gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

libfido2 support for tsh #8499

Closed codingllama closed 2 years ago

codingllama commented 2 years ago

What

Add libfido2 support for tsh.

libfido2 implements both CTAP1 and CTAP2 protocols, allowing us to better leverage the server-side Webauthn implementation. It seems to be the outstanding (only?) client-side implementation for CTAP2.

It supports Linux, macOS and Windows, among others.

This doesn't include Touch ID support - that is a different can of worms.

How

libfido2, unfortunately, is only available as a native library, which causes a few complications for tsh. Go bindings are available via the github.com/keys-pub/go-libfido2 package.

A draft implementation would work as follows:

Also note that libfido2 has its own set of dependencies: libcbor, OpenSSL 1.1+, zlib and libudev (Linux only). Our audience is fairly technical, in particular for tsh, so maybe installing a few packages is not much of an issue, but that remains as a discussion point.

Why

This gives us:

Workaround

We don't necessarily need libfido2; what we actually want is CTAP2 support for tsh (it's just that the list of options seems dim). Some research in this area might do us good, there may be something I missed in my initial combing for libraries.

CTAP1 works perfectly fine for the moment - I'm not aware of any CTAP2-exclusive authenticators. It does limit our options in terms of Webauthn features, though, and might become a limitation in the future.

codingllama commented 2 years ago

Related work: https://github.com/gravitational/teleport/issues/9160

codingllama commented 2 years ago

I've now landed enough PRs in master that I think we can call this done. I expect that there will be refinements to be done when we get people trying it out, but the overall implementation is there. :tada: