gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

tsh login --headless doesn't work on windows #28045

Closed zmb3 closed 11 months ago

zmb3 commented 1 year ago

On Windows, tsh login --headless issues the following error:

>.\tsh.exe login --proxy teleport.example.com --user zac@example.com --headless
Enter password for Teleport user zac@example.com:
ERROR: hardware device MFA not supported by your platform, please register an OTP device

This is with tsh.exe v13.1.1 from our downloads page:

> tsh.exe version
Teleport v13.1.1 git:api/v13.1.1-0-gef700dd83f go1.20.4

This is on Windows Server 2022:

OS Name:                   Microsoft Windows Server 2022 Datacenter
OS Version:                10.0.20348 N/A Build 20348

I think there are two issues here:

  1. tsh doesn't think webauthn is available (cc @tobiaszheller @codingllama)
  2. even if webauthn is not available, this should not preclude the use of headless login (cc @Joerger)

>.\tsh.exe webauthnwin diag

WebauthnWin available: false
Compile support: true
DLL API version: 0
Has platform UV: false

>.\tsh.exe fido2 diag

FIDO2 available: false
Register successful? false
Login successful? false

Joerger commented 1 year ago

Headless login is only available with webauthn as noted in the RFD:

Headless authentication, like any login mechanism, can be started by any unauthenticated user. To prevent phishing attacks, we must prompt the user to acknowledge and approve each headless authentication request with WebAuthn, since WebAuthn provides strong protection against phishing attacks. Legacy OTP MFA methods will not be supported.

codingllama commented 1 year ago

We do support WebAuthn on Windows since @tobiaszheller's work on Windows/Passwordless, so I'd look at how the binaries are built and if WebAuthn.dll or user32.dll are missing (seems pretty unlikely to me).

Could you try tsh webauthnwin diag ?

Tobiasz may have better input here too.

zmb3 commented 1 year ago

The output of tsh webauthnwin diag is pasted in the description.

@Joerger, yes, webauthn is required for headless login, but only from the machine approving the request, not from the machine running tsh login --headless.

zmb3 commented 1 year ago

The webauthn.dll is definitely present.

tobiaszheller commented 1 year ago

@zmb3 @codingllama I am debugging it right now. It seems that WebAuthn.dll is present on Windows Server but it's returning A device attached to the system is not functioning and cannot be called. I will post an update when I know why it's returning that error.

zmb3 commented 1 year ago

Thanks Tobiasz. It may not be supported in virtualized environments, which is fine (though we could probably raise a better error if this is the case).

My intent is actually to use headless here because I can't use webauthn over RDP anyway (yet).

Joerger commented 1 year ago

Sorry, I didn't catch the details of this issue the first time around. tsh --headless login is not a supported use case; you can only perform ls, ssh, or scp. Right now there is only a debug log, and it defaults back to local password/mfa login.

log.Debug("Headless login is disabled for this command. Only 'tsh ls', 'tsh ssh', and 'tsh scp' are supported. Defaulting to local authentication methods.")

I figured there would be some situations where a user would have $TELEPORT_HEADLESS=true set, but they'd want to do some other command that doesn't require MFA like normal. This is probably such an edge case that we can return the error instead. WDYT?

zmb3 commented 1 year ago

Yes, I think the only action here is to surface the error that headless is not available for the login command.
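The two points agreed on above (headless mode should not consult WebAuthn on the machine running tsh, and an unsupported command should fail with an explicit error instead of quietly downgrading to password/OTP) sketched as an added Go example; this is not Teleport's code, and `SelectAuth`, `AuthMethod` and `ErrHeadlessUnsupported` are hypothetical names chosen for the illustration:

```go
package main

import (
	"errors"
	"fmt"
)

// AuthMethod is the login path a tsh command ends up using.
type AuthMethod int

const (
	AuthLocal    AuthMethod = iota // password plus OTP/WebAuthn prompted on this machine
	AuthHeadless                   // request approved with WebAuthn on a different machine
)

// ErrHeadlessUnsupported is surfaced instead of a debug log and a quiet fallback.
var ErrHeadlessUnsupported = errors.New(
	"headless login is not available for this command; only 'tsh ls', 'tsh ssh', and 'tsh scp' are supported")

// headlessCommands is the allowlist quoted in the thread.
var headlessCommands = map[string]bool{"ls": true, "ssh": true, "scp": true}

// SelectAuth (hypothetical helper) decides how a tsh command authenticates.
// localWebAuthn reports whether WebAuthn works on the machine running tsh; it is
// deliberately not consulted for headless mode, because the WebAuthn approval
// happens on another machine, so a host like the Windows Server above still works.
func SelectAuth(command string, headless, localWebAuthn bool) (AuthMethod, error) {
	if !headless {
		return AuthLocal, nil
	}
	if !headlessCommands[command] {
		// Fail closed with an explicit error rather than downgrading to password/OTP.
		return AuthLocal, fmt.Errorf("tsh %s: %w", command, ErrHeadlessUnsupported)
	}
	return AuthHeadless, nil
}

func main() {
	// Constructed cases: headless ssh (the intended use), headless login (the
	// reported case) and a plain local ls.
	cases := []struct {
		cmd                string
		headless, webauthn bool
	}{{"ssh", true, false}, {"login", true, false}, {"ls", false, true}}
	for _, c := range cases {
		m, err := SelectAuth(c.cmd, c.headless, c.webauthn)
		fmt.Printf("tsh %-5s headless=%-5t webauthn=%-5t -> %s err=%v\n", c.cmd, c.headless, c.webauthn, []string{"local", "headless"}[m], err)
	}
}
```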

codingllama commented 11 months ago

Fixed on master, backports are out, so closing.