gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

tsh failing to prompt user to provide 2FA #43072

Open inthenightsky opened 3 months ago

inthenightsky commented 3 months ago

Expected behavior:

Current behavior:

Bug details:

I've noticed when logging into my cluster (Teleport version: 15.4.0), it doesn't prompt for 2FA when it is required.

exampleuser@mbp ~ % tsh login --proxy=example.acme.org --user inthenightsky
Enter password for Teleport user inthenightsky:

You will enter your password as normal, however the terminal will stay the same until you either provide a 2FA code, enter an invalid 2FA code or press enter (causing the login to fail). Entering the 2FA code despite not being prompted will log the user in as expected.

It's just that the terminal isn't prompting that there's another step that needs to take place.

Recreation steps:

webvictim commented 3 months ago

Can confirm I see this too on 15.4.0, against a 16.0.0 cluster.

zmb3 commented 3 months ago

Looks fine on master:

➜ tsh login --proxy=proxy.127.0.0.1.nip.io:3080 --user=zac --mfa-mode=otp
Enter password for Teleport user zac:
Enter an OTP code from a device:

inthenightsky commented 3 months ago

tsh login --proxy=proxy.127.0.0.1.nip.io:3080 --user=zac --mfa-mode=otp

I didn't include the --mfa-mode flag in my replication steps.

Including the --mfa-mode=otp flag triggers the prompt as expected, but without it, despite it being required for the cluster, no prompt to enter the OTP code is presented.

On another note, I've updated my cluster & nodes to the latest version and this still occurs.

zmb3 commented 3 months ago

Does your user have other MFA devices? I had to use the flag because I also have a webauthn device and webauthn is preferred over OTP.

inthenightsky commented 3 months ago

Yeah, I have both a hardware key & authenticator app registered.

zmb3 commented 3 months ago

I tried without the --mfa-mode flag using a user that only has OTP:

❯ tsh login --proxy=proxy.127.0.0.1.nip.io:3080 --user=otp
Enter password for Teleport user otp:
Enter an OTP code from a device:
> Profile URL:        https://proxy.127.0.0.1.nip.io:3080
  Logged in as:       otp
  Cluster:            zac-local
  Roles:              access
  Logins:             zmb, doesnotexist
  Kubernetes:         enabled
  Kubernetes groups:  system:masters
  Valid until:        2024-06-17 03:57:24 -0600 MDT [valid for 12h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

As well as with a user that has OTP and webuauthn:

➜ tsh login --proxy=proxy.127.0.0.1.nip.io:3080 --user=zac
Enter password for Teleport user zac:
Tap any security key or enter a code from a OTP device
Detected security key tap
> Profile URL:        https://proxy.127.0.0.1.nip.io:3080
  Logged in as:       zac
  Cluster:            zac-local
  Roles:              access, auditor, editor, requester, role-request-approver
  Logins:             zmb, doesnotexist
  Kubernetes:         enabled
  Kubernetes groups:  system:masters
  Valid until:        2024-06-17 03:58:52 -0600 MDT [valid for 12h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

webvictim commented 3 months ago

Logs from tsh -d when I'm not prompted:

gus@hades:~$ tsh login --proxy=teleport.example.com --user=gus-local --auth=local -d
2024-06-16T21:59:03-03:00 DEBU [TSH]       Web proxy port was not set. Attempting to detect port number to use. common/tsh.go:4224
2024-06-16T21:59:03-03:00 DEBU [TSH]       Resolving default proxy port (insecure: false) common/resolve_default_addr.go:113
2024-06-16T21:59:03-03:00 DEBU [TSH]       Trying teleport.example.com:3080... common/resolve_default_addr.go:101
2024-06-16T21:59:03-03:00 DEBU [TSH]       Proxy address test failed error:[Get "https://teleport.example.com:3080/webapi/ping": dial tcp 3.132.213.182:3080: connect: connection refused] common/resolve_default_addr.go:65
2024-06-16T21:59:03-03:00 DEBU [TSH]       Trying teleport.example.com:443... common/resolve_default_addr.go:101
2024-06-16T21:59:04-03:00 DEBU [TSH]       Address teleport.example.com:443 succeeded. Selected as canonical proxy address common/resolve_default_addr.go:193
2024-06-16T21:59:04-03:00 DEBU [TSH]       Waiting for all in-flight proxy address tests to finish common/resolve_default_addr.go:141
2024-06-16T21:59:04-03:00 INFO [CLIENT]    no host login given. defaulting to gus client/api.go:1125
2024-06-16T21:59:04-03:00 WARN [CLIENT]    [KEY AGENT] Unable to connect to SSH agent on socket "": dial unix: missing address client/api.go:4838
2024-06-16T21:59:04-03:00 DEBU [TSH]       Pinging the proxy to fetch listening addresses for non-web ports. common/tsh.go:3670
2024-06-16T21:59:04-03:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4797
2024-06-16T21:59:04-03:00 DEBU             Attempting GET teleport.example.com:443/webapi/ping/local webclient/webclient.go:129
2024-06-16T21:59:04-03:00 DEBU             ALPN connection upgrade required for "teleport.example.com:443": false. client/alpn_conn_upgrade.go:95
2024-06-16T21:59:04-03:00 DEBU [CLIENT]    Attempting to login with a new RSA private key. client/api.go:4104
Enter password for Teleport user gus-local:
2024-06-16T21:59:24-03:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4797
2024-06-16T21:59:24-03:00 DEBU [CLIENT]    HTTPS client init(proxyAddr=teleport.example.com:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-06-16T21:59:24-03:00 DEBU             Attempting platform login webauthncli/api.go:168
2024-06-16T21:59:24-03:00 DEBU             Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-06-16T21:59:24-03:00 DEBU             FIDO2: Using libfido2 for assertion webauthncli/api.go:184
2024-06-16T21:59:24-03:00 DEBU             FIDO2: assertion: passwordless=false, uv=false, 3 allowed credentials webauthncli/fido2.go:170

<press enter>

ERROR REPORT:
Original Error: *trace.AccessDeniedError missing second factor
Stack Trace:

Caught:
        github.com/gravitational/teleport/lib/httplib/httplib.go:216 github.com/gravitational/teleport/lib/httplib.ConvertResponse
        github.com/gravitational/teleport/lib/client/https_client.go:124 github.com/gravitational/teleport/lib/client.(*WebClient).PostJSON
        github.com/gravitational/teleport/lib/client/weblogin.go:679 github.com/gravitational/teleport/lib/client.SSHAgentMFALogin
        github.com/gravitational/teleport/lib/client/api.go:4244 github.com/gravitational/teleport/lib/client.(*TeleportClient).mfaLocalLogin
        github.com/gravitational/teleport/lib/client/api.go:4173 github.com/gravitational/teleport/lib/client.(*TeleportClient).localLogin
        github.com/gravitational/teleport/lib/client/api.go:3801 github.com/gravitational/teleport/lib/client.(*TeleportClient).getSSHLoginFunc.func2
        github.com/gravitational/teleport/lib/client/api.go:4002 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin.func1
        github.com/gravitational/teleport/lib/client/api.go:4049 github.com/gravitational/teleport/lib/client.(*TeleportClient).loginWithHardwareKeyRetry
        github.com/gravitational/teleport/lib/client/api.go:4000 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin
        github.com/gravitational/teleport/lib/client/api.go:3581 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
        github.com/gravitational/teleport/tool/tsh/common/tsh.go:1933 github.com/gravitational/teleport/tool/tsh/common.onLogin
        github.com/gravitational/teleport/tool/tsh/common/tsh.go:1408 github.com/gravitational/teleport/tool/tsh/common.Run
        github.com/gravitational/teleport/tool/tsh/common/tsh.go:596 github.com/gravitational/teleport/tool/tsh/common.Main
        github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
        runtime/proc.go:267 runtime.main
        runtime/asm_amd64.s:1650 runtime.goexit
User Message: missing second factor

This user has 1 OTP and 3 WebAuthn devices registered.
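The thread's diagnostic method is to compare `tsh -d` transcripts: in the failing runs tsh reaches the `FIDO2: assertion ... N allowed credentials` line (so it is blocked waiting on a second factor) without ever printing a visible prompt, and pressing enter yields `missing second factor`. The following is an added triage helper, not part of Teleport or tsh; `triageTSHLog`, `LoginTrace` and `silentWait` are hypothetical names, and the two transcripts are constructed, abridged from the shape of the logs posted in this thread.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// LoginTrace is what triageTSHLog extracts from one `tsh -d login` transcript.
type LoginTrace struct {
	PasswordPrompted   bool
	PlatformFallback   string // reason tsh gave for leaving the platform authenticator
	FIDO2Credentials   int    // N from "FIDO2: assertion: ... N allowed credentials"
	SecondFactorPrompt bool   // a visible MFA prompt line was printed
	Outcome            string // "logged-in", "missing-second-factor", "cancelled" or "unknown"
}

var (
	reFallback  = regexp.MustCompile(`falling back to cross-platform error:\[(.*?)\]`)
	reAssert    = regexp.MustCompile(`FIDO2: assertion: .*?(\d+) allowed credentials`)
	reMFAPrompt = regexp.MustCompile(`^(Tap any security key|Enter an OTP code)`)
)

// triageTSHLog walks a transcript line by line and records the MFA-relevant events.
func triageTSHLog(transcript string) LoginTrace {
	tr := LoginTrace{Outcome: "unknown"}
	sc := bufio.NewScanner(strings.NewReader(transcript))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "Enter password for Teleport user"):
			tr.PasswordPrompted = true
		case reMFAPrompt.MatchString(line):
			tr.SecondFactorPrompt = true
		case strings.HasPrefix(line, "> Profile URL:"):
			tr.Outcome = "logged-in"
		case strings.Contains(line, "missing second factor"):
			tr.Outcome = "missing-second-factor"
		case strings.Contains(line, "Captured signal interrupt"):
			tr.Outcome = "cancelled"
		default:
			if m := reFallback.FindStringSubmatch(line); m != nil {
				tr.PlatformFallback = m[1]
			} else if m := reAssert.FindStringSubmatch(line); m != nil {
				tr.FIDO2Credentials, _ = strconv.Atoi(m[1])
			}
		}
	}
	return tr
}

// silentWait is the condition this thread is about: tsh started a FIDO2 assertion
// (so it is blocked waiting for a second factor) but never printed a prompt for it.
func silentWait(tr LoginTrace) bool {
	return tr.FIDO2Credentials > 0 && !tr.SecondFactorPrompt
}

// Constructed transcripts (not real captures), abridged from the logs in this thread.
const silentLinuxLog = `gus@hades:~$ tsh login --proxy=teleport.example.com --user=gus-local --auth=local -d
Enter password for Teleport user gus-local:
2024-06-16T21:59:24-03:00 DEBU             Attempting platform login webauthncli/api.go:168
2024-06-16T21:59:24-03:00 DEBU             Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-06-16T21:59:24-03:00 DEBU             FIDO2: assertion: passwordless=false, uv=false, 3 allowed credentials webauthncli/fido2.go:170
ERROR REPORT:
Original Error: *trace.AccessDeniedError missing second factor`

const promptedMacLog = `Enter password for Teleport user gus-local:
2024-06-17T10:18:35-03:00 DEBU             Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-06-17T10:18:35-03:00 DEBU             FIDO2: assertion: passwordless=false, uv=false, 3 allowed credentials webauthncli/fido2.go:170
Tap any security key or enter a code from a OTP device
> Profile URL:        https://teleport.example.com:443`

func main() {
	for name, log := range map[string]string{"linux": silentLinuxLog, "macos": promptedMacLog} {
		tr := triageTSHLog(log)
		fmt.Printf("%s: %+v silentWait=%v\n", name, tr, silentWait(tr))
	}
}
```

Run over the Linux transcript the helper reports a FIDO2 assertion with three allowed credentials, no prompt line, and a `missing-second-factor` outcome, which is exactly the silent-wait signature; the macOS transcript has the same assertion line but a prompt and a successful login.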

webvictim commented 3 months ago

One other thing I forgot to mention - I'm running tsh 15.4.0 on Linux. When I run tsh 15.4.0 against the same cluster on MacOS, I get prompted correctly. @inthenightsky Can you confirm what OS you're using?

webvictim commented 3 months ago

MacOS logs here from tsh 15.4.0 against the same cluster, for posterity:

gus@apollo:~ % tsh -d login --proxy=teleport.example.com --auth=local --user=gus-local
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE]  Reading certificates from path "/Users/gus/.tsh/keys/teleport.webvict.im/webvictim-ssh/teleport.webvict.im-cert.pub". client/keystore.go:357
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE]  Reading certificates from path "/Users/gus/.tsh/keys/teleport.webvict.im/webvictim-kube/teleport.webvict.im". client/keystore.go:357
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 19:06:02 +0000 UTC". client/client_store.go:111
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE]  Reading certificates from path "/Users/gus/.tsh/keys/teleport.example.com/gus@goteleport.com-ssh/purple-cert.pub". client/keystore.go:357
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-14 01:31:05 +0000 UTC". client/client_store.go:111
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE]  Reading certificates from path "/Users/gus/.tsh/keys/solutionengs.teleport.sh/gus@goteleport.com-ssh/solutionengs.teleport.sh-cert.pub". client/keystore.go:357
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE]  Reading certificates from path "/Users/gus/.tsh/keys/solutionengs.teleport.sh/gus@goteleport.com-kube/solutionengs.teleport.sh". client/keystore.go:357
2024-06-17T10:18:34-03:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-15 02:04:17 +0000 UTC". client/client_store.go:111
2024-06-17T10:18:34-03:00 INFO [CLIENT]    ALPN connection upgrade required for "teleport.example.com:443": false. client/api.go:787
2024-06-17T10:18:34-03:00 INFO [CLIENT]    no host login given. defaulting to gus client/api.go:1125
2024-06-17T10:18:34-03:00 INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.uO4paqIfwd/Listeners" client/api.go:4842
2024-06-17T10:18:34-03:00 INFO [TSH]       Could not load key for  into the local agent. error:[
ERROR REPORT:
Original Error: *trace.NotFoundError no credentials
Stack Trace:
    github.com/gravitational/teleport/lib/client/client_store.go:88 github.com/gravitational/teleport/lib/client.init
    runtime/proc.go:6735 runtime.doInit1
    runtime/proc.go:6702 runtime.doInit
    runtime/proc.go:249 runtime.main
    runtime/asm_arm64.s:1197 runtime.goexit
User Message: open /Users/gus/.tsh/keys/teleport.example.com/gus-local-x509.pem: no such file or directory
    no credentials] common/tsh.go:3663
2024-06-17T10:18:34-03:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4797
2024-06-17T10:18:34-03:00 DEBU             Attempting GET teleport.example.com:443/webapi/ping/local webclient/webclient.go:129
2024-06-17T10:18:34-03:00 DEBU             ALPN connection upgrade required for "teleport.example.com:443": false. client/alpn_conn_upgrade.go:95
2024-06-17T10:18:34-03:00 DEBU [CLIENT]    Attempting to login with a new RSA private key. client/api.go:4104
Enter password for Teleport user gus-local:
2024-06-17T10:18:35-03:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4797
2024-06-17T10:18:35-03:00 DEBU [CLIENT]    HTTPS client init(proxyAddr=teleport.example.com:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-06-17T10:18:35-03:00 DEBU             Attempting platform login webauthncli/api.go:168
2024-06-17T10:18:35-03:00 DEBU             Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-06-17T10:18:35-03:00 DEBU             FIDO2: Using libfido2 for assertion webauthncli/api.go:184
2024-06-17T10:18:35-03:00 DEBU             FIDO2: assertion: passwordless=false, uv=false, 3 allowed credentials webauthncli/fido2.go:170
Tap any security key or enter a code from a OTP device
2024-06-17T10:18:35-03:00 DEBU             FIDO2: Device ioreg://4294972030: info &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"}, Extensions:[]string{"credProtect", "hmac-secret"}, AAGUID:[]uint8{0xee, 0x88, 0x28, 0x79, 0x72, 0x1c, 0x49, 0x13, 0x97, 0x75, 0x3d, 0xfc, 0xce, 0x97, 0x7, 0x2a}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"false"}, libfido2.Option{Name:"credentialMgmtPreview", Value:"true"}}, Protocols:[]uint8{0x1}} webauthncli/fido2.go:805
2024-06-17T10:18:40-03:00 DEBU             Captured signal interrupt, attempting to restore terminal state prompt/context_reader.go:202
2024-06-17T10:18:40-03:00 DEBU             FIDO2: Cancel device ioreg://4294972030, err=<nil> webauthncli/fido2.go:771
2024-06-17T10:18:40-03:00 DEBU             FIDO2: Device ioreg://4294972030: callback returned, requiresPIN=false, err=failed to get assertion: keep alive cancel webauthncli/fido2.go:828
2024-06-17T10:18:40-03:00 DEBU             FIDO2: Close device ioreg://4294972030, err=<nil> webauthncli/fido2.go:787
2024-06-17T10:18:40-03:00 DEBU             FIDO2: Device goroutines exited cleanly webauthncli/fido2.go:633

ERROR REPORT:
Original Error: trace.aggregate TOTP authentication failed
    failed reading prompt response
        context canceled, Webauthn authentication failed
    context canceled
Stack Trace:
    github.com/gravitational/teleport/lib/client/mfa/prompt.go:164 github.com/gravitational/teleport/lib/client/mfa.HandleMFAPromptGoroutines
    github.com/gravitational/teleport/lib/client/mfa/cli.go:110 github.com/gravitational/teleport/lib/client/mfa.(*CLIPrompt).Run
    github.com/gravitational/teleport/lib/client/weblogin.go:654 github.com/gravitational/teleport/lib/client.SSHAgentMFALogin
    github.com/gravitational/teleport/lib/client/api.go:4244 github.com/gravitational/teleport/lib/client.(*TeleportClient).mfaLocalLogin
    github.com/gravitational/teleport/lib/client/api.go:4173 github.com/gravitational/teleport/lib/client.(*TeleportClient).localLogin
    github.com/gravitational/teleport/lib/client/api.go:3801 github.com/gravitational/teleport/lib/client.(*TeleportClient).getSSHLoginFunc.func2
    github.com/gravitational/teleport/lib/client/api.go:4002 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin.func1
    github.com/gravitational/teleport/lib/client/api.go:4049 github.com/gravitational/teleport/lib/client.(*TeleportClient).loginWithHardwareKeyRetry
    github.com/gravitational/teleport/lib/client/api.go:4000 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin
    github.com/gravitational/teleport/lib/client/api.go:3581 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:1933 github.com/gravitational/teleport/tool/tsh/common.onLogin
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:1408 github.com/gravitational/teleport/tool/tsh/common.Run
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:596 github.com/gravitational/teleport/tool/tsh/common.Main
    github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
    runtime/proc.go:267 runtime.main
    runtime/asm_arm64.s:1197 runtime.goexit
User Message: failed to authenticate using available MFA devices
    TOTP authentication failed
    failed reading prompt response
        context canceled, Webauthn authentication failed
    context canceled
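The macOS log above shows the intended shape of a combined prompt: one line (`Tap any security key or enter a code from a OTP device`) is printed, then an OTP read and a hardware-key assertion run concurrently, and on Ctrl-C both paths' failures are aggregated into one error. The Go below is an added illustration of that pattern, not tsh's own code; `promptMFA` and `MFAResult` are hypothetical names, the OTP path is a plain line read, and the hardware-key path is stood in for by a channel that fires on a tap. The invariant it keeps, and the one the bug in this thread violates, is that the prompt is written before either path blocks.

```go
package main

import (
	"bufio"
	"context"
	"errors"
	"fmt"
	"io"
	"strings"
)

// MFAResult records which second factor completed the login.
type MFAResult struct {
	Method string // "otp" or "webauthn"
	Code   string // the OTP code when Method is "otp"
}

// promptMFA writes the combined prompt to out, then lets an OTP line read from in race a
// hardware-key tap delivered on tapped (a nil channel stands for "no key present").
// Failures on both paths are aggregated, matching the shape of the
// "TOTP authentication failed ... Webauthn authentication failed" error in the log above.
func promptMFA(ctx context.Context, out io.Writer, in io.Reader, tapped <-chan struct{}) (MFAResult, error) {
	// Prompt first, block second: the user must see this line before either path waits.
	fmt.Fprintln(out, "Tap any security key or enter a code from a OTP device")

	ctx, cancel := context.WithCancel(ctx)
	defer cancel()

	type outcome struct {
		res MFAResult
		err error
	}
	otpCh := make(chan outcome, 1)
	waCh := make(chan outcome, 1)

	// OTP path: one line from the terminal. A blocking read cannot be interrupted by the
	// context, so a cancelled login may leave this goroutine parked until in is closed.
	go func() {
		line, err := bufio.NewReader(in).ReadString('\n')
		code := strings.TrimSpace(line)
		switch {
		case err != nil && code == "":
			otpCh <- outcome{err: fmt.Errorf("TOTP authentication failed: failed reading prompt response: %w", err)}
		case code == "":
			// Bare enter: submitting no code is the "missing second factor" failure.
			otpCh <- outcome{err: errors.New("TOTP authentication failed: missing second factor")}
		default:
			otpCh <- outcome{res: MFAResult{Method: "otp", Code: code}}
		}
	}()

	// WebAuthn path: a device tap, or cancellation once the other path has concluded.
	go func() {
		select {
		case <-tapped:
			waCh <- outcome{res: MFAResult{Method: "webauthn"}}
		case <-ctx.Done():
			waCh <- outcome{err: fmt.Errorf("Webauthn authentication failed: %w", ctx.Err())}
		}
	}()

	var errs []error
	otpDone, waDone := false, false
	done := ctx.Done()
	for !(otpDone && waDone) {
		select {
		case o := <-otpCh:
			otpDone = true
			if o.err == nil {
				return o.res, nil
			}
			errs = append(errs, o.err)
			cancel() // the user answered on the OTP path; stop waiting for a tap
		case o := <-waCh:
			waDone = true
			if o.err == nil {
				return o.res, nil
			}
			errs = append(errs, o.err)
		case <-done:
			done = nil // handle cancellation once
			if !otpDone {
				// Ctrl-C while the OTP reader is parked: report it as cancelled, do not hang.
				otpDone = true
				errs = append(errs, fmt.Errorf("TOTP authentication failed: failed reading prompt response: %w", ctx.Err()))
			}
		}
	}
	return MFAResult{}, errors.Join(errs...)
}

func main() {
	var out strings.Builder
	// Constructed input: the user types an OTP and no hardware key is present.
	res, err := promptMFA(context.Background(), &out, strings.NewReader("123456\n"), nil)
	fmt.Printf("%s%+v %v\n", out.String(), res, err)
}
```

The three outcomes worth checking are the ones the thread exercises: an OTP typed at the prompt wins the race, a key tap wins it while the OTP read is still parked, and an empty enter or a cancelled context yields one error naming both factors rather than a silent hang.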

inthenightsky commented 3 months ago

That's very odd!

I'm on MacOS Sonoma 14.5 primarily, however I can replicate this on both Ubuntu 24.04 LTS & Ubuntu 22.04.4 LTS.

The below log was taken from Ubuntu 22.04.4 LTS.

root@server:~# tsh version
Teleport v16.0.0 git:v16.0.0-0-gbb8b73a2 go1.22.4
Proxy version: 16.0.0
Proxy: teleport.snipped.tld:443
root@server:~# tsh login --proxy=teleport.snipped.tld --user=user -d
2024-06-17T15:09:59Z DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/teleport.snipped.tld/user-ssh/teleport.snipped.tld-cert.pub". client/keystore.go:357
2024-06-17T15:09:59Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 03:11:27 +0000 UTC". client/client_store.go:111
2024-06-17T15:09:59Z INFO [CLIENT]    ALPN connection upgrade required for "teleport.snipped.tld:443": false. client/api.go:817
2024-06-17T15:09:59Z INFO [CLIENT]    no host login given. defaulting to root client/api.go:1159
2024-06-17T15:09:59Z INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/tmp/teleport-3307219702/teleport-1594.socket" client/api.go:4496
2024-06-17T15:09:59Z DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/teleport.snipped.tld/user-ssh/teleport.snipped.tld-cert.pub". client/keystore.go:357
2024-06-17T15:09:59Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 03:11:27 +0000 UTC". client/client_store.go:111
2024-06-17T15:09:59Z INFO [KEYAGENT]  Loading SSH key for user "user" and cluster "teleport.snipped.tld". client/keyagent.go:198
2024-06-17T15:09:59Z DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport.snipped.tld:443 client/api.go:4451
2024-06-17T15:09:59Z DEBU  Attempting request to Proxy web api method:GET host:teleport.snipped.tld:443 path:/webapi/ping trace_id:8ef035b70ef00dab01113ddf0b7832d6 span_id:d2d93ce25d794985 webclient/webclient.go:131
2024-06-17T15:09:59Z DEBU  ALPN connection upgrade test complete address:teleport.snipped.tld:443 upgrade_required:false trace_id:8ef035b70ef00dab01113ddf0b7832d6 span_id:d2d93ce25d794985 client/alpn_conn_upgrade.go:96
2024-06-17T15:09:59Z DEBU [CLIENT]    Attempting to login with a new RSA private key. client/api.go:3757
Enter password for Teleport user user:
2024-06-17T15:10:08Z DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport.snipped.tld:443 client/api.go:4451
2024-06-17T15:10:08Z DEBU [CLIENT]    HTTPS client init(proxyAddr=teleport.snipped.tld:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-06-17T15:10:08Z DEBU             Attempting platform login webauthncli/api.go:168
2024-06-17T15:10:08Z DEBU             Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-06-17T15:10:08Z DEBU             FIDO2: Using libfido2 for assertion webauthncli/api.go:184
2024-06-17T15:10:08Z DEBU             FIDO2: assertion: passwordless=false, uv=false, 1 allowed credentials webauthncli/fido2.go:170
**OTP ENTERED - this line was manually entered, and not printed by debug.**
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 03:11:27 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYAGENT]  Deleting obsolete stored key with index {ProxyHost:teleport.snipped.tld Username:user ClusterName:teleport.snipped.tld}. client/keyagent.go:555
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Adding known host teleport.snipped.tld with proxy teleport.snipped.tld client/trusted_certs_store.go:395
2024-06-17T15:10:20Z INFO [KEYAGENT]  Loading SSH key for user "user" and cluster "teleport.snipped.tld". client/keyagent.go:198
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Adding known host teleport.snipped.tld with proxy teleport.snipped.tld client/trusted_certs_store.go:395
2024-06-17T15:10:20Z DEBU [CLIENT]    Device Trust: skipping device authentication, device trust disabled client/api.go:3307
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Reading certificates from path "/root/.tsh/keys/teleport.snipped/user-ssh/teleport.snipped.tld-cert.pub". client/keystore.go:357
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
2024-06-17T15:10:20Z DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-06-17 23:10:20 +0000 UTC". client/client_store.go:111
> Profile URL:        https://teleport.snipped.tld:443
  Logged in as:       user
  Cluster:            teleport.snipped.tld
  Roles:              access, administrator, editor
  Traits:             kubernetes_groups: []
                      azure_identities: []
                      db_names: []
                      db_roles: []
                      db_users: []
                      gcp_service_accounts: []
                      host_user_gid: []
                      host_user_uid: []
                      kubernetes_users: []
                      aws_role_arns: [arn:aws:iam::111111111111:role/teleport.role.admin arn:aws:iam::111111111111:role/teleport.role.readonly]
                      windows_logins: []
                      logins: [root]
  Logins:            snipped
  Kubernetes:         enabled
  Kubernetes users:   dev
  Kubernetes groups:  developer
  Valid until:        2024-06-17 23:10:20 +0000 UTC [valid for 8h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

Hopefully that helps?

pschisa commented 2 months ago

observing the same on my SaaS cluster with v15.4.7 tsh and 15.4.9 proxy on MacOS

paulschisa:~$ tsh login --proxy=schisa.teleport.sh --auth=local --user=paul.schisa@gmail.com -d
2024-07-24T09:54:57-04:00 DEBU [TSH]       Web proxy port was not set. Attempting to detect port number to use. common/tsh.go:4246
2024-07-24T09:54:57-04:00 DEBU [TSH]       Resolving default proxy port (insecure: false) common/resolve_default_addr.go:113
2024-07-24T09:54:57-04:00 DEBU [TSH]       Trying schisa.teleport.sh:3080... common/resolve_default_addr.go:101
2024-07-24T09:54:57-04:00 DEBU [TSH]       Trying schisa.teleport.sh:443... common/resolve_default_addr.go:101
2024-07-24T09:54:58-04:00 DEBU [TSH]       Address schisa.teleport.sh:443 succeeded. Selected as canonical proxy address common/resolve_default_addr.go:193
2024-07-24T09:54:58-04:00 DEBU [TSH]       Waiting for all in-flight proxy address tests to finish common/resolve_default_addr.go:141
2024-07-24T09:54:58-04:00 DEBU [TSH]       Proxy address test failed error:[Get "https://schisa.teleport.sh:3080/webapi/ping": context canceled] common/resolve_default_addr.go:65
2024-07-24T09:54:58-04:00 INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.4LkjtU9vI4/Listeners" client/api.go:4850
2024-07-24T09:54:58-04:00 DEBU [TSH]       Pinging the proxy to fetch listening addresses for non-web ports. common/tsh.go:3691
2024-07-24T09:54:58-04:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: schisa.teleport.sh:443 client/api.go:4805
2024-07-24T09:54:58-04:00 DEBU             Attempting GET schisa.teleport.sh:443/webapi/ping/local webclient/webclient.go:130
2024-07-24T09:54:58-04:00 DEBU             ALPN connection upgrade required for "schisa.teleport.sh:443": false. client/alpn_conn_upgrade.go:95
2024-07-24T09:54:58-04:00 DEBU [CLIENT]    Attempting to login with a new RSA private key. client/api.go:4112
Enter password for Teleport user paul.schisa@gmail.com:
2024-07-24T09:55:03-04:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: schisa.teleport.sh:443 client/api.go:4805
2024-07-24T09:55:03-04:00 DEBU [CLIENT]    HTTPS client init(proxyAddr=schisa.teleport.sh:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-07-24T09:55:04-04:00 DEBU             Attempting platform login webauthncli/api.go:168
2024-07-24T09:55:04-04:00 DEBU             Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-07-24T09:55:04-04:00 DEBU             FIDO2: Using libfido2 for assertion webauthncli/api.go:183
2024-07-24T09:55:04-04:00 DEBU             FIDO2: assertion: passwordless=false, uv=false, 1 allowed credentials webauthncli/fido2.go:167
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Adding known host schisa.teleport.sh with proxy schisa.teleport.sh client/trusted_certs_store.go:395
2024-07-24T09:55:08-04:00 INFO [KEYAGENT]  Loading SSH key for user "paul.schisa@gmail.com" and cluster "schisa.teleport.sh". client/keyagent.go:198
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Adding known host schisa.teleport.sh with proxy schisa.teleport.sh client/trusted_certs_store.go:395
2024-07-24T09:55:08-04:00 DEBU [CLIENT]    Device Trust: Skipping device authentication, device key not found client/api.go:3676
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Reading certificates from path "/Users/paulschisa/.tsh/keys/schisa.teleport.sh/paul.schisa@gmail.com-ssh/schisa.teleport.sh-cert.pub". client/keystore.go:357
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
2024-07-24T09:55:08-04:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-07-24 21:55:08 +0000 UTC". client/client_store.go:111
> Profile URL:        https://schisa.teleport.sh:443
  Logged in as:       paul.schisa@gmail.com
  Cluster:            schisa.teleport.sh
  Roles:              test-dacadoo-requester
  Kubernetes:         enabled
  Valid until:        2024-07-24 17:55:08 -0400 EDT [valid for 8h0m0s]
  Extensions:         login-ip, permit-port-forwarding, permit-pty, private-key-policy

paulschisa:~$ tsh version
Teleport v15.4.7 git:v15.4.7-0-g2611484 go1.22.5
Proxy version: 15.4.9
Proxy: schisa.teleport.sh:443

inthenightsky commented 1 month ago

This seems okay now in more recent versions. You'll default to a hardware key if specified, however similar behaviour can be observed if you try to proxy an app.

Unsure if this deserves to be its own issue or not but will leave it up for discussion.

Before starting, ensure your role is configured to mandate per-session MFA.

1) Log in to Teleport as normal (tsh login --user username --mfa-mode=otp)
2) Initiate an app proxy (tsh proxy app app-name --mfa-mode=otp)

Notice that once a valid OTP is given, the connection to the desired proxied app is successful. This can be observed in closer depth by adding the --debug flag, showing certificates getting issued subsequently, despite no prompt showing the authentication was successful.

marcoandredinis commented 18 hours ago

I just got into the same issue. Cluster running master and signed tsh running 16.4.2 on MacOS (15.0). I have two MFAs configured: Authenticator App and Hardware Key. When I log in using `tsh login --proxy=$PROXY --user=$USER` I get asked for the password but no feedback after I press enter. I had to put the TOTP from the Authenticator App for the login to succeed. This is really confusing.

Logs from `tsh -d`

```
$ tsh login --proxy=marco.cloud.gravitational.io:443 --user=marco.dinis@goteleport.com -d
2024-09-30T14:29:37+01:00 INFO [CLIENT] no host login given. defaulting to marcodinis client/api.go:1175
2024-09-30T14:29:37+01:00 INFO [CLIENT] [KEY AGENT] Connected to the system agent: "/private/tmp/com.apple.launchd.aR9dtmw8sU/Listeners" client/api.go:4586
2024-09-30T14:29:37+01:00 DEBU [TSH] Pinging the proxy to fetch listening addresses for non-web ports. common/tsh.go:3807
2024-09-30T14:29:37+01:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: marco.cloud.gravitational.io:443 client/api.go:4541
2024-09-30T14:29:37+01:00 DEBU Attempting request to Proxy web api method:GET host:marco.cloud.gravitational.io:443 path:/webapi/ping trace_id:20b3dda83a4d0e0297545b5742b9ef6f span_id:c3860a86e23c4d07 webclient/webclient.go:131
2024-09-30T14:29:37+01:00 DEBU ALPN connection upgrade test complete address:marco.cloud.gravitational.io:443 upgrade_required:false trace_id:20b3dda83a4d0e0297545b5742b9ef6f span_id:c3860a86e23c4d07 client/alpn_conn_upgrade.go:96
2024-09-30T14:29:37+01:00 DEBU [CLIENT] Attempting to login with a new RSA private key. client/api.go:3809
Enter password for Teleport user marco.dinis@goteleport.com:
2024-09-30T14:29:41+01:00 DEBU [CLIENT] not using loopback pool for remote proxy addr: marco.cloud.gravitational.io:443 client/api.go:4541
2024-09-30T14:29:41+01:00 DEBU [CLIENT] HTTPS client init(proxyAddr=marco.cloud.gravitational.io:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-09-30T14:29:42+01:00 DEBU Attempting platform login webauthncli/api.go:168
2024-09-30T14:29:42+01:00 DEBU Platform login failed, falling back to cross-platform error:[credential not found] webauthncli/api.go:174
2024-09-30T14:29:42+01:00 DEBU FIDO2: Using libfido2 for assertion webauthncli/api.go:183
2024-09-30T14:29:42+01:00 DEBU FIDO2: assertion: passwordless=false, uv=false, 1 allowed credentials webauthncli/fido2.go:167
< HERE TSH IS WAITING FOR USER INPUT >
```

After building tsh from master (see commit above), it is now asking for the OTP. So, this was probably fixed already 🤔