="core" client/api.go:2111
DEBU [KEYAGENT]  "Checking key: <host ssh cert omitted>\n." client/keyagent.go:337
DEBU [KEYAGENT]  Validated host <redacted>:3023. client/keyagent.go:343
INFO [CLIENT]    Successful auth with proxy <redacted>:3023. client/api.go:2118
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<redacted>/<redacted>-x509.pem" valid until "2021-11-04 02:41:21 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/<redacted>/<redacted>-ssh/<redacted>-cert.pub". client/keystore.go:303
DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/<redacted>/<redacted>-kube/<redacted>". client/keystore.go:303
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<redacted>/<redacted>-x509.pem" valid until "2021-11-04 02:41:21 +0000 UTC". client/keystore.go:280
DEBU [CLIENT]    Client  is connecting to auth server on cluster "<redacted>". client/client.go:820
DEBU [CLIENT]    Attempting to issue a single-use user certificate with an MFA check. client/client.go:377
Tap any security key
DEBU [CLIENT]    WebAuthn: prompting U2F devices with origin "https://<redacted>:3080" client/mfa.go:110
DEBU [CLIENT]    Issued single-use user certificate after an MFA check. client/client.go:445
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<redacted>/<redacted>-x509.pem" valid until "2021-11-04 02:41:21 +0000 UTC". client/keystore.go:280
INFO [KEYAGENT]  Loading SSH key for user "<redacted>" and cluster "<redacted>". client/keyagent.go:179
{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1beta1","spec":{},"status":{"expirationTimestamp":"2021-11-03T15:31:17Z","clientCertificateData":"-----BEGIN CERTIFICATE-----\nMIIE<omitted>

We then attempt to do the same with SSH access:

root@test-VirtualBox:/mnt/Downloads/teleport# ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-dcKRcK7foYm3/agent.1761; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1762; export SSH_AGENT_PID;
echo Agent pid 1762;
root@test-VirtualBox:/mnt/Downloads/teleport# SSH_AUTH_SOCK=/tmp/ssh-dcKRcK7foYm3/agent.1761; export SSH_AUTH_SOCK;
root@test-VirtualBox:/mnt/Downloads/teleport# ssh-add -L
The agent has no identities.

root@test-VirtualBox:/mnt/Downloads/teleport# ./tsh --insecure -d ssh -A core@10.xxx.xx.xxx
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/tmp/ssh-dcKRcK7foYm3/agent.1761" client/api.go:2888
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 03:48:52 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-ssh/<teleport-cluster-name>-cert.pub". client/keystore.go:303
INFO [KEYAGENT]  Loading SSH key for user "<username>" and cluster "<teleport-cluster-name>". client/keyagent.go:179
INFO [CLIENT]    Connecting proxy=<teleport-cluster-hostname>:3023 login="core" client/api.go:2111
DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com <host-ssh-cert>\n." client/keyagent.go:337
DEBU [KEYAGENT]  Validated host <teleport-cluster-hostname>:3023. client/keyagent.go:343
INFO [CLIENT]    Successful auth with proxy <teleport-cluster-hostname>:3023. client/api.go:2118
DEBU [CLIENT]    Found clusters: [{"name":"<teleport-cluster-name>","lastconnected":"2021-11-03T15:49:27.965647308Z","status":"online"}] client/client.go:110
INFO [CLIENT]    Client= connecting to node=10.xxx.xx.xxx on cluster <teleport-cluster-name> client/client.go:925
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 03:48:52 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 03:48:52 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-ssh/<teleport-cluster-name>-cert.pub". client/keystore.go:303
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 03:48:52 +0000 UTC". client/keystore.go:280
DEBU [CLIENT]    Client  is connecting to auth server on cluster "<teleport-cluster-name>". client/client.go:820
DEBU [CLIENT]    Attempting to issue a single-use user certificate with an MFA check. client/client.go:377
Tap any security key
DEBU [CLIENT]    WebAuthn: prompting U2F devices with origin "https://<teleport-cluster-hostname>:3080" client/mfa.go:110
DEBU [CLIENT]    Issued single-use user certificate after an MFA check. client/client.go:445
DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com <host-ssh-cert>\n." client/keyagent.go:337
DEBU [KEYAGENT]  Validated host 10.xxx.xx.xxx:0@default@<teleport-cluster-name>. client/keyagent.go:343
DEBU [CLIENT]    Activating relogin on ssh: rejected: connect failed (ssh: handshake failed: ssh: unable to authenticate, attempted methods [none publickey], no supported methods remain). client/api.go:484
DEBU [CLIENT]    not using loopback pool for remote proxy addr: <teleport-cluster-hostname>:3080 client/api.go:2849
DEBU             Attempting GET <teleport-cluster-hostname>:3080/webapi/ping webclient/webclient.go:62
Enter password for Teleport user <username>:
root@test-VirtualBox:/mnt/Downloads/teleport#

root@test-VirtualBox:/mnt/Downloads/teleport# ssh-add -L
ssh-rsa-cert-v01@openssh.com <client-ssh-cert> teleport:<username>
ssh-rsa <client-public-key> teleport:<username>

It appears that Teleport Auth server has correctly notified the tsh client that it needs to perform an MFA verification for the SSH session, and tsh indeed requested a U2F challenge and sent the resulting signature back. A single-use certificate for connecting to the target node was issued by Teleport Auth Server. But the client then hit an auth error when performing the SSH connection, resulting in an automatic relogin retry, which will still fail. The Teleport Auth logs during the process look like this:

2021-11-03T15:49:17Z DEBU [AUTH]      ClientCertPool -> cert(<teleport-cluster-name> issued by <teleport-cluster-name>:328076472922566416763873844844104889916) auth/middleware.go:619
2021-11-03T15:49:17Z DEBU [AUTH]      ClientCertPool -> cert(<teleport-cluster-name> issued by <teleport-cluster-name>:207881821661131457649328474509369657414) auth/middleware.go:619
2021-11-03T15:49:17Z DEBU [AUTH:1]    Server certificate cert(51fb11fc-9576-47e6-b2fd-a47e6376cb3f.<teleport-cluster-name> issued by <teleport-cluster-name>:328076472922566416763873844844104889916). auth/middleware.go:300
2021-11-03T15:49:17Z DEBU [RBAC]      Access to node "7d42512b-1dcf-4e1c-8601-9c6e203c4db9" denied, role "test-admin" requires per-session MFA services/role.go:1669
2021-11-03T15:49:17Z DEBU [DYNAMODB]  Got 1 new stream shard records. dynamo/shards.go:231
2021-11-03T15:49:18Z DEBU [DYNAMODB]  Got 1 new stream shard records. dynamo/shards.go:231
2021-11-03T15:49:19Z DEBU [KEYGEN]    generated user key for [core] with expiry on (1635954619) 2021-11-03 15:50:19.488529592 +0000 UTC native/native.go:256
2021-11-03T15:49:19Z INFO [CA]        Generating TLS certificate {0x720f790 0xc00120c180 1.3.9999.1.9=<client-ip-hash>,1.3.9999.1.8=#132466643236323761352d336365332d343037622d613264622d323862386436363462363964,1.3.9999.1.7=<teleport-cluster-name-hex>,1.3.9999.1.3=<kubernetes-cluster-name-hex>,1.3.9999.1.2=<kubernetes-cluster-role-hex>,CN=<username>,O=test-admin,POSTALCODE={\"kubernetes_groups\":[\"\"]\,\"kubernetes_users\":[\"\"]\,\"logins\":[\"core\"]},STREET=<teleport-cluster-name>,L=core,ST=system:masters 2021-11-03 15:50:17.848250184 +0000 UTC [] [] 5 []}. common_name:<username> dns_names:[] locality:[core] not_after:2021-11-03 15:50:17.848250184 +0000 UTC org:[test-admin] org_unit:[] tlsca/ca.go:650
2021-11-03T15:49:19Z DEBU [KEYGEN]    Generated SSH host certificate for role Node with principals: [10.xxx.xx.xxx.<teleport-cluster-name> 10.xxx.xx.xxx localhost 127.0.0.1 ::1 7d42512b-1dcf-4e1c-8601-9c6e203c4db9.<teleport-cluster-name>]. native/native.go:231
2021-11-03T15:49:19Z DEBU [DYNAMODB]  Got 2 new stream shard records. dynamo/shards.go:231
2021-11-03T15:49:20Z INFO [AUDIT]     auth addr.local:10.xxx.xx.xxx:3022 addr.remote:<client-ip>:44742 cluster_name:<teleport-cluster-name> code:T3007W ei:0 error:[user <username>@<teleport-cluster-name> is not authorized to login as core@<teleport-cluster-name>: access to resource requires MFA] event:auth login:core success:false time:2021-11-03T15:49:20.407Z uid:e272c7a6-090c-44bc-88fe-6d44c1861699 user:<username> events/emitter.go:324

From server logs, the 1.3.9999.1.8 field (MFAVerified) expected by the RBAC authorizer in Teleport Auth server seems to be present in the single use certificates issued to the client; but in recording proxy mode the client seems to hit a public key auth failure regardless; without further logs we are not able to determine where this failure happened, and this behaviour does not seem to have been documented explicitly for the proxy recording mode in https://goteleport.com/docs/architecture/proxy/#recording-proxy-mode.

We repeated the above test without the -A agent forwarding flag for tsh ssh, and the same errors happened.

Logs from the Teleport Node server that is the target of the SSH connection show the following:

2021-11-03T18:01:24Z ERRO [NODE]      Permission denied: user <username>@<teleport-cluster-name> is not authorized to login as core@<teleport-cluster-name>: access to resource requires MFA fingerprint:ssh-rsa-cert-v01@openssh.com SHA256:deW4Cb3SI+YVq2BZ5BZDhDFgkE8UVjcsdKxIiRbtFw0 local:10.xxx.xx.xxx:3022 remote:<client-ip>:36548 user:core srv/authhandlers.go:309
2021-11-03T18:01:24Z INFO [AUDIT]     auth addr.local:10.xxx.xx.xxx:3022 addr.remote:<client-ip>:36548 code:T3007W ei:0 error:[user <username>@<teleport-cluster-name> is not authorized to login as core@<teleport-cluster-name>: access to resource requires MFA] event:auth login:core success:false time:2021-11-03T18:01:24.248Z uid:475bcdce-ca38-4468-adce-91e17a161811 user:<username> events/emitter.go:324

(captured from a later attempt)

There seems to be nothing relevant in logs of Teleport Proxy servers.

What you expected to happen:

When we switch the above Teleport Auth server config from session_recording: 'proxy-sync' to session_recording: 'node-sync', per-session MFA seems to work as expected:

root@test-VirtualBox:/mnt/Downloads/teleport# ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-TI1IakNBcnmC/agent.2468; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2469; export SSH_AGENT_PID;
echo Agent pid 2469;
root@test-VirtualBox:/mnt/Downloads/teleport# SSH_AUTH_SOCK=/tmp/ssh-TI1IakNBcnmC/agent.2468; export SSH_AUTH_SOCK;

root@test-VirtualBox:/mnt/Downloads/teleport# ./tsh -d ssh -A core@10.xxx.xx.xxx
INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/tmp/ssh-TI1IakNBcnmC/agent.2468" client/api.go:2888
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 05:28:13 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-ssh/<teleport-cluster-name>-cert.pub". client/keystore.go:303
INFO [KEYAGENT]  Loading SSH key for user "<username>" and cluster "<teleport-cluster-name>". client/keyagent.go:179
INFO [CLIENT]    Connecting proxy=<teleport-cluster-hostname>:3023 login="core" client/api.go:2111
DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com <host-ssh-cert>\n." client/keyagent.go:337
DEBU [KEYAGENT]  Validated host <teleport-cluster-hostname>:3023. client/keyagent.go:343
INFO [CLIENT]    Successful auth with proxy <teleport-cluster-hostname>:3023. client/api.go:2118
DEBU [CLIENT]    Found clusters: [{"name":"<teleport-cluster-name>","lastconnected":"2021-11-03T17:29:07.449220691Z","status":"online"}] client/client.go:110
INFO [CLIENT]    Client= connecting to node=10.xxx.xx.xxx on cluster <teleport-cluster-name> client/client.go:925
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 05:28:13 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 05:28:13 +0000 UTC". client/keystore.go:280
DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-ssh/<teleport-cluster-name>-cert.pub". client/keystore.go:303
DEBU [KEYSTORE]  Returning Teleport TLS certificate "/root/.tsh/keys/<teleport-cluster-hostname>/<username>-x509.pem" valid until "2021-11-04 05:28:13 +0000 UTC". client/keystore.go:280
DEBU [CLIENT]    Client  is connecting to auth server on cluster "<teleport-cluster-name>". client/client.go:820
DEBU [CLIENT]    Attempting to issue a single-use user certificate with an MFA check. client/client.go:377
Tap any security key
DEBU [CLIENT]    WebAuthn: prompting U2F devices with origin "https://<teleport-cluster-hostname>:3080" client/mfa.go:110
DEBU [CLIENT]    Issued single-use user certificate after an MFA check. client/client.go:445
DEBU [KEYAGENT]  "Checking key: ssh-rsa-cert-v01@openssh.com <host-ssh-cert>\n." client/keyagent.go:337
DEBU [KEYAGENT]  Validated host 10.xxx.xx.xxx:0@default@<teleport-cluster-name>. client/keyagent.go:343
DEBU [CLIENT]    Selecting system key agent. client/session.go:223
DEBU [CLIENT]    Forwarding Selected Key Agent client/session.go:204
core@ip-10-xxx-xx-xxx ~ $ ls

and on server side:

2021-11-03T17:29:07Z DEBU [AUTH]      ClientCertPool -> cert(<teleport-cluster-name> issued by <teleport-cluster-name>:328076472922566416763873844844104889916) auth/middleware.go:619
2021-11-03T17:29:07Z DEBU [AUTH]      ClientCertPool -> cert(<teleport-cluster-name> issued by <teleport-cluster-name>:207881821661131457649328474509369657414) auth/middleware.go:619
2021-11-03T17:29:07Z DEBU [AUTH:1]    Server certificate cert(6870e45f-4966-46db-a35b-5e6f3fe08dd2.<teleport-cluster-name> issued by <teleport-cluster-name>:328076472922566416763873844844104889916). auth/middleware.go:300
2021-11-03T17:29:07Z DEBU [RBAC]      Access to node "7d42512b-1dcf-4e1c-8601-9c6e203c4db9" denied, role "test-admin" requires per-session MFA services/role.go:1669
2021-11-03T17:29:08Z DEBU [DYNAMODB]  Got 1 new stream shard records. dynamo/shards.go:231
2021-11-03T17:29:10Z DEBU [KEYGEN]    generated user key for [core] with expiry on (1635960610) 2021-11-03 17:30:10.188318167 +0000 UTC native/native.go:256
2021-11-03T17:29:10Z INFO [CA]        Generating TLS certificate {0x720f790 0xc0010902c0 1.3.9999.1.9=<client-ip-hex>,1.3.9999.1.8=#132466643236323761352d336365332d343037622d613264622d323862386436363462363964,1.3.9999.1.7=<teleport-cluster-name-hex>,1.3.9999.1.3=<kubernetes-cluster-name-hex>,1.3.9999.1.2=<kubernetes-cluster-role-hex,CN=<username>,O=test-admin,POSTALCODE={\"kubernetes_groups\":[\"\"]\,\"kubernetes_users\":[\"\"]\,\"logins\":[\"core\"]},STREET=<teleport-cluster-name>,L=core,ST=system:masters 2021-11-03 17:30:07.978296874 +0000 UTC [] [] 5 []}. common_name:<username> dns_names:[] locality:[core] not_after:2021-11-03 17:30:07.978296874 +0000 UTC org:[test-admin] org_unit:[] tlsca/ca.go:650

(...)
2021-11-03T17:29:11Z INFO [AUDIT]     session.start addr.local:10.xxx.xx.xxx:3022 addr.remote:<client-ip>:54562 cluster_name:<teleport-cluster-name> code:T2000I ei:0 event:session.start login:core namespace:default server_addr:10.xxx.xx.xxx:3022 server_hostname:10.xxx.xx.xxx server_id:7d42512b-1dcf-4e1c-8601-9c6e203c4db9 server_labels:map[role:<redacted>] session_recording:node-sync sid:079bf380-dc7d-425c-ad58-33dcc3cde7e1 size:80:24 time:2021-11-03T17:29:11.68Z uid:5050747a-cad0-489e-a78f-1ad982e62e05 user:<username> events/emitter.go:324

We would have expected this to work the same way on recording proxy mode.

Reproduction Steps

As minimally and precisely as possible, describe step-by-step how to reproduce the problem.

  1. Enable MFA in Teleport 7.3.2 or Teleport 8 alpha
  2. Enable Recording Proxy mode with session_recording: 'proxy-sync'
  3. Verify that Kubernetes service works as expected after MFA challenge
  4. Observe that SSH service fails to work as expected after MFA challenge

Server Details

  • Teleport version (run teleport version): both Teleport 7.3.2 and Teleport 8 alpha (built from master branch at time of writing, Teleport v8.0.0-alpha.1 git:v8.0.0-alpha.1-142-g89a08c439 go1.17.2), the logs above are captured from Teleport 8.
  • Server OS (e.g. from /etc/os-release): Flatcar Container Linux 2512
  • Where are you running Teleport? (e.g. AWS, GCP, Dedicated Hardware): Kubernetes on AWS
  • Additional details:

Client Details

  • Tsh version (tsh version): both Teleport 7.3.2 and Teleport 8 beta (master branch at time of writing), the logs above are captured from Teleport 8 client (Teleport v8.0.0-beta.2 git:v8.0.0-beta.2-0-g8383bdaeb go1.17.2)
  • Computer OS (e.g. Linux, macOS, Windows): Same issues observed on macOS 11.6 and the Ubuntu 20.04 Desktop client seen in above logs
  • Browser version (for UI-related issues): web UI not used
  • Installed via (e.g. apt, yum, brew, website download): website download
  • Additional details:

Debug Logs

Please include or attach debug logs, when appropriate. Obfuscate sensitive information!

  • Start Teleport with --debug flag (teleport --debug)
  • Run tsh with --debug flag (tsh --debug)

Included in behaviour sections above.

Please let me know if you need further information, thank you.

@zmb3 zmb3 added the mfa Issues related to Multi Factor Authentication label Nov 29, 2022
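
A log-triage sketch for the symptom reported above, added here as an example and not part of the original issue or of Teleport's code: it decodes the `#`-hex value of the 1.3.9999.1.8 (MFAVerified) attribute from a `[CA]` line and flags a T3007W "requires MFA" denial that follows for the same user. The sample lines, the user `alice`, the cluster `example`, the `Finding` type, the function names and the one-minute window are assumptions.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample shaped like the report's auth log lines; "alice" and "example" are placeholders.
var sampleLog = []string{
	`2021-11-03T15:49:19Z INFO [CA]        Generating TLS certificate {0x0 0x0 1.3.9999.1.8=#132466643236323761352d336365332d343037622d613264622d323862386436363462363964,CN=alice,O=test-admin 2021-11-03 15:50:17 +0000 UTC [] [] 5 []}. common_name:alice dns_names:[] tlsca/ca.go:650`,
	`2021-11-03T15:49:20Z INFO [AUDIT]     auth code:T3007W ei:0 error:[user alice@example is not authorized to login as core@example: access to resource requires MFA] event:auth login:core success:false user:alice events/emitter.go:324`,
}

var (
	mfaAttr = regexp.MustCompile(`1\.3\.9999\.1\.8=#([0-9a-fA-F]+)`)
	cnField = regexp.MustCompile(` common_name:(\S+)`)
	userFld = regexp.MustCompile(` user:(\S+)`)
)

type Finding struct{ User, MFAVerified string; Issued, Denied time.Time }

// decodeHexAttr decodes an RFC 4514 "#hex" attribute value: the hex is the DER encoding of a string.
func decodeHexAttr(h string) (s string, err error) {
	der, err := hex.DecodeString(h)
	if err != nil {
		return "", err
	}
	_, err = asn1.Unmarshal(der, &s) // accepts PrintableString, UTF8String, IA5String
	return s, err
}

// Correlate flags T3007W "requires MFA" denials that follow, within window, an MFA-verified issuance.
func Correlate(lines []string, window time.Duration) []Finding {
	issued := map[string]Finding{} // latest MFA-verified issuance per user
	var out []Finding
	for _, l := range lines {
		ts, err := time.Parse(time.RFC3339, strings.SplitN(l, " ", 2)[0])
		if err != nil {
			continue // not a timestamped log line
		}
		m, cn, u := mfaAttr.FindStringSubmatch(l), cnField.FindStringSubmatch(l), userFld.FindStringSubmatch(l)
		switch {
		case strings.Contains(l, "[CA]") && m != nil && cn != nil:
			v, err := decodeHexAttr(m[1])
			if err != nil {
				v = "#" + m[1] // keep the raw value if it is not a DER string
			}
			issued[cn[1]] = Finding{User: cn[1], MFAVerified: v, Issued: ts}
		case strings.Contains(l, "code:T3007W") && strings.Contains(l, "requires MFA") && u != nil:
			f, ok := issued[u[1]]
			if d := ts.Sub(f.Issued); ok && d >= 0 && d <= window {
				f.Denied = ts
				out = append(out, f)
			}
		}
	}
	return out
}

func main() {
	for _, f := range Correlate(sampleLog, time.Minute) {
		fmt.Printf("%s: MFAVerified=%s, denied %s after issuance\n", f.User, f.MFAVerified, f.Denied.Sub(f.Issued))
	}
}
```

The attribute value is DER: tag 0x13 (PrintableString), length 0x24, then 36 ASCII characters, so the certificate in the log does carry a non-empty MFAVerified value when the node rejects the login.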