hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

Can't get vault token from Windows using login with mfa #20978

Open ghost opened 1 year ago

ghost commented 1 year ago

Describe the bug: Can't authenticate using login with MFA from Windows to receive the token, but executing the same auth from Linux I can.

To Reproduce: Steps to reproduce the behavior. From Linux:

vault login -token-only -method=ldap -path=customldap username=a_user
Password (will be hidden):
Initiating Interactive MFA Validation...
Enter the passphrase for methodID "a1b23d4-a9ea-83aa-b24e-abc1230429954" of type "totp":
hvs.CAESIKbFRpsz....

From Windows:

 C:\bin> vault login -token-only -method=ldap -path=customldap username=a_user
Password (will be hidden):
Initiating Interactive MFA Validation...
Enter the passphrase for methodID "a1b23d4-a9ea-83aa-b24e-abc1230429954" of type "totp":
Error making API request.

URL: POST https://vault.company.com/v1/sys/mfa/validate
Code: 403. Errors:

* failed to satisfy enforcement admintotp. error: 2 errors occurred:
        * MFA credentials not supplied
        * login MFA validation failed for methodID: [a1b23d4-a9ea-83aa-b24e-abc1230429954]

Expected behavior: Get a token from Windows using vault.exe, or add an argument like passcode=xxxxxx so it can be sent from stdin directly.

Environment:

Vault server configuration file(s):

# Paste your Vault config here.
# Be sure to scrub any sensitive values
storage "file" {
  "path" = "/vault/file"
}
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 1
}
default_lease_ttl = "168h"
max_lease_ttl = "720h"
ui = true
log_level = "trace"

Additional context: Tested the client from 1.11.x, 1.12.x and 1.13.x and got the same error. Can't interact to send the passcode.
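
As an added example (not code from this issue, and not part of Vault itself), a small Go helper in the spirit of the passcode argument asked for above: it reads the TOTP code from piped stdin instead of an interactive prompt, refuses to continue on an empty code (an empty value is what produced the 403 "MFA credentials not supplied" response shown above), and builds the request body for POST sys/mfa/validate, whose `mfa_request_id` and `mfa_payload` fields are the ones Vault's Login MFA API documents. The program name `mfavalidate` and the request-id value in the usage line are assumptions; the method ID is the one quoted in the report.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)
// readPasscode reads one line (e.g. piped stdin) and rejects an empty code before
// anything reaches Vault. TrimSpace also strips the \r\n a Windows console leaves.
func readPasscode(r io.Reader) (string, error) {
	line, err := bufio.NewReader(r).ReadString('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return "", fmt.Errorf("failed to read passphrase: %w", err)
	}
	code := strings.TrimSpace(line)
	if code == "" {
		return "", errors.New("empty passcode: refusing to call sys/mfa/validate")
	}
	return code, nil
}
// validateBody builds the JSON body for POST /v1/sys/mfa/validate: mfa_request_id from
// the first login step, and mfa_payload keyed by Login MFA method ID -> list of passcodes.
func validateBody(requestID, methodID, passcode string) ([]byte, error) {
	if requestID == "" || methodID == "" || passcode == "" {
		return nil, errors.New("request id, method id and passcode are all required")
	}
	return json.Marshal(map[string]interface{}{
		"mfa_request_id": requestID,
		"mfa_payload":    map[string][]string{methodID: {passcode}},
	})
}
func main() {
	// Usage (assumed program name, placeholder ids): echo 123456 | mfavalidate <mfa_request_id> <method_id>
	code, err := readPasscode(os.Stdin)
	var body []byte
	if err == nil && len(os.Args) == 3 {
		body, err = validateBody(os.Args[1], os.Args[2], code)
	} else if err == nil {
		err = errors.New("usage: mfavalidate <mfa_request_id> <method_id> (passcode on stdin)")
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(body)) // the body a Vault client would send to sys/mfa/validate
}
```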

ctracysf commented 1 year ago

I'm not sure what the "me too" etiquette is here, but we're encountering the same issue. Everything works great from Linux clients, but vault.exe on Windows just breezes past the TOTP prompt as though you hit <Enter> when you didn't, so you never even get a chance to input your TOTP code.

mihaivint commented 8 months ago

The issue comes from c.UI.AskSecret not waiting for input on Windows in command/base.go; I didn't chase this further. It's actually in the github.com/mitchellh/cli package. In case anyone wants a quick fix:

--- vault-1.15.5/command/base.go        2024-01-31 16:02:10.000000000 +0200
+++ vault-1.15.5-new/command/base.go    2024-02-13 16:29:56.649820386 +0200
@@ -4,6 +4,8 @@
 package command

 import (
+       pwd "github.com/hashicorp/go-secure-stdlib/password"
+       "runtime"
        "bytes"
        "flag"
        "fmt"
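
Review bot: the two added imports are placed above "bytes", outside the sorted order gofmt/goimports keeps; "runtime" belongs with the other standard-library imports (after "os") and the aliased pwd "github.com/hashicorp/go-secure-stdlib/password" with the third-party group. The second hunk also uses os.Stdin and os.Stderr, which this hunk does not import, so the patch relies on "os" already being imported in base.go; worth confirming before applying.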
@@ -269,6 +271,12 @@
        var err error
        if methodInfo.usePasscode {
                passcode, err = c.UI.AskSecret(fmt.Sprintf("Enter the passphrase for methodID %q of type %q:", methodInfo.methodID, methodInfo.methodType))
+               if len(passcode) == 0 && runtime.GOOS == "windows" {
+                       passcode, err = pwd.Read(os.Stdin)
+                       fmt.Fprintf(os.Stderr, "\n")
+                       if err != nil {
+                               return nil, err
+               }
                if err != nil {
                        return nil, fmt.Errorf("failed to read passphrase: %w. please validate the login by sending a request to sys/mfa/validate", err)
                }
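
Review bot: the new `if len(passcode) == 0 && runtime.GOOS == "windows" {` block is missing its closing brace: the `}` after `return nil, err` closes only the inner `if err != nil`, so the pre-existing `if err != nil { return nil, fmt.Errorf("failed to read passphrase: ...` ends up inside the Windows branch and the file will not compile as pasted; add a `}` before that existing check. The fallback also discards whatever error the first c.UI.AskSecret call returned, because `err` is overwritten by `pwd.Read(os.Stdin)` whenever the passcode came back empty, and it keys the second read on an empty passcode rather than on the prompt having returned early, so a deliberately empty entry on Windows silently gets a second prompt. Given the comment locates the root cause in github.com/mitchellh/cli, this is a call-site workaround and should be labelled as such.
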
Eric-N-Be commented 3 months ago

Any news on this bug?

Environment:
Vault Server Version (retrieve with vault status): 1.16.2
Vault CLI Version (retrieve with vault version): 1.17.1
Server Operating System/Architecture: Windows 11