From 7d313a6ce83dad065ef88a4c452226d945337717 Mon Sep 17 00:00:00 2001 From: Brian Joerger Date: Mon, 28 Oct 2024 10:24:52 -0700 Subject: [PATCH] Allow Teleport Connect users to choose either WebAuthn or OTP in MFA prompts. (#47875) --- lib/client/mfa/prompt.go | 44 ------------------- lib/teleterm/clusters/storage.go | 11 ----- lib/teleterm/daemon/mfaprompt.go | 18 ++++---- .../modals/ReAuthenticate/ReAuthenticate.tsx | 8 ---- 4 files changed, 8 insertions(+), 73 deletions(-) diff --git a/lib/client/mfa/prompt.go b/lib/client/mfa/prompt.go index cfbb6e1c2d1a6..c96935c897f18 100644 --- a/lib/client/mfa/prompt.go +++ b/lib/client/mfa/prompt.go @@ -51,17 +51,8 @@ type PromptConfig struct { ProxyAddress string // WebauthnLoginFunc performs client-side Webauthn login. WebauthnLoginFunc WebauthnLoginFunc - // AllowStdinHijack allows stdin hijack during MFA prompts. - // Stdin hijack provides a better login UX, but it can be difficult to reason - // about and is often a source of bugs. - // Do not set this options unless you deeply understand what you are doing. - // If false then only the strongest auth method is prompted. - AllowStdinHijack bool // AuthenticatorAttachment specifies the desired authenticator attachment. AuthenticatorAttachment wancli.AuthenticatorAttachment - // PreferOTP favors OTP challenges, if applicable. - // Takes precedence over AuthenticatorAttachment settings. - PreferOTP bool // WebauthnSupported indicates whether Webauthn is supported. WebauthnSupported bool } @@ -81,41 +72,6 @@ func NewPromptConfig(proxyAddr string, opts ...mfa.PromptOpt) *PromptConfig { return cfg } -// RunOpts are mfa prompt run options. -type RunOpts struct { - PromptTOTP bool - PromptWebauthn bool -} - -// GetRunOptions gets mfa prompt run options by cross referencing the mfa challenge with prompt configuration. -func (c PromptConfig) GetRunOptions(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (RunOpts, error) { - promptTOTP := chal.TOTP != nil - promptWebauthn := chal.WebauthnChallenge != nil - - // Does the current platform support hardware MFA? Adjust accordingly. - switch { - case !promptTOTP && promptWebauthn && !c.WebauthnSupported: - return RunOpts{}, trace.BadParameter("hardware device MFA not supported by your platform, please register an OTP device") - case !c.WebauthnSupported: - // Do not prompt for hardware devices, it won't work. - promptWebauthn = false - } - - // Tweak enabled/disabled methods according to opts. - switch { - case promptTOTP && c.PreferOTP: - promptWebauthn = false - case promptWebauthn && c.AuthenticatorAttachment != wancli.AttachmentAuto: - // Prefer Webauthn if an specific attachment was requested. - promptTOTP = false - case promptWebauthn && !c.AllowStdinHijack: - // Use strongest auth if hijack is not allowed. - promptTOTP = false - } - - return RunOpts{promptTOTP, promptWebauthn}, nil -} - func (c PromptConfig) GetWebauthnOrigin() string { if !strings.HasPrefix(c.ProxyAddress, "https://") { return "https://" + c.ProxyAddress diff --git a/lib/teleterm/clusters/storage.go b/lib/teleterm/clusters/storage.go index 2be5817012fcf..79e6f63f57a0d 100644 --- a/lib/teleterm/clusters/storage.go +++ b/lib/teleterm/clusters/storage.go @@ -285,17 +285,6 @@ func (s *Storage) makeDefaultClientConfig(rootClusterURI uri.ResourceURI) *clien cfg.InsecureSkipVerify = s.InsecureSkipVerify cfg.AddKeysToAgent = s.AddKeysToAgent cfg.WebauthnLogin = s.WebauthnLogin - // Set AllowStdinHijack to true to enable daemon.mfaPrompt to ask for both TOTP and Webauthn at - // the same time if available. - // - // tsh sets AllowStdinHijack to true only during tsh login to avoid input swallowing bugs where - // calling a command would prompt for MFA and then expect some further data through stdin. tsh - // login does not ask for any further input after the MFA prompt. - // - // Since tsh daemon ran by Connect never expects data over stdin, it can always set this flag to - // true. - cfg.AllowStdinHijack = true - cfg.CustomHardwareKeyPrompt = s.HardwareKeyPromptConstructor(rootClusterURI) cfg.DTAuthnRunCeremony = dtauthn.NewCeremony().Run cfg.DTAutoEnroll = dtenroll.AutoEnroll diff --git a/lib/teleterm/daemon/mfaprompt.go b/lib/teleterm/daemon/mfaprompt.go index 81f53b9ab8004..a40d02130033b 100644 --- a/lib/teleterm/daemon/mfaprompt.go +++ b/lib/teleterm/daemon/mfaprompt.go @@ -73,13 +73,11 @@ func (s *Service) promptAppMFA(ctx context.Context, in *api.PromptMFARequest) (* // Run prompts the user to complete an MFA authentication challenge. func (p *mfaPrompt) Run(ctx context.Context, chal *proto.MFAAuthenticateChallenge) (*proto.MFAAuthenticateResponse, error) { - runOpts, err := p.cfg.GetRunOptions(ctx, chal) - if err != nil { - return nil, trace.Wrap(err) - } + promptOTP := chal.TOTP != nil + promptWebauthn := chal.WebauthnChallenge != nil && p.cfg.WebauthnSupported // No prompt to run, no-op. - if !runOpts.PromptTOTP && !runOpts.PromptWebauthn { + if !promptOTP && !promptWebauthn { return &proto.MFAAuthenticateResponse{}, nil } @@ -92,7 +90,7 @@ func (p *mfaPrompt) Run(ctx context.Context, chal *proto.MFAAuthenticateChalleng go func() { defer wg.Done() - resp, err := p.promptMFA(ctx, runOpts) + resp, err := p.promptMFA(ctx, promptOTP, promptWebauthn) respC <- libmfa.MFAGoroutineResponse{Resp: resp, Err: err} // If the user closes the modal in the Electron app, we need to be able to cancel the other @@ -103,7 +101,7 @@ func (p *mfaPrompt) Run(ctx context.Context, chal *proto.MFAAuthenticateChalleng }() // Fire Webauthn goroutine. - if runOpts.PromptWebauthn { + if promptWebauthn { wg.Add(1) go func() { defer wg.Done() @@ -128,12 +126,12 @@ func (p *mfaPrompt) promptWebauthn(ctx context.Context, chal *proto.MFAAuthentic return resp, nil } -func (p *mfaPrompt) promptMFA(ctx context.Context, runOpts libmfa.RunOpts) (*proto.MFAAuthenticateResponse, error) { +func (p *mfaPrompt) promptMFA(ctx context.Context, promptOTP, promptWebauthn bool) (*proto.MFAAuthenticateResponse, error) { resp, err := p.promptAppMFA(ctx, &api.PromptMFARequest{ ClusterUri: p.resourceURI.GetClusterURI().String(), Reason: p.cfg.PromptReason, - Totp: runOpts.PromptTOTP, - Webauthn: runOpts.PromptWebauthn, + Totp: promptOTP, + Webauthn: promptWebauthn, }) if err != nil { return nil, trail.FromGRPC(err) diff --git a/web/packages/teleterm/src/ui/ModalsHost/modals/ReAuthenticate/ReAuthenticate.tsx b/web/packages/teleterm/src/ui/ModalsHost/modals/ReAuthenticate/ReAuthenticate.tsx index aa8386031fed7..456b5a2bd494a 100644 --- a/web/packages/teleterm/src/ui/ModalsHost/modals/ReAuthenticate/ReAuthenticate.tsx +++ b/web/packages/teleterm/src/ui/ModalsHost/modals/ReAuthenticate/ReAuthenticate.tsx @@ -61,14 +61,6 @@ export const ReAuthenticate: FC<{ const logger = useLogger('ReAuthenticate'); const { promptMfaRequest: req } = props; - // TODO(ravicious): At the moment it doesn't seem like it's possible for both Webauthn and TOTP to - // be available at the same time (see lib/client/mfa.PromptConfig/GetRunOptions). Whenever both - // Webauthn and TOTP are supported, Webauthn is preferred. Well, unless AllowStdinHijack is - // specified, but lib/teleterm doesn't do this and AllowStdinHijack has a scary comment next to it - // telling you not to use it. - // - // Alas, the data structure certainly allows for this so the modal was designed with supporting - // such scenario in mind. const availableMfaTypes: MfaType[] = []; // Add Webauthn first to prioritize it if both Webauthn and TOTP are available. if (req.webauthn) {