Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[v12] Fix issuing credentials for non SSH protocols #25430

Merged
merged 1 commit into from May 1, 2023
Merged

[v12] Fix issuing credentials for non SSH protocols #25430

merged 1 commit into from May 1, 2023

Conversation

rosstimothy
Copy link
Contributor

@rosstimothy rosstimothy commented May 1, 2023
edited

When MFA is not required for protocols other than SSH tsh needs to fallback to reissuing certificates without MFA instead of preventing access.

Closes #25419

Note: This applies directly to v12 and is not a backport. The issue only exists on branch/v12 and branch/v11 due to incorrectly backporting the logic in #24250 to these branches.

@rosstimothy
Fix issuing credentials for non SSH protocols
c59e283 
When MFA is not required for protocols other than SSH `tsh` needs to
fallback to reissuing certificates without MFA instead of preventing
access.

Closes #25419
@rosstimothy rosstimothy changed the title Fix issuing credentials for non SSH protocols [v12] Fix issuing credentials for non SSH protocols May 1, 2023
rosstimothy
rosstimothy commented May 1, 2023
View reviewed changes
lib/client/client.go
Comment on lines 545 to +554
if !check.Required {
return nil, trace.Wrap(services.ErrSessionMFANotRequired)
log.Debug("MFA not required for access.")
// MFA is not required.
// SSH certs can be used without embedding the node name.
if params.usage() == proto.UserCertsRequest_SSH && key.Cert != nil {
return key, nil
}
// All other targets need their name embedded in the cert for routing,
// fall back to non-MFA reissue.
return proxy.reissueUserCerts(ctx, CertCacheKeep, params)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This now matches the behavior on branch/v13 and master:

teleport/lib/client/client.go

Lines 499 to 509 in a0773f9

if !requiredCheck.Required {
log.Debug("MFA not required for access.")
// MFA is not required.
// SSH certs can be used without embedding the node name.
if params.usage() == proto.UserCertsRequest_SSH && key.Cert != nil {
return key, nil
}
// All other targets need their name embedded in the cert for routing,
// fall back to non-MFA reissue.
return proxy.reissueUserCerts(ctx, CertCacheKeep, params)
}

@rosstimothy rosstimothy marked this pull request as ready for review May 1, 2023 19:25
@rosstimothy rosstimothy added this pull request to the merge queue May 1, 2023
Merged via the queue into branch/v12 with commit dbf40cb May 1, 2023
20 checks passed
@rosstimothy rosstimothy deleted the tross/v12/fix_tsh_kube_creds branch May 1, 2023 21:13
rosstimothy added a commit that referenced this pull request May 4, 2023
@rosstimothy
Fix Web UI error message when host is offline
4e9e540 
This change was missed in #25430
when backporting to v12.

Closes #25648
@rosstimothy rosstimothy mentioned this pull request May 4, 2023
Merged
rosstimothy added a commit that referenced this pull request May 8, 2023
@rosstimothy
Fix Web UI error message when host is offline (#25661)
c6bd7a0 
This change was missed in #25430
when backporting to v12.

Closes #25648
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@r0mant r0mant r0mant approved these changes

@zmb3 zmb3 zmb3 approved these changes

Assignees
No one assigned
Labels
backport size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rosstimothy @r0mant @zmb3