Closed zmb3 closed 11 months ago
Headless login is only available with webauthn as noted in the RFD:
Headless authentication, like any login mechanism, can be started by any unauthenticated user. To prevent phishing attacks, we
must prompt the user to acknowledge and approve each headless authentication request with WebAuthn, since WebAuthn
provides strong protection against phishing attacks. Legacy OTP MFA methods will not be supported.
We do support WebAuthn on Windows since @tobiaszheller's work on Windows/Passwordless, so I'd look at how the binaries are built and if WebAuthn.dll or user32.dll are missing (seems pretty unlikely to me).
Could you try `tsh webauthnwin diag`?
Tobiasz may have better input here too.
The output of `tsh webauthnwin diag` is pasted in the description.
@Joerger, yes, webauthn is required for headless login, but only from the machine approving the request, not from the machine running `tsh login --headless`.
The webauthn.dll is definitely present.
@zmb3 @codingllama I am debugging it right now. It seems that WebAuthn.dll is present on Windows Server but it's returning `A device attached to the system is not functioning` and cannot be called. I will post an update when I know why it's returning that error.
Thanks Tobiasz. It may not be supported in virtualized environments, which is fine (though we could probably raise a better error if this is the case).
My intent is actually to use headless here because I can't use webauthn over RDP anyway (yet).
Sorry, I didn't catch the details of this issue the first time around. `tsh --headless login` is not a supported use case; you can only perform `ls`, `ssh`, or `scp`. Right now there is only a debug log, and it defaults back to local password/mfa login.

```go
log.Debug("Headless login is disabled for this command. Only 'tsh ls', 'tsh ssh', and 'tsh scp' are supported. Defaulting to local authentication methods.")
```
I figured there would be some situations where a user would have `$TELEPORT_HEADLESS=true` set, but they'd want to do some other command that doesn't require MFA like normal. This is probably such an edge case that we can return the error instead. WDYT?
Yes, I think the only action here is to surface the error that headless is not available for the login command.
Fixed on master, backports are out, so closing.
On Windows, `tsh login --headless` issues the following error:

This is with `tsh.exe` v13.1.1 from our downloads page:

This is on Windows Server 2022:

I think there are two issues here: