gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Support Okta's auth api to enable CLI-only logins #8174

Open programmerq opened 3 years ago

programmerq commented 3 years ago

What

Currently, tsh login will work with an Okta auth backend using SAML or OIDC, which requires a web browser to complete the login. Okta also supplies an alternate authentication method. The Vault project has support for this to enable Okta login without the need for a browser (see https://www.vaultproject.io/docs/auth/okta as a reference).

How

A new type of connector that utilizes the Okta authentication API could be used to enable the following type of user-facing workflow:

tsh login --proxy teleport.example.com --auth okta --user okta_user@example.com [--okta-totp 123456] ...

Why

This will smooth out the user experience for situations where a graphical web browser is not readily available, and the environment has Okta available. It'll bring the Okta experience closer to the local auth user experience.

For example, if I am accessing a system via text only and do not have any type of port forward or ssh agent forward available, then I'd need to tsh login from that text-only environment. The lack of a graphical web browser makes this impossible. Hacks would need to be utilized to try to proxy packets in from where a web browser is running, but that may not always be possible.

Workaround

The workaround is to deal with the requirement for a browser even though this can be awkward or extremely difficult to achieve in some cases.

gz#4783

tpecora-cpi commented 2 years ago

When using the CLI to do a tsh login (and then it prompts a browser login) what can be done for a non-graphical environment? Users are asking for this feature.

As a reference, HashiCorp Vault can log in via Okta all from the CLI (including MFA, though from the CLI you just see it hang after entering your Okta password while Okta initiates the MFA request; once a valid MFA response is received the terminal becomes interactive again).
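The browser-less flow that the issue body and the comment above both describe (Vault-style Okta login: primary authentication with username/password, then a TOTP code or an Okta Verify push that is polled until approved, which is the "hang" phase the comment mentions) can be sketched as a plain client of Okta's Authentication API. The following is an added example written for this page; it is not Teleport or Vault code. It assumes the request and response shapes of Okta's documented Authentication API (POST /api/v1/authn, the MFA_REQUIRED transaction with embedded factors, the factor's verify link, and the MFA_CHALLENGE/WAITING poll link), so check those against current Okta documentation before relying on them; the FakeOkta class and every token and URL in it are constructed stand-ins so the example runs offline. The function and class names are the example's own.

```python
"""Browser-less Okta login via the Okta Authentication API (added example,
not Teleport or Vault code). Returns an Okta sessionToken, which a Teleport
connector would then exchange for Teleport certificates (not shown here)."""
import json
import time
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional

Json = Dict[str, Any]
PostFn = Callable[[str, Json], Json]  # (url, json_body) -> parsed JSON response


class OktaAuthError(Exception):
    """The authentication transaction did not end in status SUCCESS."""


def http_post_json(url: str, body: Json) -> Json:
    """Default transport: HTTPS POST with a JSON body, no Okta SDK required."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:  # Okta returns 401/403 with a JSON error body
        return json.loads(e.read() or b"{}")


def choose_factor(factors: List[Json], totp: Optional[str]) -> Json:
    """Use TOTP when the user passed a code (cf. --okta-totp), otherwise push.
    Fails closed rather than silently falling back to some other factor."""
    wanted = "token:software:totp" if totp else "push"
    for f in factors:
        if f.get("factorType") == wanted:
            return f
    raise OktaAuthError(f"no enrolled factor of type {wanted!r}")


def okta_cli_login(org_url: str, username: str, password: str, totp: Optional[str] = None,
                   post: PostFn = http_post_json, poll_interval: float = 2.0,
                   max_polls: int = 30, sleep: Callable[[float], None] = time.sleep) -> str:
    """Run primary auth + second factor entirely from the terminal; raise on failure."""
    resp = post(f"{org_url.rstrip('/')}/api/v1/authn",
                {"username": username, "password": password})
    status = resp.get("status")
    if status == "SUCCESS":  # no MFA policy applies to this user
        return resp["sessionToken"]
    if status != "MFA_REQUIRED":  # bad credentials, LOCKED_OUT, PASSWORD_EXPIRED, ...
        raise OktaAuthError(resp.get("errorSummary") or f"unexpected status {status!r}")

    factor = choose_factor(resp.get("_embedded", {}).get("factors", []), totp)
    body: Json = {"stateToken": resp["stateToken"]}
    if totp:
        body["passCode"] = totp
    resp = post(factor["_links"]["verify"]["href"], body)

    # Push: Okta answers MFA_CHALLENGE/WAITING until the phone approves, so poll
    # the "next" link. This is the phase where a CLI appears to hang.
    polls = 0
    while resp.get("status") == "MFA_CHALLENGE" and resp.get("factorResult") == "WAITING":
        if polls >= max_polls:
            raise OktaAuthError("push challenge not approved in time")
        polls += 1
        sleep(poll_interval)
        resp = post(resp["_links"]["next"]["href"], {"stateToken": resp["stateToken"]})

    if resp.get("status") == "SUCCESS":
        return resp["sessionToken"]  # single-use, short-lived; never log it
    raise OktaAuthError(resp.get("errorSummary") or f"factorResult={resp.get('factorResult')!r}")


class FakeOkta:
    """Constructed stand-in for an Okta org so the example runs offline.
    All tokens, ids and URLs here are made up; field names follow Okta's docs."""
    ORG = "https://example.okta.com"

    def __init__(self, password: str = "correct horse", totp: str = "123456",
                 pushes_until_ok: int = 2) -> None:
        self.password, self.totp, self.pushes_left = password, totp, pushes_until_ok

    def _factor(self, fid: str, ftype: str) -> Json:
        return {"id": fid, "factorType": ftype,
                "_links": {"verify": {"href": f"{self.ORG}/api/v1/authn/factors/{fid}/verify"}}}

    def post(self, url: str, body: Json) -> Json:
        if url.endswith("/api/v1/authn"):
            if body.get("password") != self.password:
                return {"errorCode": "E0000004", "errorSummary": "Authentication failed"}
            return {"status": "MFA_REQUIRED", "stateToken": "st-1", "_embedded": {"factors": [
                self._factor("totp1", "token:software:totp"), self._factor("push1", "push")]}}
        if "/factors/totp1/" in url:
            if body.get("stateToken") != "st-1" or body.get("passCode") != self.totp:
                return {"errorCode": "E0000068", "errorSummary": "Invalid Passcode/Answer"}
            return {"status": "SUCCESS", "sessionToken": "sess-totp"}
        if "/factors/push1/" in url:
            if self.pushes_left > 0:
                self.pushes_left -= 1
                return {"status": "MFA_CHALLENGE", "factorResult": "WAITING",
                        "stateToken": "st-1", "_links": {"next": {"name": "poll", "href": url}}}
            return {"status": "SUCCESS", "sessionToken": "sess-push"}
        return {"errorSummary": f"unknown endpoint {url}"}


if __name__ == "__main__":
    okta = FakeOkta()
    print(okta_cli_login(FakeOkta.ORG, "okta_user@example.com", "correct horse",
                         totp="123456", post=okta.post))  # sess-totp
    print(okta_cli_login(FakeOkta.ORG, "okta_user@example.com", "correct horse",
                         post=okta.post, sleep=lambda _: None))  # sess-push
```

Two practical caveats for anyone turning this into a connector: the user's Okta password and the resulting sessionToken should only ever travel to Okta and to the component that consumes the token, so the Okta call belongs on the server side of the connector rather than in every client; and the Authentication API shown here is the one Vault's okta method uses with Okta Classic orgs, so confirm which API your org exposes before building on it.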

Joerger commented 1 year ago

@programmerq Can we close this now that Headless SSO is available? Or is this feature request separate?