Open inthenightsky opened 3 months ago
Can confirm I see this too on 15.4.0, against a 16.0.0 cluster.
Looks fine on master:
➜ tsh login --proxy=proxy.127.0.0.1.nip.io:3080 --user=zac --mfa-mode=otp
Enter password for Teleport user zac:
Enter an OTP code from a device:
tsh login --proxy=proxy.127.0.0.1.nip.io:3080 --user=zac --mfa-mode=otp
I didn't include the --mfa-mode flag in my replication steps.
Including the --mfa-mode=otp flag triggers the prompt as expected, but without it, despite it being required for the cluster, no prompt to enter the OTP code is presented.
On another note, I've updated my cluster & nodes to the latest version and this still occurs.
Does your user have other MFA devices? I had to use the flag because I also have a webauthn device and webauthn is preferred over OTP.
Yeah, I have both a hardware key & authenticator app registered.
I tried without the --mfa-mode flag using a user that only has OTP:
❯ tsh login --proxy=proxy.127.0.0.1.nip.io:3080 --user=otp
Enter password for Teleport user otp:
Enter an OTP code from a device:
> Profile URL: https://proxy.127.0.0.1.nip.io:3080
Logged in as: otp
Cluster: zac-local
Roles: access
Logins: zmb, doesnotexist
Kubernetes: enabled
Kubernetes groups: system:masters
Valid until: 2024-06-17 03:57:24 -0600 MDT [valid for 12h0m0s]
Extensions: login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy
As well as with a user that has OTP and webauthn:
➜ tsh login --proxy=proxy.127.0.0.1.nip.io:3080 --user=zac
Enter password for Teleport user zac:
Tap any security key or enter a code from a OTP device
Detected security key tap
> Profile URL: https://proxy.127.0.0.1.nip.io:3080
Logged in as: zac
Cluster: zac-local
Roles: access, auditor, editor, requester, role-request-approver
Logins: zmb, doesnotexist
Kubernetes: enabled
Kubernetes groups: system:masters
Valid until: 2024-06-17 03:58:52 -0600 MDT [valid for 12h0m0s]
Extensions: login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy
Logs from tsh -d when I'm not prompted:
gus@hades:~$ tsh login --proxy=teleport.example.com --user=gus-local --auth=local -d
2024-06-16T21:59:03-03:00 DEBU [TSH] Web proxy port was not set. Attempting to detect port number to use. common/tsh.go:4224
2024-06-16T21:59:03-03:00 DEBU [TSH] Resolving default proxy port (insecure: false) common/resolve_default_addr.go:113
2024-06-16T21:59:03-03:00 DEBU [TSH] Trying teleport.example.com:3080... common/resolve_default_addr.go:101
2024-06-16T21:59:03-03:00 DEBU [TSH] Proxy address test failed error:[Get "https://teleport.example.com:3080/webapi/ping": dial tcp 3.132.213.182:3080: connect: connection refused] common/resolve_default_addr.go:65
2024-06-16T21:59:03-03:00 DEBU [TSH] Trying teleport.example.com:443... common/resolve_default_addr.go:101
2024-06-16T21:59:04-03:00 DEBU [TSH] Address teleport.example.com:443 succeeded. Selected as canonical proxy address common/resolve_default_addr.go:193
2024-06-16T21:59:04-03:00 DEBU [TSH] Waiting for all in-flight proxy address tests to finish common/resolve_default_addr.go:141
2024-06-16T21:59:04-03:00 INFO [CLIENT] no host login given. defaulting to gus client/api.go:1125
2024-06-16T21:59:04-03:00 WARN [CLIENT] [KEY AGENT] Unable to connect to SSH agent on socket "": dial unix: missing address client/api.go:4838
2024-06-16T21:59:04-03:00 DEBU [TSH] Pinging the proxy to fetch listening addresses for non-web ports. common/tsh.go:3670
2024-06-16T21:59:04-03:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4797
2024-06-16T21:59:04-03:00 DEBU Attempting GET teleport.example.com:443/webapi/ping/local webclient/webclient.go:129
2024-06-16T21:59:04-03:00 DEBU ALPN connection upgrade required for "teleport.example.com:443": false. client/alpn_conn_upgrade.go:95
2024-06-16T21:59:04-03:00 DEBU [CLIENT] Attempting to login with a new RSA private key. client/api.go:4104
Enter password for Teleport user gus-local:
2024-06-16T21:59:24-03:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4797
2024-06-16T21:59:24-03:00 DEBU [CLIENT] HTTPS client init(proxyAddr=teleport.example.com:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-06-16T21:59:24-03:00 DEBU Attempting platform login webauthncli/api.go:168
2024-06-16T21:59:24-03:00 DEBU Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-06-16T21:59:24-03:00 DEBU FIDO2: Using libfido2 for assertion webauthncli/api.go:184
2024-06-16T21:59:24-03:00 DEBU FIDO2: assertion: passwordless=false, uv=false, 3 allowed credentials webauthncli/fido2.go:170
<press enter>
ERROR REPORT:
Original Error: *trace.AccessDeniedError missing second factor
Stack Trace:
Caught:
github.com/gravitational/teleport/lib/httplib/httplib.go:216 github.com/gravitational/teleport/lib/httplib.ConvertResponse
github.com/gravitational/teleport/lib/client/https_client.go:124 github.com/gravitational/teleport/lib/client.(*WebClient).PostJSON
github.com/gravitational/teleport/lib/client/weblogin.go:679 github.com/gravitational/teleport/lib/client.SSHAgentMFALogin
github.com/gravitational/teleport/lib/client/api.go:4244 github.com/gravitational/teleport/lib/client.(*TeleportClient).mfaLocalLogin
github.com/gravitational/teleport/lib/client/api.go:4173 github.com/gravitational/teleport/lib/client.(*TeleportClient).localLogin
github.com/gravitational/teleport/lib/client/api.go:3801 github.com/gravitational/teleport/lib/client.(*TeleportClient).getSSHLoginFunc.func2
github.com/gravitational/teleport/lib/client/api.go:4002 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin.func1
github.com/gravitational/teleport/lib/client/api.go:4049 github.com/gravitational/teleport/lib/client.(*TeleportClient).loginWithHardwareKeyRetry
github.com/gravitational/teleport/lib/client/api.go:4000 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin
github.com/gravitational/teleport/lib/client/api.go:3581 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
github.com/gravitational/teleport/tool/tsh/common/tsh.go:1933 github.com/gravitational/teleport/tool/tsh/common.onLogin
github.com/gravitational/teleport/tool/tsh/common/tsh.go:1408 github.com/gravitational/teleport/tool/tsh/common.Run
github.com/gravitational/teleport/tool/tsh/common/tsh.go:596 github.com/gravitational/teleport/tool/tsh/common.Main
github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
runtime/proc.go:267 runtime.main
runtime/asm_amd64.s:1650 runtime.goexit
User Message: missing second factor
This user has 1 OTP and 3 WebAuthn devices registered.
One other thing I forgot to mention - I'm running tsh 15.4.0 on Linux. When I run tsh 15.4.0 against the same cluster on MacOS, I get prompted correctly. @inthenightsky Can you confirm what OS you're using?
MacOS logs here from tsh 15.4.0 against the same cluster, for posterity:
gus@apollo:~ % tsh -d login --proxy=teleport.example.com --auth=local --user=gus-local
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE] Reading certificates from path "/Users/gus/.tsh/keys/teleport.webvict.im/webvictim-ssh/teleport.webvict.im-cert.pub". client/keystore.go:357
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE] Reading certificates from path "/Users/gus/.tsh/keys/teleport.webvict.im/webvictim-kube/teleport.webvict.im". client/keystore.go:357
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 19:06:02 +0000 UTC". client/client_store.go:111
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE] Reading certificates from path "/Users/gus/.tsh/keys/teleport.example.com/gus@goteleport.com-ssh/purple-cert.pub". client/keystore.go:357
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-14 01:31:05 +0000 UTC". client/client_store.go:111
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE] Reading certificates from path "/Users/gus/.tsh/keys/solutionengs.teleport.sh/gus@goteleport.com-ssh/solutionengs.teleport.sh-cert.pub". client/keystore.go:357
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE] Reading certificates from path "/Users/gus/.tsh/keys/solutionengs.teleport.sh/gus@goteleport.com-kube/solutionengs.teleport.sh". client/keystore.go:357
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-15 02:04:17 +0000 UTC". client/client_store.go:111
2024-06-17T10:18:34-03:00 INFO [CLIENT] ALPN connection upgrade required for "teleport.example.com:443": false. client/api.go:787
2024-06-17T10:18:34-03:00 INFO [CLIENT] no host login given. defaulting to gus client/api.go:1125
2024-06-17T10:18:34-03:00 INFO [CLIENT] [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.uO4paqIfwd/Listeners" client/api.go:4842
2024-06-17T10:18:34-03:00 INFO [TSH] Could not load key for into the local agent. error:[
ERROR REPORT:
Original Error: *trace.NotFoundError no credentials
Stack Trace:
github.com/gravitational/teleport/lib/client/client_store.go:88 github.com/gravitational/teleport/lib/client.init
runtime/proc.go:6735 runtime.doInit1
runtime/proc.go:6702 runtime.doInit
runtime/proc.go:249 runtime.main
runtime/asm_arm64.s:1197 runtime.goexit
User Message: open /Users/gus/.tsh/keys/teleport.example.com/gus-local-x509.pem: no such file or directory
no credentials] common/tsh.go:3663
2024-06-17T10:18:34-03:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4797
2024-06-17T10:18:34-03:00 DEBU Attempting GET teleport.example.com:443/webapi/ping/local webclient/webclient.go:129
2024-06-17T10:18:34-03:00 DEBU ALPN connection upgrade required for "teleport.example.com:443": false. client/alpn_conn_upgrade.go:95
2024-06-17T10:18:34-03:00 DEBU [CLIENT] Attempting to login with a new RSA private key. client/api.go:4104
Enter password for Teleport user gus-local:
2024-06-17T10:18:35-03:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4797
2024-06-17T10:18:35-03:00 DEBU [CLIENT] HTTPS client init(proxyAddr=teleport.example.com:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-06-17T10:18:35-03:00 DEBU Attempting platform login webauthncli/api.go:168
2024-06-17T10:18:35-03:00 DEBU Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-06-17T10:18:35-03:00 DEBU FIDO2: Using libfido2 for assertion webauthncli/api.go:184
2024-06-17T10:18:35-03:00 DEBU FIDO2: assertion: passwordless=false, uv=false, 3 allowed credentials webauthncli/fido2.go:170
Tap any security key or enter a code from a OTP device
2024-06-17T10:18:35-03:00 DEBU FIDO2: Device ioreg://4294972030: info &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"}, Extensions:[]string{"credProtect", "hmac-secret"}, AAGUID:[]uint8{0xee, 0x88, 0x28, 0x79, 0x72, 0x1c, 0x49, 0x13, 0x97, 0x75, 0x3d, 0xfc, 0xce, 0x97, 0x7, 0x2a}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"false"}, libfido2.Option{Name:"credentialMgmtPreview", Value:"true"}}, Protocols:[]uint8{0x1}} webauthncli/fido2.go:805
2024-06-17T10:18:40-03:00 DEBU Captured signal interrupt, attempting to restore terminal state prompt/context_reader.go:202
2024-06-17T10:18:40-03:00 DEBU FIDO2: Cancel device ioreg://4294972030, err=<nil> webauthncli/fido2.go:771
2024-06-17T10:18:40-03:00 DEBU FIDO2: Device ioreg://4294972030: callback returned, requiresPIN=false, err=failed to get assertion: keep alive cancel webauthncli/fido2.go:828
2024-06-17T10:18:40-03:00 DEBU FIDO2: Close device ioreg://4294972030, err=<nil> webauthncli/fido2.go:787
2024-06-17T10:18:40-03:00 DEBU FIDO2: Device goroutines exited cleanly webauthncli/fido2.go:633
ERROR REPORT:
Original Error: trace.aggregate TOTP authentication failed
failed reading prompt response
context canceled, Webauthn authentication failed
context canceled
Stack Trace:
github.com/gravitational/teleport/lib/client/mfa/prompt.go:164 github.com/gravitational/teleport/lib/client/mfa.HandleMFAPromptGoroutines
github.com/gravitational/teleport/lib/client/mfa/cli.go:110 github.com/gravitational/teleport/lib/client/mfa.(*CLIPrompt).Run
github.com/gravitational/teleport/lib/client/weblogin.go:654 github.com/gravitational/teleport/lib/client.SSHAgentMFALogin
github.com/gravitational/teleport/lib/client/api.go:4244 github.com/gravitational/teleport/lib/client.(*TeleportClient).mfaLocalLogin
github.com/gravitational/teleport/lib/client/api.go:4173 github.com/gravitational/teleport/lib/client.(*TeleportClient).localLogin
github.com/gravitational/teleport/lib/client/api.go:3801 github.com/gravitational/teleport/lib/client.(*TeleportClient).getSSHLoginFunc.func2
github.com/gravitational/teleport/lib/client/api.go:4002 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin.func1
github.com/gravitational/teleport/lib/client/api.go:4049 github.com/gravitational/teleport/lib/client.(*TeleportClient).loginWithHardwareKeyRetry
github.com/gravitational/teleport/lib/client/api.go:4000 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin
github.com/gravitational/teleport/lib/client/api.go:3581 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
github.com/gravitational/teleport/tool/tsh/common/tsh.go:1933 github.com/gravitational/teleport/tool/tsh/common.onLogin
github.com/gravitational/teleport/tool/tsh/common/tsh.go:1408 github.com/gravitational/teleport/tool/tsh/common.Run
github.com/gravitational/teleport/tool/tsh/common/tsh.go:596 github.com/gravitational/teleport/tool/tsh/common.Main
github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
runtime/proc.go:267 runtime.main
runtime/asm_arm64.s:1197 runtime.goexit
User Message: failed to authenticate using available MFA devices
TOTP authentication failed
failed reading prompt response
context canceled, Webauthn authentication failed
context canceled
That's very odd!
I'm on MacOS Sonoma 14.5 primarily, however I can replicate this on both Ubuntu 24.04 LTS & Ubuntu 22.04.4 LTS.
The below log was taken from Ubuntu 22.04.4 LTS.
root@server:~# tsh version
Teleport v16.0.0 git:v16.0.0-0-gbb8b73a2 go1.22.4
Proxy version: 16.0.0
Proxy: teleport.snipped.tld:443
root@server:~# tsh login --proxy=teleport.snipped.tld --user=user -d
2024-06-17T15:09:59Z DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/teleport.snipped.tld/user-ssh/teleport.snipped.tld-cert.pub". client/keystore.go:357
2024-06-17T15:09:59Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 03:11:27 +0000 UTC". client/client_store.go:111
2024-06-17T15:09:59Z INFO [CLIENT] ALPN connection upgrade required for "teleport.snipped.tld:443": false. client/api.go:817
2024-06-17T15:09:59Z INFO [CLIENT] no host login given. defaulting to root client/api.go:1159
2024-06-17T15:09:59Z INFO [CLIENT] [KEY AGENT] Connected to the system agent: "/tmp/teleport-3307219702/teleport-1594.socket" client/api.go:4496
2024-06-17T15:09:59Z DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/teleport.snipped.tld/user-ssh/teleport.snipped.tld-cert.pub". client/keystore.go:357
2024-06-17T15:09:59Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 03:11:27 +0000 UTC". client/client_store.go:111
2024-06-17T15:09:59Z INFO [KEYAGENT] Loading SSH key for user "user" and cluster "teleport.snipped.tld". client/keyagent.go:198
2024-06-17T15:09:59Z DEBU [CLIENT] not using loopback pool for remote proxy addr: teleport.snipped.tld:443 client/api.go:4451
2024-06-17T15:09:59Z DEBU Attempting request to Proxy web api method:GET host:teleport.snipped.tld:443 path:/webapi/ping trace_id:8ef035b70ef00dab01113ddf0b7832d6 span_id:d2d93ce25d794985 webclient/webclient.go:131
2024-06-17T15:09:59Z DEBU ALPN connection upgrade test complete address:teleport.snipped.tld:443 upgrade_required:false trace_id:8ef035b70ef00dab01113ddf0b7832d6 span_id:d2d93ce25d794985 client/alpn_conn_upgrade.go:96
2024-06-17T15:09:59Z DEBU [CLIENT] Attempting to login with a new RSA private key. client/api.go:3757
Enter password for Teleport user user:
2024-06-17T15:10:08Z DEBU [CLIENT] not using loopback pool for remote proxy addr: teleport.snipped.tld:443 client/api.go:4451
2024-06-17T15:10:08Z DEBU [CLIENT] HTTPS client init(proxyAddr=teleport.snipped.tld:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-06-17T15:10:08Z DEBU Attempting platform login webauthncli/api.go:168
2024-06-17T15:10:08Z DEBU Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-06-17T15:10:08Z DEBU FIDO2: Using libfido2 for assertion webauthncli/api.go:184
2024-06-17T15:10:08Z DEBU FIDO2: assertion: passwordless=false, uv=false, 1 allowed credentials webauthncli/fido2.go:170
**OTP ENTERED - this line was manually entered, and not printed by debug.**
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 03:11:27 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYAGENT] Deleting obsolete stored key with index {ProxyHost:teleport.snipped.tld Username:user ClusterName:teleport.snipped.tld}. client/keyagent.go:555
2024-06-17T15:10:20Z DEBU [KEYSTORE] Adding known host teleport.snipped.tld with proxy teleport.snipped.tld client/trusted_certs_store.go:395
2024-06-17T15:10:20Z INFO [KEYAGENT] Loading SSH key for user "user" and cluster "teleport.snipped.tld". client/keyagent.go:198
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE] Adding known host teleport.snipped.tld with proxy teleport.snipped.tld client/trusted_certs_store.go:395
2024-06-17T15:10:20Z DEBU [CLIENT] Device Trust: skipping device authentication, device trust disabled client/api.go:3307
2024-06-17T15:10:20Z DEBU [KEYSTORE] Reading certificates from path "/root/.tsh/keys/teleport.snipped/user-ssh/teleport.snipped.tld-cert.pub". client/keystore.go:357
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
> Profile URL: https://teleport.snipped.tld:443
Logged in as: user
Cluster: teleport.snipped.tld
Roles: access, administrator, editor
Traits: kubernetes_groups: []
azure_identities: []
db_names: []
db_roles: []
db_users: []
gcp_service_accounts: []
host_user_gid: []
host_user_uid: []
kubernetes_users: []
aws_role_arns: [arn:aws:iam::111111111111:role/teleport.role.admin arn:aws:iam::111111111111:role/teleport.role.readonly]
windows_logins: []
logins: [root]
Logins: snipped
Kubernetes: enabled
Kubernetes users: dev
Kubernetes groups: developer
Valid until: 2024-06-17 23:10:20 +0000 UTC [valid for 8h0m0s]
Extensions: login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy
Hopefully that helps?
Observing the same on my SaaS cluster with v15.4.7 tsh and 15.4.9 proxy on MacOS.
paulschisa:~$ tsh login --proxy=schisa.teleport.sh --auth=local --user=paul.schisa@gmail.com -d
2024-07-24T09:54:57-04:00 DEBU [TSH] Web proxy port was not set. Attempting to detect port number to use. common/tsh.go:4246
2024-07-24T09:54:57-04:00 DEBU [TSH] Resolving default proxy port (insecure: false) common/resolve_default_addr.go:113
2024-07-24T09:54:57-04:00 DEBU [TSH] Trying schisa.teleport.sh:3080... common/resolve_default_addr.go:101
2024-07-24T09:54:57-04:00 DEBU [TSH] Trying schisa.teleport.sh:443... common/resolve_default_addr.go:101
2024-07-24T09:54:58-04:00 DEBU [TSH] Address schisa.teleport.sh:443 succeeded. Selected as canonical proxy address common/resolve_default_addr.go:193
2024-07-24T09:54:58-04:00 DEBU [TSH] Waiting for all in-flight proxy address tests to finish common/resolve_default_addr.go:141
2024-07-24T09:54:58-04:00 DEBU [TSH] Proxy address test failed error:[Get "https://schisa.teleport.sh:3080/webapi/ping": context canceled] common/resolve_default_addr.go:65
2024-07-24T09:54:58-04:00 INFO [CLIENT] [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.4LkjtU9vI4/Listeners" client/api.go:4850
2024-07-24T09:54:58-04:00 DEBU [TSH] Pinging the proxy to fetch listening addresses for non-web ports. common/tsh.go:3691
2024-07-24T09:54:58-04:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: schisa.teleport.sh:443 client/api.go:4805
2024-07-24T09:54:58-04:00 DEBU Attempting GET schisa.teleport.sh:443/webapi/ping/local webclient/webclient.go:130
2024-07-24T09:54:58-04:00 DEBU ALPN connection upgrade required for "schisa.teleport.sh:443": false. client/alpn_conn_upgrade.go:95
2024-07-24T09:54:58-04:00 DEBU [CLIENT] Attempting to login with a new RSA private key. client/api.go:4112
Enter password for Teleport user paul.schisa@gmail.com:
2024-07-24T09:55:03-04:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: schisa.teleport.sh:443 client/api.go:4805
2024-07-24T09:55:03-04:00 DEBU [CLIENT] HTTPS client init(proxyAddr=schisa.teleport.sh:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-07-24T09:55:04-04:00 DEBU Attempting platform login webauthncli/api.go:168
2024-07-24T09:55:04-04:00 DEBU Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-07-24T09:55:04-04:00 DEBU FIDO2: Using libfido2 for assertion webauthncli/api.go:183
2024-07-24T09:55:04-04:00 DEBU FIDO2: assertion: passwordless=false, uv=false, 1 allowed credentials webauthncli/fido2.go:167
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Adding known host schisa.teleport.sh with proxy schisa.teleport.sh client/trusted_certs_store.go:395
2024-07-24T09:55:08-04:00 INFO [KEYAGENT] Loading SSH key for user "paul.schisa@gmail.com" and cluster "schisa.teleport.sh". client/keyagent.go:198
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Adding known host schisa.teleport.sh with proxy schisa.teleport.sh client/trusted_certs_store.go:395
2024-07-24T09:55:08-04:00 DEBU [CLIENT] Device Trust: Skipping device authentication, device key not found client/api.go:3676
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Reading certificates from path "/Users/paulschisa/.tsh/keys/schisa.teleport.sh/paul.schisa@gmail.com-ssh/schisa.teleport.sh-cert.pub". client/keystore.go:357
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE] Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
> Profile URL: https://schisa.teleport.sh:443
Logged in as: paul.schisa@gmail.com
Cluster: schisa.teleport.sh
Roles: test-dacadoo-requester
Kubernetes: enabled
Valid until: 2024-07-24 17:55:08 -0400 EDT [valid for 8h0m0s]
Extensions: login-ip, permit-port-forwarding, permit-pty, private-key-policy
paulschisa:~$ tsh version
Teleport v15.4.7 git:v15.4.7-0-g2611484 go1.22.5
Proxy version: 15.4.9
Proxy: schisa.teleport.sh:443
This seems okay now in more recent versions. You'll default to a hardware key if specified, however similar behaviour can be observed if you try to proxy an app.
Unsure if this deserves to be its own issue or not, but will leave it up for discussion.
Before starting, ensure your role is configured to mandate per-session MFA.
1) Log in to Teleport as normal (tsh login --user username --mfa-mode=otp)
2) Initiate an app proxy (tsh proxy app app-name --mfa-mode=otp)
Notice that once a valid OTP is given, the connection to the desired proxied app is successful. This can be observed in closer depth by adding the --debug flag, showing certificates getting issued subsequently, despite no prompt showing the authentication was successful.
I just got into the same issue
Cluster running master and signed tsh running 16.4.2 on MacOS (15.0).
I have two MFAs configured: Authenticator App and Hardware Key.
When I login using tsh login --proxy=$PROXY --user=$USER
I get asked for the password but no feedback after I press enter. I had to put the TOTP from the Authenticator App for the login to succeed.
This is really confusing.
After building tsh from master (see commit above), it is now asking for the OTP.
So, this was probably fixed already 🤔
Expected behavior:
Current behavior:
Bug details:
I've noticed when logging into my cluster (Teleport version: 15.4.0), it doesn't prompt for 2FA when it is required.
You will enter your password as normal, however the terminal will stay the same until you either provide a 2FA code, enter an invalid 2FA code or press enter (causing the login to fail). Entering the 2FA code despite not being prompted will log the user in as expected.
It's just that the terminal isn't prompting that there's another step that needs to take place.
Recreation steps:
tsh login --proxy=yourcluster.teleport.sh --user demo
(this assumes the user demo has 2FA enforced & enrolled)
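An added model (not Teleport's code) of the prompt fan-out that the stack traces in this thread point at (HandleMFAPromptGoroutines / CLIPrompt.Run): a TOTP goroutine reads stdin while a WebAuthn goroutine waits for a key tap, and the combined prompt line is either printed before the read or, as reported above, never printed at all. The webauthnFn stub, the showPrompt switch and the error strings are assumptions chosen to mirror the messages quoted in the logs.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// mfaResult is what the prompt hands back: which method answered and its value.
type mfaResult struct {
	Method string // "totp" or "webauthn"
	Value  string // the OTP code, or a stand-in credential id for a key tap
}

// webauthnFn stands in for the libfido2 assertion call: it blocks until a key
// is tapped or the context is cancelled. Hypothetical stub, not Teleport's API.
type webauthnFn func(ctx context.Context) (string, error)

type outcome struct {
	method string
	res    mfaResult
	err    error
}

// runMFAPrompt fans out to a TOTP goroutine (one line from stdin) and a
// WebAuthn goroutine (a tap). A stdin answer is always final, even a bare
// enter, which is why pressing enter fails the login; a WebAuthn failure
// (no device) is not final and leaves the stdin read running. With showPrompt
// false the prompt line is never printed: the silent read this thread describes.
func runMFAPrompt(ctx context.Context, stdin io.Reader, stdout io.Writer, wa webauthnFn, showPrompt bool) (mfaResult, error) {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel() // stops the losing WebAuthn branch on return

	if showPrompt {
		fmt.Fprintln(stdout, "Tap any security key or enter a code from a OTP device")
	}
	results := make(chan outcome, 2) // buffered so the loser never blocks

	go func() { // TOTP branch
		line, err := bufio.NewReader(stdin).ReadString('\n')
		code := strings.TrimSpace(line)
		switch {
		case code == "" && err != nil:
			results <- outcome{method: "totp", err: fmt.Errorf("TOTP authentication failed: failed reading prompt response: %w", err)}
		case code == "":
			results <- outcome{method: "totp", err: errors.New("missing second factor")}
		default:
			results <- outcome{method: "totp", res: mfaResult{Method: "totp", Value: code}}
		}
	}()

	go func() { // WebAuthn branch
		id, err := wa(ctx)
		if err != nil {
			results <- outcome{method: "webauthn", err: fmt.Errorf("Webauthn authentication failed: %w", err)}
			return
		}
		results <- outcome{method: "webauthn", res: mfaResult{Method: "webauthn", Value: id}}
	}()

	var errs []error
	for i := 0; i < 2; i++ {
		o := <-results
		if o.err == nil {
			return o.res, nil
		}
		errs = append(errs, o.err)
		if o.method == "totp" {
			return mfaResult{}, errors.Join(errs...) // stdin answered: final
		}
	}
	return mfaResult{}, errors.Join(errs...)
}

func main() {
	// Interactive demo: no security key is ever detected, so only stdin can answer.
	noKey := func(ctx context.Context) (string, error) { <-ctx.Done(); return "", ctx.Err() }
	res, err := runMFAPrompt(context.Background(), os.Stdin, os.Stdout, noKey, true)
	if err != nil {
		fmt.Println("login failed:", err)
		return
	}
	fmt.Printf("authenticated via %s\n", res.Method)
}
```

Running it with showPrompt set to false reproduces the reported experience: the program waits on stdin with nothing on screen, a typed code still succeeds, and a bare enter fails with "missing second factor".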