gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Teleport Connect doesn't support fallback to OTP when Per-session MFA is enabled #46820

Open gabrielcossette opened 1 month ago

gabrielcossette commented 1 month ago

Expected behavior: When Per-session MFA is enabled, there should be a way to fall back to OTP for Teleport Connect (when both "Hardware Key" and "Authenticator App" have been configured for a user).

Current behavior: Teleport Connect only prompts for the "Hardware Key".

Bug details:

In tsh, fallback to OTP is supported with the --mfa-mode=otp option. No such fallback seems available for Teleport Connect.

The documentation seems to indicate that it should be supported in both:

OTP can only be used with per-session MFA when using tsh or Teleport Connect to establish connections. A hardware MFA key is required for using per-session MFA with Teleport's Web UI.

Ref. https://goteleport.com/docs/admin-guides/access-controls/guides/per-session-mfa/

ravicious commented 3 weeks ago

Could you provide reproduction steps? I'm particularly interested in the action guarded by an MFA check that causes this to happen.

I just did a quick check and I believe this happens only for SSH connections.