gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
17.69k stars 1.77k forks

Yubikey firmware version for passwordless #44198

Closed efrikin closed 1 month ago

efrikin commented 4 months ago

hi there!

Applies To

Hardware device not usable

Details

I ran into a problem with the passwordless single-factor/passwordless MFA methods via Yubikey. The thing is, I have two Yubikey 5 NFC devices for authenticating to Teleport (WebUI/tsh login), and one of them can only log in to the WebUI. When I try to perform tsh login I receive the following error:

$ tsh login -d -v --proxy=teleport.example.com
<skipped output>
2024-07-12T12:02:45+03:00 DEBU             FIDO2: assertion: passwordless=true, uv=true, 0 allowed credentials webauthncli/fido2.go:167
Tap your security key
2024-07-12T12:02:45+03:00 DEBU             FIDO2: Device /dev/hidraw3: info &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0"}, Extensions:[]string{"hmac-secret"}, AAGUID:[]uint8{0xfa, 0x2b, 0x99, 0xdc, 0x9e, 0x39, 0x42, 0x57, 0x8f, 0x92, 0x4a, 0x30, 0xd2, 0x3c, 0x41, 0x18}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"true"}}, Protocols:[]uint8{0x1}} webauthncli/fido2.go:802
2024-07-12T12:02:50+03:00 DEBU             FIDO2: Got 1 assertions webauthncli/fido2.go:250 
2024-07-12T12:02:50+03:00 DEBU             FIDO2: Authenticated: credential ID (b64) = p_Dsym4qCjvp_krAyWPUWQ, user ID (hex) = 61343831646630362d306335652d346631392d396632392d623862343038663962386664, user name = "" webauthncli/fido2.go:258
2024-07-12T12:02:50+03:00 DEBU             FIDO2: Device /dev/hidraw3: callback returned, requiresPIN=false, err=<nil> webauthncli/fido2.go:825
Detected security key tap
2024-07-12T12:02:50+03:00 DEBU             FIDO2: Close device /dev/hidraw3, err=<nil> webauthncli/fido2.go:784
2024-07-12T12:02:50+03:00 DEBU             FIDO2: Cancel device /dev/hidraw3, err=<nil> webauthncli/fido2.go:768
2024-07-12T12:02:50+03:00 DEBU             FIDO2: Device goroutines exited cleanly webauthncli/fido2.go:630

ERROR REPORT:
Original Error: *trace.AccessDeniedError invalid credentials
Stack Trace:

Caught:
        github.com/gravitational/teleport/lib/httplib/httplib.go:216 github.com/gravitational/teleport/lib/httplib.ConvertResponse
        github.com/gravitational/teleport/lib/client/https_client.go:124 github.com/gravitational/teleport/lib/client.(*WebClient).PostJSON
        github.com/gravitational/teleport/lib/client/weblogin.go:593 github.com/gravitational/teleport/lib/client.SSHAgentPasswordlessLogin
        github.com/gravitational/teleport/lib/client/api.go:3809 github.com/gravitational/teleport/lib/client.(*TeleportClient).pwdlessLogin
        github.com/gravitational/teleport/lib/client/api.go:3663 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin.func1
        github.com/gravitational/teleport/lib/client/api.go:3710 github.com/gravitational/teleport/lib/client.(*TeleportClient).loginWithHardwareKeyRetry
        github.com/gravitational/teleport/lib/client/api.go:3661 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin
        github.com/gravitational/teleport/lib/client/api.go:3242 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
        github.com/gravitational/teleport/tool/tsh/common/tsh.go:1929 github.com/gravitational/teleport/tool/tsh/common.onLogin
        github.com/gravitational/teleport/tool/tsh/common/tsh.go:1427 github.com/gravitational/teleport/tool/tsh/common.Run
        github.com/gravitational/teleport/tool/tsh/common/tsh.go:608 github.com/gravitational/teleport/tool/tsh/common.Main
        github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
        runtime/proc.go:271 runtime.main
        runtime/asm_amd64.s:1695 runtime.goexit
User Message: invalid credentials

I noticed, when comparing the logs from the two devices, that one of them doesn't have FIDO_2_1_PRE in libfido2.DeviceInfo. I also found that the libfido2.Option lists differ, and one of them doesn't have Protocol 0x2 or credentialMgmtPreview.

Next, I decided to compare the firmware versions of the devices. I found that one of the devices has a firmware version lower than 5.2.3. According to the Yubico developer documentation, the Credential Protection extension is supported with firmware 5.2.3 and above.

First device log

```bash
tsh login -d -v --proxy=teleport.example.com
2024-07-05T16:03:58+07:00 DEBU FIDO2: assertion: passwordless=true, uv=true, 0 allowed credentials webauthncli/fido2.go:170
Tap your security key
2024-07-05T16:03:58+07:00 DEBU FIDO2: Device /dev/hidraw7: info &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"}, Extensions:[]string{"credProtect", "hmac-secret"}, AAGUID:[]uint8{0x2f, 0xc0, 0x57, 0x9f, 0x81, 0x13, 0x47, 0xea, 0xb1, 0x16, 0xbb, 0x5a, 0x8d, 0xb9, 0x20, 0x2a}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"true"}, libfido2.Option{Name:"credentialMgmtPreview", Value:"true"}}, Protocols:[]uint8{0x2, 0x1}} webauthncli/fido2.go:805
2024-07-05T16:04:00+07:00 DEBU FIDO2: Device /dev/hidraw7: callback returned, requiresPIN=true, err= webauthncli/fido2.go:828
Detected security key tap
Enter your security key PIN:
Tap your security key again to complete login
```

My first device is 5.4.3 and I can log in to Teleport via WebUI/tsh login. So I'm still able to use my second device as 2FA, but it doesn't work as passwordless/usernameless via tsh login.

How will we know this is resolved?

I propose making changes to the documentation to specify when a Yubikey can be used as passwordless (>5.2.3) and when only as 2FA (<5.2.3).

What do you think about it?

Additional information

Teleport version 15.3.7

/etc/teleport.yaml

```yaml
teleport:
  storage:
    type: sqlite
    sync: normal
    journal: wal
    audit_events_uri:
      - 'file:///var/lib/teleport/log'
    audit_sessions_uri: 'file:///var/lib/teleport/log'
  log:
    output: stderr
    severity: debug
auth_service:
  web_idle_timeout: 1h
  authentication:
    type: local
    connector_name: passwordless
    locking_mode: best_effort
    second_factor: webauthn
    require_session_mfa: false
    passwordless: true
    headless: false
    webauthn:
      rp_id: teleport.example.com
  disconnect_expired_cert: yes
  client_idle_timeout: 1h
```
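To make the comparison the report does by eye repeatable, here is an added example (not part of this issue and not Teleport's own code) that parses the `FIDO2: Device ...: info &libfido2.DeviceInfo{...}` debug lines that `tsh -d` prints and lists what one key advertises that the other does not. The two input lines are copied verbatim from the logs above. The only judgement it adds beyond the diff is the minimum a discoverable credential cannot work without, `rk` plus a configured `clientPin` (how a PIN-only key satisfies uv=true); both keys in the thread pass that check, so the tool is a triage aid, not a verdict on why this login fails.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// DeviceCaps holds the authenticator capabilities that `tsh -d` prints in its
// "FIDO2: Device <path>: info &libfido2.DeviceInfo{...}" line. The fields
// mirror the CTAP2 GetInfo response that libfido2 exposes.
type DeviceCaps struct {
	Device     string
	Versions   []string        // e.g. U2F_V2, FIDO_2_0, FIDO_2_1_PRE
	Extensions []string        // e.g. hmac-secret, credProtect
	Options    map[string]bool // e.g. rk, up, plat, clientPin, credentialMgmtPreview
	Protocols  []string        // PIN/UV auth protocols, e.g. 0x1, 0x2
}

var (
	// Linux logs read "Device /dev/hidrawN: info &...", macOS logs read
	// "Info for device ioreg://...: &..."; exactly one group matches.
	deviceRE     = regexp.MustCompile(`FIDO2: (?:Device (\S+): info|Info for device (\S+): &)`)
	versionsRE   = regexp.MustCompile(`Versions:\[\]string\{([^}]*)\}`)
	extensionsRE = regexp.MustCompile(`Extensions:\[\]string\{([^}]*)\}`)
	optionRE     = regexp.MustCompile(`libfido2\.Option\{Name:"([^"]+)", Value:"([^"]+)"\}`)
	protocolsRE  = regexp.MustCompile(`Protocols:\[\]uint8\{([^}]*)\}`)
	quotedRE     = regexp.MustCompile(`"([^"]*)"`)
)

// quotedList turns `"a", "b"` into []string{"a", "b"}.
func quotedList(s string) []string {
	var out []string
	for _, m := range quotedRE.FindAllStringSubmatch(s, -1) {
		out = append(out, m[1])
	}
	return out
}

// ParseDeviceInfo extracts DeviceCaps from one tsh debug line; ok is false for
// any line that does not carry a libfido2.DeviceInfo dump.
func ParseDeviceInfo(line string) (caps DeviceCaps, ok bool) {
	if !strings.Contains(line, "libfido2.DeviceInfo{") {
		return DeviceCaps{}, false
	}
	caps = DeviceCaps{Options: map[string]bool{}}
	if m := deviceRE.FindStringSubmatch(line); m != nil {
		caps.Device = m[1] + m[2]
	}
	if m := versionsRE.FindStringSubmatch(line); m != nil {
		caps.Versions = quotedList(m[1])
	}
	if m := extensionsRE.FindStringSubmatch(line); m != nil {
		caps.Extensions = quotedList(m[1])
	}
	for _, m := range optionRE.FindAllStringSubmatch(line, -1) {
		caps.Options[m[1]] = m[2] == "true"
	}
	if m := protocolsRE.FindStringSubmatch(line); m != nil {
		for _, p := range strings.Split(m[1], ",") {
			if p = strings.TrimSpace(p); p != "" {
				caps.Protocols = append(caps.Protocols, p)
			}
		}
	}
	return caps, true
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// MeetsPasswordlessMinimum: resident-key support plus a configured PIN. Both
// keys in the thread pass this, so passing it does not mean login will work.
func MeetsPasswordlessMinimum(c DeviceCaps) bool {
	return c.Options["rk"] && c.Options["clientPin"]
}

// MissingVersus lists everything ref advertises that c does not. With the
// working key as ref this reproduces the differences the report found by eye.
func MissingVersus(ref, c DeviceCaps) []string {
	var missing []string
	for _, v := range ref.Versions {
		if !contains(c.Versions, v) {
			missing = append(missing, "version "+v)
		}
	}
	for _, e := range ref.Extensions {
		if !contains(c.Extensions, e) {
			missing = append(missing, "extension "+e)
		}
	}
	for name, on := range ref.Options {
		if on && !c.Options[name] {
			missing = append(missing, "option "+name)
		}
	}
	for _, p := range ref.Protocols {
		if !contains(c.Protocols, p) {
			missing = append(missing, "pin/uv protocol "+p)
		}
	}
	sort.Strings(missing)
	return missing
}

// Sample input: the two DeviceInfo lines quoted in this issue, copied verbatim.
const (
	workingKeyLine = `2024-07-05T16:03:58+07:00 DEBU FIDO2: Device /dev/hidraw7: info &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0", "FIDO_2_1_PRE"}, Extensions:[]string{"credProtect", "hmac-secret"}, AAGUID:[]uint8{0x2f, 0xc0, 0x57, 0x9f, 0x81, 0x13, 0x47, 0xea, 0xb1, 0x16, 0xbb, 0x5a, 0x8d, 0xb9, 0x20, 0x2a}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"true"}, libfido2.Option{Name:"credentialMgmtPreview", Value:"true"}}, Protocols:[]uint8{0x2, 0x1}} webauthncli/fido2.go:805`
	failingKeyLine = `2024-07-12T12:02:45+03:00 DEBU             FIDO2: Device /dev/hidraw3: info &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0"}, Extensions:[]string{"hmac-secret"}, AAGUID:[]uint8{0xfa, 0x2b, 0x99, 0xdc, 0x9e, 0x39, 0x42, 0x57, 0x8f, 0x92, 0x4a, 0x30, 0xd2, 0x3c, 0x41, 0x18}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"true"}}, Protocols:[]uint8{0x1}} webauthncli/fido2.go:802`
)

func main() {
	working, _ := ParseDeviceInfo(workingKeyLine)
	failing, _ := ParseDeviceInfo(failingKeyLine)
	for _, c := range []DeviceCaps{working, failing} {
		fmt.Printf("%s: versions=%v extensions=%v protocols=%v rk+PIN=%v\n",
			c.Device, c.Versions, c.Extensions, c.Protocols, MeetsPasswordlessMinimum(c))
	}
	fmt.Printf("%s lacks, relative to %s: %v\n",
		failing.Device, working.Device, MissingVersus(working, failing))
}
```

Feed it the whole `tsh login -d` output of each key (one call to `ParseDeviceInfo` per line, keeping the lines where `ok` is true) and the diff for the failing key above comes out as the four items the reporter listed: FIDO_2_1_PRE, credProtect, credentialMgmtPreview and PIN/UV protocol 0x2. Whether any of those is what the server's "invalid credentials" response is about is not something the client log can show; it only narrows what to ask about next.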
codingllama commented 4 months ago

Hey efrikin, thanks for the report.

Before anything else, is the failing device registered for passwordless in Teleport? Could you try registering it again (tsh mfa add --allow-passwordless --type=WEBAUTHN) and see if that helps?

For completeness, what does tsh version print?

efrikin commented 4 months ago

Hello, Alan

Thank you for your answer. I appreciate it!

My Yubikey was reset and a new PIN was set up before running the command. I received the following error:

$ tsh mfa add -d --allow-passwordless --type=WEBAUTHN --proxy=teleport.example.com:443 --bind-addr=https://teleport.example.com:443/web/reset/b70314345dd0**************
<skipped output>
Enter device name: teleport.example.com
2024-07-17T12:07:49+03:00 [TSH]       DEBU tsh using passwordless registration? true common/mfa.go:280
2024-07-17T12:07:49+03:00 [CLIENT]    DEBU Activating relogin on no SSH auth methods loaded, are you logged in?. client/api.go:593
2024-07-17T12:07:49+03:00 [CLIENT]    DEBU not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4551
2024-07-17T12:07:49+03:00             DEBU Attempting GET teleport.example.com:443/webapi/motd webclient/webclient.go:129
Welcome to Teleport
Press [ENTER] to continue.
2024-07-17T12:07:50+03:00 [CLIENT]    DEBU Attempting to login with a new RSA private key. client/api.go:3897
2024-07-17T12:07:50+03:00 [CLIENT]    DEBU not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4551
2024-07-17T12:07:50+03:00 [CLIENT]    DEBU HTTPS client init(proxyAddr=teleport.example.com:443, insecure=false, extraHeaders=map[]) client/weblogin.go:343
2024-07-17T12:07:50+03:00             DEBU Attempting platform login webauthncli/api.go:164
2024-07-17T12:07:50+03:00             DEBU Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:170
2024-07-17T12:07:50+03:00             DEBU FIDO2: Using libfido2 for assertion webauthncli/api.go:180
2024-07-17T12:07:50+03:00             DEBU FIDO2: assertion: passwordless=true, uv=true, 0 allowed credentials webauthncli/fido2.go:119
Tap your security key
2024-07-17T12:07:50+03:00             DEBU FIDO2: Info for device ioreg://4294991947: &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0"}, Extensions:[]string{"hmac-secret"}, AAGUID:[]uint8{0xcb, 0x69, 0x48, 0x1e, 0x8f, 0xf7, 0x40, 0x39, 0x93, 0xec, 0xa, 0x27, 0x29, 0xa1, 0x54, 0xa8}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"true"}}, Protocols:[]uint8{0x1}} webauthncli/fido2.go:894
2024-07-17T12:07:50+03:00             DEBU FIDO2: Found 1 new devices webauthncli/fido2.go:903
2024-07-17T12:07:58+03:00             DEBU FIDO2: Got 1 assertions webauthncli/fido2.go:200
2024-07-17T12:07:58+03:00             DEBU FIDO2: Authenticated: credential ID (b64) = WjM0-Yig4cTnJ0a5tIuw-g, user ID (hex) = 37333738653436652d386538322d343863322d613930382d656261643934623430303530, user name = "" webauthncli/fido2.go:208
2024-07-17T12:07:58+03:00             DEBU FIDO2: device ioreg://4294991947: selected with err=<nil> webauthncli/fido2.go:923
Detected security key tap
ERROR REPORT:
Original Error: *trace.AccessDeniedError invalid credentials
Stack Trace:
Caught:
    github.com/gravitational/teleport/lib/httplib/httplib.go:214 github.com/gravitational/teleport/lib/httplib.ConvertResponse
    github.com/gravitational/teleport/lib/client/https_client.go:123 github.com/gravitational/teleport/lib/client.(*WebClient).PostJSON
    github.com/gravitational/teleport/lib/client/weblogin.go:582 github.com/gravitational/teleport/lib/client.SSHAgentPasswordlessLogin
    github.com/gravitational/teleport/lib/client/api.go:3941 github.com/gravitational/teleport/lib/client.(*TeleportClient).pwdlessLogin
    github.com/gravitational/teleport/lib/client/api.go:3791 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin.func1
    github.com/gravitational/teleport/lib/client/api.go:3838 github.com/gravitational/teleport/lib/client.(*TeleportClient).loginWithHardwareKeyRetry
    github.com/gravitational/teleport/lib/client/api.go:3789 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin
    github.com/gravitational/teleport/lib/client/api.go:3373 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
    github.com/gravitational/teleport/lib/client/api.go:611 github.com/gravitational/teleport/lib/client.RetryWithRelogin
    github.com/gravitational/teleport/tool/tsh/common/mfa.go:314 github.com/gravitational/teleport/tool/tsh/common.(*mfaAddCommand).addDeviceRPC
    github.com/gravitational/teleport/tool/tsh/common/mfa.go:282 github.com/gravitational/teleport/tool/tsh/common.(*mfaAddCommand).run
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:1412 github.com/gravitational/teleport/tool/tsh/common.Run
    github.com/gravitational/teleport/tool/tsh/common/tsh.go:558 github.com/gravitational/teleport/tool/tsh/common.Main
    github.com/gravitational/teleport/tool/tsh/main.go:24 main.main
    runtime/proc.go:267 runtime.main
    runtime/asm_arm64.s:1197 runtime.goexit
User Message: invalid credentials

Also, I tried to run ykman fido credentials list and received the following error:

ERROR: Authenticator does not support Credential Management

tsh version

Proxy version: 15.3.7
Proxy: teleport.example.com:443
efrikin commented 3 months ago

/cc @codingllama

codingllama commented 3 months ago

Hey efrikin,

The last log you shared shows a failed login attempt. Could you try logging in with an authenticator that works, remove the problematic authenticator and re-register it?

Roughly this sequence of commands:

If that works, great. Otherwise, please share the tsh -d logs from the last 2 commands.

Cheers.

efrikin commented 3 months ago

Hello, Alan

Thank you for your answer!

I created a user and registered them with a password and a Yubikey device before testing.

$ tsh logout
Logged out all users from all proxies.
$ tsh login --proxy=https://teleport.example.com:443 --user test1 --auth=local
Welcome to Teleport!
Press [ENTER] to continue.
Enter password for Teleport user test1:
Tap any security key
Detected security key tap
> Profile URL:        https://teleport.example.com:443
  Logged in as:       test1
<skipped output>
$ tsh mfa ls
Name            Type     Added at                      Last used                     
--------------- -------- ----------------------------- ----------------------------- 
webauthn-device WebAuthn Wed, 21 Aug 2024 08:43:45 UTC Wed, 21 Aug 2024 08:44:23 UTC 

I couldn't remove the device because it's the only device:

$ tsh mfa rm webauthn-device
Tap any security key
Detected security key tap
ERROR: cannot delete the last webauthn device for this user; add a replacement device first to avoid getting locked out

Next, I tried adding/re-registering this device as passwordless; I was prompted to register a new device with a new resident key (registration: resident key=true) and the device was added as passwordless to Teleport.

$ tsh mfa add -d --allow-passwordless --type=WEBAUTHN --name=problem-device
2024-08-21T11:45:08+03:00 INFO [CLIENT]    ALPN connection upgrade required for "teleport.example.com:443": false. client/api.go:819
2024-08-21T11:45:08+03:00 INFO [CLIENT]    no host login given. defaulting to test1 client/api.go:1162
2024-08-21T11:45:08+03:00 INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/run/user/1881864843/keyring/ssh" client/api.go:4553
2024-08-21T11:45:08+03:00 DEBU [KEYSTORE]  Reading certificates from path "/home/test1/.tsh/keys/teleport.example.com/test1-ssh/teleport.example.com-cert.pub". client/keystore.go:357
2024-08-21T11:45:08+03:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-08-21 20:44:23 +0000 UTC". client/client_store.go:118
2024-08-21T11:45:08+03:00 INFO [KEYAGENT]  Loading SSH key for user "test1" and cluster "teleport.example.com". client/keyagent.go:198
2024-08-21T11:45:08+03:00 DEBU [TSH]       tsh using passwordless registration? true common/mfa.go:282
2024-08-21T11:45:08+03:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-08-21 20:44:23 +0000 UTC". client/client_store.go:118
2024-08-21T11:45:08+03:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-08-21 20:44:23 +0000 UTC". client/client_store.go:118
2024-08-21T11:45:08+03:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-08-21 20:44:23 +0000 UTC". client/client_store.go:118
2024-08-21T11:45:08+03:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-08-21 20:44:23 +0000 UTC". client/client_store.go:118
2024-08-21T11:45:08+03:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-08-21 20:44:23 +0000 UTC". client/client_store.go:118
2024-08-21T11:45:08+03:00 DEBU             Attempting platform login webauthncli/api.go:168
2024-08-21T11:45:08+03:00 DEBU             Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-08-21T11:45:08+03:00 DEBU             FIDO2: Using libfido2 for assertion webauthncli/api.go:183
2024-08-21T11:45:08+03:00 DEBU             FIDO2: assertion: passwordless=false, uv=false, 1 allowed credentials webauthncli/fido2.go:167
Tap any *registered* security key
2024-08-21T11:45:08+03:00 DEBU             FIDO2: Device /dev/hidraw3: info &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0"}, Extensions:[]string{"hmac-secret"}, AAGUID:[]uint8{0xfa, 0x2b, 0x99, 0xdc, 0x9e, 0x39, 0x42, 0x57, 0x8f, 0x92, 0x4a, 0x30, 0xd2, 0x3c, 0x41, 0x18}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"true"}}, Protocols:[]uint8{0x1}} webauthncli/fido2.go:802
2024-08-21T11:45:10+03:00 DEBU             FIDO2: Got 1 assertions webauthncli/fido2.go:250
2024-08-21T11:45:10+03:00 DEBU             FIDO2: Authenticated: credential ID (b64) = MhJZz-fkQ1rV3hH1Lj4g-U10B8G9mqAn2kwjdQXpvEv6GSEhHCQSyry0yl0yTodoXNmjMomssSAkstA9YoDnaA, user ID (hex) = , user name = "" webauthncli/fido2.go:258
2024-08-21T11:45:10+03:00 DEBU             FIDO2: Device /dev/hidraw3: callback returned, requiresPIN=false, err=<nil> webauthncli/fido2.go:825
Detected security key tap
2024-08-21T11:45:10+03:00 DEBU             FIDO2: Close device /dev/hidraw3, err=<nil> webauthncli/fido2.go:784
2024-08-21T11:45:10+03:00 DEBU             FIDO2: Cancel device /dev/hidraw3, err=<nil> webauthncli/fido2.go:768
2024-08-21T11:45:10+03:00 DEBU             FIDO2: Device goroutines exited cleanly webauthncli/fido2.go:630
2024-08-21T11:45:10+03:00 DEBU [TSH]       WebAuthn: prompting MFA devices with origin "https://teleport.example.com:443" common/mfa.go:524
2024-08-21T11:45:10+03:00 DEBU             FIDO2: Using libfido2 for credential creation webauthncli/api.go:230
2024-08-21T11:45:10+03:00 DEBU             FIDO2: registration: resident key=true webauthncli/fido2.go:391
Tap your *new* security key
2024-08-21T11:45:10+03:00 DEBU             FIDO2: Device /dev/hidraw3: info &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0"}, Extensions:[]string{"hmac-secret"}, AAGUID:[]uint8{0xfa, 0x2b, 0x99, 0xdc, 0x9e, 0x39, 0x42, 0x57, 0x8f, 0x92, 0x4a, 0x30, 0xd2, 0x3c, 0x41, 0x18}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"true"}}, Protocols:[]uint8{0x1}} webauthncli/fido2.go:802
2024-08-21T11:45:11+03:00 DEBU             FIDO2: Device /dev/hidraw3: callback returned, requiresPIN=true, err=<nil> webauthncli/fido2.go:825
Detected security key tap
Enter your *new* security key PIN:
Tap your *new* security key again to complete registration
Detected security key tap
2024-08-21T11:45:17+03:00 DEBU             FIDO2: Close device /dev/hidraw3, err=<nil> webauthncli/fido2.go:784
2024-08-21T11:45:17+03:00 DEBU             FIDO2: Cancel device /dev/hidraw3, err=<nil> webauthncli/fido2.go:768
2024-08-21T11:45:17+03:00 DEBU             FIDO2: Device goroutines exited cleanly webauthncli/fido2.go:630
MFA device "problem-device" added.

I see that the device returned the following assertion with passwordless=false and uv=false:

2024-08-21T11:45:08+03:00 DEBU             FIDO2: assertion: passwordless=false, uv=false, 1 allowed credentials webauthncli/fido2.go:167
2024-08-21T11:45:08+03:00 DEBU             FIDO2: Device /dev/hidraw3: info &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0"}, Extensions:[]string{"hmac-secret"}, AAGUID:[]uint8{0xfa, 0x2b, 0x99, 0xdc, 0x9e, 0x39, 0x42, 0x57, 0x8f, 0x92, 0x4a, 0x30, 0xd2, 0x3c, 0x41, 0x18}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"true"}}, Protocols:[]uint8{0x1}} webauthncli/fido2.go:802
2024-08-21T11:45:10+03:00 DEBU             FIDO2: Got 1 assertions webauthncli/fido2.go:250

When I tried to log in, I received an error:

$ tsh mfa ls
Name            Type     Added at                      Last used                     
--------------- -------- ----------------------------- ----------------------------- 
webauthn-device WebAuthn Wed, 21 Aug 2024 08:43:45 UTC Wed, 21 Aug 2024 08:45:10 UTC 
problem-device  WebAuthn Wed, 21 Aug 2024 08:45:17 UTC Wed, 21 Aug 2024 08:45:17 UTC 
$ tsh logout
Logged out all users from all proxies.
$ tsh login -d --proxy=https://teleport.example.com:443 --user test1 --auth=passwordless
2024-08-21T11:46:37+03:00 INFO [CLIENT]    no host login given. defaulting to test1 client/api.go:1162
2024-08-21T11:46:37+03:00 INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/run/user/1881864843/keyring/ssh" client/api.go:4553
2024-08-21T11:46:37+03:00 DEBU [TSH]       Pinging the proxy to fetch listening addresses for non-web ports. common/tsh.go:3765
2024-08-21T11:46:37+03:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4508
2024-08-21T11:46:37+03:00 DEBU  Attempting request to Proxy web api method:GET host:teleport.example.com:443 path:/webapi/ping/passwordless trace_id:67d63bb5c14c8e2a3ed1a2a65028a91f span_id:d60f1b570fd6fae7 webclient/webclient.go:131
2024-08-21T11:46:38+03:00 DEBU  ALPN connection upgrade test complete address:teleport.example.com:443 upgrade_required:false trace_id:67d63bb5c14c8e2a3ed1a2a65028a91f span_id:d60f1b570fd6fae7 client/alpn_conn_upgrade.go:96
2024-08-21T11:46:38+03:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4508
2024-08-21T11:46:38+03:00 DEBU  Attempting request to Proxy web api method:GET host:teleport.example.com:443 path:/webapi/motd trace_id:67d63bb5c14c8e2a3ed1a2a65028a91f span_id:5581ef359b5beb4a webclient/webclient.go:131
Welcome to Teleport!
Press [ENTER] to continue.
2024-08-21T11:46:40+03:00 DEBU [CLIENT]    Attempting to login with a new RSA private key. client/api.go:3778

2024-08-21T11:46:41+03:00 DEBU [CLIENT]    not using loopback pool for remote proxy addr: teleport.example.com:443 client/api.go:4508
2024-08-21T11:46:41+03:00 DEBU [CLIENT]    HTTPS client init(proxyAddr=teleport.example.com:443, insecure=false, extraHeaders=map[]) client/weblogin.go:354
2024-08-21T11:46:41+03:00 DEBU             Attempting platform login webauthncli/api.go:168
2024-08-21T11:46:41+03:00 DEBU             Platform login failed, falling back to cross-platform error:[touch ID not available] webauthncli/api.go:174
2024-08-21T11:46:41+03:00 DEBU             FIDO2: Using libfido2 for assertion webauthncli/api.go:183
2024-08-21T11:46:41+03:00 DEBU             FIDO2: assertion: passwordless=true, uv=true, 0 allowed credentials webauthncli/fido2.go:167
Tap your security key
2024-08-21T11:46:45+03:00 DEBU             FIDO2: Device /dev/hidraw3: info &libfido2.DeviceInfo{Versions:[]string{"U2F_V2", "FIDO_2_0"}, Extensions:[]string{"hmac-secret"}, AAGUID:[]uint8{0xfa, 0x2b, 0x99, 0xdc, 0x9e, 0x39, 0x42, 0x57, 0x8f, 0x92, 0x4a, 0x30, 0xd2, 0x3c, 0x41, 0x18}, Options:[]libfido2.Option{libfido2.Option{Name:"rk", Value:"true"}, libfido2.Option{Name:"up", Value:"true"}, libfido2.Option{Name:"plat", Value:"false"}, libfido2.Option{Name:"clientPin", Value:"true"}}, Protocols:[]uint8{0x1}} webauthncli/fido2.go:802
2024-08-21T11:46:47+03:00 DEBU             FIDO2: Got 1 assertions webauthncli/fido2.go:250
2024-08-21T11:46:47+03:00 DEBU             FIDO2: Authenticated: credential ID (b64) = rrsYtuYVUTfwUUeZIs14dw, user ID (hex) = 65363736636464312d383532642d343537652d396664322d663864646261333462373433, user name = "" webauthncli/fido2.go:258
2024-08-21T11:46:47+03:00 DEBU             FIDO2: Device /dev/hidraw3: callback returned, requiresPIN=false, err=<nil> webauthncli/fido2.go:825
Detected security key tap
2024-08-21T11:46:47+03:00 DEBU             FIDO2: Close device /dev/hidraw3, err=<nil> webauthncli/fido2.go:784
2024-08-21T11:46:47+03:00 DEBU             FIDO2: Cancel device /dev/hidraw3, err=<nil> webauthncli/fido2.go:768
2024-08-21T11:46:47+03:00 DEBU             FIDO2: Device goroutines exited cleanly webauthncli/fido2.go:630
ERROR REPORT:
Original Error: *trace.AccessDeniedError invalid credentials
Stack Trace:
Caught:
  github.com/gravitational/teleport/lib/httplib/httplib.go:216 github.com/gravitational/teleport/lib/httplib.ConvertResponse
  github.com/gravitational/teleport/lib/client/https_client.go:124 github.com/gravitational/teleport/lib/client.(*WebClient).PostJSON
  github.com/gravitational/teleport/lib/client/weblogin.go:603 github.com/gravitational/teleport/lib/client.SSHAgentPasswordlessLogin
  github.com/gravitational/teleport/lib/client/api.go:3822 github.com/gravitational/teleport/lib/client.(*TeleportClient).pwdlessLogin
  github.com/gravitational/teleport/lib/client/api.go:3676 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin.func1
  github.com/gravitational/teleport/lib/client/api.go:3723 github.com/gravitational/teleport/lib/client.(*TeleportClient).loginWithHardwareKeyRetry
  github.com/gravitational/teleport/lib/client/api.go:3674 github.com/gravitational/teleport/lib/client.(*TeleportClient).SSHLogin
  github.com/gravitational/teleport/lib/client/api.go:3255 github.com/gravitational/teleport/lib/client.(*TeleportClient).Login
  github.com/gravitational/teleport/tool/tsh/common/tsh.go:1942 github.com/gravitational/teleport/tool/tsh/common.onLogin
  github.com/gravitational/teleport/tool/tsh/common/tsh.go:1433 github.com/gravitational/teleport/tool/tsh/common.Run
  github.com/gravitational/teleport/tool/tsh/common/tsh.go:608 github.com/gravitational/teleport/tool/tsh/common.Main
  github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
  runtime/proc.go:271 runtime.main
  runtime/asm_amd64.s:1695 runtime.goexit
User Message: invalid credentials

Resident key is the Discoverable Credentials / Resident Keys feature, which requires User Verification (uv=true), and I think that Teleport shouldn't add devices with resident keys to Teleport with passwordless=false and uv=false.

/cc @codingllama

codingllama commented 1 month ago

Hey efrikin,

I think you misunderstood the logs. The lines you quoted saying "passwordless=false, uv=false" are not the registration of the new device, they are part of the registered device check.

I suggest, if possible, that you reset the user, clear existing resident credentials in your authenticators and start fresh. I suspect this is less about Teleport's implementation of FIDO2 and more likely an operational error.

If you have a repro from a clean cluster, please let us know.