gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

TouchID not accepted for MFA Admin actions in CLI #38316

Closed stevenGravy closed 2 months ago

stevenGravy commented 9 months ago

Expected behavior:

MFA confirmation is uniform in Web UI and CLI for admin actions.

Current behavior:

TouchID is accepted in Web UI for confirming admin actions.

In the CLI, without a YubiKey plugged in, the user will get this error. No YubiKey is required to be plugged in for the Web UI.

This is an admin-level action and requires MFA to complete
ERROR: failed to authenticate using available MFA devices
    Webauthn authentication failed
    no security keys found

Bug details:

  1. Register a user with administrative access, such as the editor role
  2. Register a TouchID in CLI and Web UI as an MFA
  3. Attempt to do an admin action such as tctl users add --roles=access test

zmb3 commented 9 months ago

This is expected at this point. We'd need to ship a signed and notarized version of tctl, which is something we only do for tsh right now.