Attempt ssh connections with and without mfa at the same time #23865
Conversation
Force-pushed from 8768a3b to f4bdad9.
lib/client/api.go (outdated)

    clt, err := tc.connectToNodeWithMFA(ctx, proxyClient, nodeDetails, user, details)
    return clt, trace.Wrap(err)
👍 It's so much cleaner now.
Seems that the UT is broken:
{"caller":"web/terminal.go:699","component":"websocket","error":"access denied to root connecting to a31f1bb3-4bdb-4d37-b592-9258578d6bd0:0, close tcp 127.0.0.1:60034-\u003e127.0.0.1:37117: use of closed network connection","level":"warning","message":"Unable to stream terminal - failure connecting to host","session_id":"89ef396c-f46b-4d49-874c-ab2a54720f8c","timestamp":"2023-03-31T13:44:13Z"}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x58ba51e]
goroutine 31640 [running]:
github.com/gravitational/teleport/lib/client.(*NodeClient).RunInteractiveShell(0x0, {0x93c90d8, 0xc01dd3a330}, {0x7af6eaf, 0x4}, {0x0, 0x0})
/__w/teleport/teleport/lib/client/client.go:1604 +0x11e
github.com/gravitational/teleport/lib/web.(*TerminalHandler).streamTerminal(0xc0099338c0, 0xc003ed7520?, 0xc0013c7860?)
/__w/teleport/teleport/lib/web/terminal.go:705 +0x42b
created by github.com/gravitational/teleport/lib/web.(*TerminalHandler).handler
/__w/teleport/teleport/lib/web/terminal.go:425 +0xbfa
FAIL github.com/gravitational/teleport/lib/web 144.483s
===================================================
Makefile:617: recipe for target 'test-go-unit' failed
Force-pushed from 61b4c19 to dc1ff24.
@atburke PTAL
`tsh ssh` would fall back to doing the MFA ceremony if connecting to the node with the already provisioned certificates failed with an access denied error. This incurs the cost of a round trip to the target host when per-session MFA is required. To combat the additional latency when per-session MFA is required, we can attempt both the connection with the certs on hand AND start the per-session MFA flow at the same time. If per-session MFA is not required, the client won't attempt the MFA ceremony, which adds no impact there. If per-session MFA is required, the initial connection to the host is going to fail, so the MFA ceremony will need to be performed anyhow.

For this to work we need to ensure that users are not prompted for MFA if completing the MFA ceremony will not actually help the user gain access to the host. If users just flat out do not have access to the host, we don't want to confuse them by prompting them to touch a hardware key. Since `tsh` first calls `proto.AuthService/IsMFARequired` before initiating the MFA ceremony, we are guaranteed not to initiate the MFA ceremony when not required.
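The race described in the PR body, as an added example that is not Teleport's code: a plain connect with the certs on hand and an MFA path run concurrently, where the MFA path first asks an IsMFARequired stand-in and only then runs the ceremony, so a user who has no access at all is never prompted. `Node`, `Dialer`, `Conn`, the latencies and the `IsMFARequired`/`MFACeremony`/`Connect` methods are constructed for the example and are not the real client API or RPCs.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync/atomic"
	"time"
)

// Constructed stand-ins for the example; not Teleport's real types or RPCs.
type Node struct {
	Name        string
	RequiresMFA bool // per-session MFA is enforced for this node
	UserAllowed bool // the user's roles grant access to this node at all
}

type Conn struct {
	Node    string
	UsedMFA bool
}

var (
	ErrAccessDenied    = errors.New("access denied")
	errMFANotAttempted = errors.New("mfa not required, ceremony skipped") // internal sentinel
)

// Dialer simulates the three remote operations the client needs. Latencies
// are constructed so that a plain connect costs one round trip (20ms).
type Dialer struct {
	prompts int32 // how many times the user was asked to touch a key
}

func (d *Dialer) Prompts() int { return int(atomic.LoadInt32(&d.prompts)) }

// Connect models connecting with the certs on hand (mfaCert=false) or with
// a freshly issued per-session MFA cert (mfaCert=true).
func (d *Dialer) Connect(ctx context.Context, n Node, mfaCert bool) (*Conn, error) {
	select {
	case <-time.After(20 * time.Millisecond):
	case <-ctx.Done():
		return nil, ctx.Err()
	}
	if !n.UserAllowed || (n.RequiresMFA && !mfaCert) {
		return nil, ErrAccessDenied
	}
	return &Conn{Node: n.Name, UsedMFA: mfaCert}, nil
}

// IsMFARequired models proto.AuthService/IsMFARequired: it answers "yes" only
// when completing MFA would actually let this user reach the node.
func (d *Dialer) IsMFARequired(ctx context.Context, n Node) (bool, error) {
	select {
	case <-time.After(5 * time.Millisecond):
	case <-ctx.Done():
		return false, ctx.Err()
	}
	return n.RequiresMFA && n.UserAllowed, nil
}

// MFACeremony models the hardware-key touch and yields an MFA-verified cert.
func (d *Dialer) MFACeremony(ctx context.Context) (bool, error) {
	atomic.AddInt32(&d.prompts, 1)
	select {
	case <-time.After(10 * time.Millisecond):
	case <-ctx.Done():
		return false, ctx.Err()
	}
	return true, nil
}

type result struct {
	conn *Conn
	err  error
}

// ConnectRacing starts the plain connect and the MFA path at the same time.
// The first success wins and the loser is cancelled; a genuine denial from
// the plain path is reported rather than masked by the skipped MFA path.
func ConnectRacing(parent context.Context, d *Dialer, n Node) (*Conn, error) {
	ctx, cancel := context.WithCancel(parent)
	defer cancel()
	results := make(chan result, 2) // buffered so neither goroutine leaks

	go func() { // path 1: certs already on hand
		c, err := d.Connect(ctx, n, false)
		results <- result{c, err}
	}()
	go func() { // path 2: ask first, then ceremony, then connect
		required, err := d.IsMFARequired(ctx, n)
		if err != nil || !required {
			results <- result{nil, errMFANotAttempted}
			return
		}
		cert, err := d.MFACeremony(ctx)
		if err != nil {
			results <- result{nil, err}
			return
		}
		c, err := d.Connect(ctx, n, cert)
		results <- result{c, err}
	}()

	var denied error
	for i := 0; i < 2; i++ {
		r := <-results
		if r.err == nil {
			return r.conn, nil // deferred cancel() stops the other path
		}
		if errors.Is(r.err, errMFANotAttempted) || errors.Is(r.err, context.Canceled) {
			continue
		}
		if denied == nil {
			denied = r.err
		}
	}
	if denied == nil {
		denied = parent.Err()
	}
	return nil, denied
}

func main() {
	d := &Dialer{}
	c, err := ConnectRacing(context.Background(), d, Node{Name: "db-1", RequiresMFA: true, UserAllowed: true})
	fmt.Printf("conn=%+v err=%v prompts=%d\n", c, err, d.Prompts())
}
```

With the constructed latencies the MFA-required case costs one IsMFARequired call plus the ceremony plus one connect, instead of a failed connect followed by all three; the node that does not require MFA never triggers a prompt; and the node the user cannot reach at all returns the plain access denied error with zero prompts.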
Force-pushed from a9174ee to 42ba8a1.
Force-pushed from 42ba8a1 to be99cb6.
@@ -3849,6 +3849,7 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error { | |||
} | |||
|
|||
tlscfg := serverTLSConfig.Clone() | |||
setupTLSConfigClientCAsForCluster(tlscfg, accessPoint, clusterName) |
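Review bot: the clone made on the first added line is handed straight to setupTLSConfigClientCAsForCluster, but nothing in the hunk records which fields that helper writes on tlscfg; the review thread notes it sets ClientAuth to tls.VerifyClientCertIfGiven, so any ClientAuth assignment on the lines immediately after this call will either override the helper or be overridden by it, depending only on ordering. Add a one-line comment above the call stating that it populates the client CA pool and ClientAuth on tlscfg, and set the ClientAuth mode this endpoint actually wants explicitly after the call rather than relying on whichever write happens last.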
Probably not a big deal, but setupTLSConfigClientCAsForCluster sets tlsClone.ClientAuth = tls.VerifyClientCertIfGiven, which conflicts with the next line.
This will cause issues in tests that rely on insecure dev mode. The grpc clients will all be rejected due to a cert signed by unknown authority error and we will fall back to using ssh. I've fixed this in #24195.