gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Add support for Hardware Key PIN to Teleport Connect #34415

Open Joerger opened 9 months ago

Joerger commented 9 months ago

[Screenshot from 2023-11-09 11-19-27]

Connect already implements an MFA prompt and a passwordless login prompt. The challenge here would be to refactor api/utils/keys/yubikey.go to not use api/utils/prompt directly, but rather accept some kind of an interface, where tsh would use api/utils/prompt and tsh daemon would speak with the Electron app somehow.

That's another thing to figure out. The passwordless login prompt already implements prompting for PIN and picking credentials. However, this is implemented through the Electron app making a bidirectional streaming RPC to tshd. First, a bidirectional stream might not be necessary, since the messages are always sent in a specific order and are finite (this is the case for passwordless login too). Second, from a quick look it seems that for PIV it'd have to be done just like the MFA prompt, where the tshd initiates an RPC to the Electron app. That's because in the case of passwordless login, the user explicitly selects passwordless login as the login option. But PIV is used automatically within TeleportClient.SSHLogin based on a response from the auth server.

ravicious commented 7 months ago

@oshati just reported on Slack a customer running into a problem with hardware_key_touch where on login in Connect they run into "private key policy not met: hardware_key_touch". I was able to reproduce it with both hardware_key_touch and hardware_key.

The docs say that hardware keys are supported in Connect. However, if the process works the way it was described by Brian on Slack, I'm not sure if it ever worked in Connect:

When you set require_session_mfa on the role, there is no way to know the requirement before logging in the first time. So the user tries to log in, gets the error, and then we use the error to determine the role requirement. Then, relogin is initiated to pass the requirement.

lib/teleterm doesn't handle that error in any way AFAIK.

On top of this, during login tsh daemon asks for multiple key taps, but Connect doesn't reflect that in the UI in any way. The login modal assumes that only one tap of the key is needed.


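The error-driven relogin that Brian's description outlines, as an added example in Go that is not Teleport's own code: it pulls the policy name out of the login error quoted in this thread (with or without the gRPC status prefix) and tells the UI which prompts, key taps and PIN, it must be ready for before retrying. PolicyPrompts, ParsePolicyError and PlanRelogin are hypothetical names; the policy values are the ones mentioned in the thread.

```go
package main

import (
	"fmt"
	"regexp"
)

// PolicyPrompts (assumed type, not Teleport's) lists what the login UI must be ready to show.
type PolicyPrompts struct {
	Policy     string
	NeedsTouch bool // key taps, possibly several during one login
	NeedsPIN   bool // an additional PIN prompt
}

// Policy names quoted in the thread; anything else is treated as unknown.
var policyPrompts = map[string]PolicyPrompts{
	"hardware_key":               {Policy: "hardware_key"},
	"hardware_key_touch":         {Policy: "hardware_key_touch", NeedsTouch: true},
	"hardware_key_touch_and_pin": {Policy: "hardware_key_touch_and_pin", NeedsTouch: true, NeedsPIN: true},
}

// Matches the error text quoted in the thread, with or without the "3 INVALID_ARGUMENT: " prefix.
var policyErrRe = regexp.MustCompile(`private key policy not met: ([a-z_]+)`)

// ParsePolicyError returns the policy named in a login error; ok is false for unrelated errors.
func ParsePolicyError(msg string) (policy string, ok bool) {
	m := policyErrRe.FindStringSubmatch(msg)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// PlanRelogin decides whether to retry login with the policy's prompts or surface the error as is.
func PlanRelogin(loginErr error) (PolicyPrompts, error) {
	policy, ok := ParsePolicyError(loginErr.Error())
	if !ok {
		return PolicyPrompts{}, loginErr
	}
	p, known := policyPrompts[policy]
	if !known {
		return PolicyPrompts{}, fmt.Errorf("unsupported private key policy %q: %w", policy, loginErr)
	}
	return p, nil
}

func main() {
	p, err := PlanRelogin(fmt.Errorf("3 INVALID_ARGUMENT: private key policy not met: hardware_key_touch."))
	fmt.Printf("%+v err=%v\n", p, err) // constructed input reproducing the message from the thread
}
```
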
ravicious commented 7 months ago

I imagine the issue was originally opened in the context of hardware_key_touch_and_pin not being supported, since it requires an additional prompt for PIN. But I cannot seem to get the other two options to work in Connect either.

rust0k commented 7 months ago

One more error: "3 INVALID_ARGUMENT: private key policy not met: hardware_key_touch.", but in the policy it is require_session_mfa: hardware_key_touch. Teleport Connect 14.1.5.