Machine ID: Document 24h TTL limit and warn when exceeded (#44988)

This adds some notes to the Machine ID docs explaining that a TTL limit exists, and an explanation in the FAQ explaining why. It also adds a logged warning on bot startup if the TTL request exceeds the server limit. Fixes #44894
gravitational · Aug 2, 2024 · 85b9ff5 · 85b9ff5
1 parent 96de184
commit 85b9ff5
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/docs/pages/enroll-resources/machine-id/faq.mdx b/docs/pages/enroll-resources/machine-id/faq.mdx
@@ -69,4 +69,22 @@ credentials produced by Machine ID from being used to connect to resources.
 
 As a work-around, configure Device Trust enforcement on a role-by-role basis
 and ensure that it is not required for roles that you will impersonate using
-Machine ID.
+Machine ID.
+
+## Can Machine ID be used to generate long-lived certificates?
+
+Machine ID cannot currently be used to generate certificates valid for longer
+than 24 hours, and requests for longer certificates using the `certificate_ttl`
+parameter will be reduced to this 24 hour limit.
+
+This limit serves multiple purposes. For one, it encourages security best
+practices by only ever issuing very short lived certificates. Additionally, as
+Machine ID allows for certificate renewal, this limit helps to prevent further
+exploitation should a Machine ID identity be compromised: an attacker could use
+a stolen renewable certificate to request very long lived certificates and
+maintain access for a much longer period.
+
+If your use case absolutely requires long-lived certificates,
+[`tctl auth sign`](../../reference/cli/tctl.mdx#tctl-auth-sign) can
+alternatively be used, however this loses the security benefits of Machine ID's
+short-lived renewable certificates.
diff --git a/docs/pages/enroll-resources/machine-id/reference/configuration.mdx b/docs/pages/enroll-resources/machine-id/reference/configuration.mdx
@@ -49,6 +49,7 @@ proxy_server: "teleport.example.com:443" # or "example.teleport.sh:443" for Tele
 # certificate_ttl specifies how long certificates generated by `tbot` should
 # live for. It should be a positive, numeric value with an `m` (for minutes) or
 # `h` (for hours) suffix. By default, this value is `1h`.
+# This has a maximum value of `24h`.
 certificate_ttl: "1h"
 
 # renewal_interval specifies how often `tbot` should aim to renew the
@@ -703,7 +704,7 @@ appropriate.
 #### `directory`
 
 The `directory` destination type stores artifacts as files in a specified
-directory. 
+directory.
 
 ```yaml
 # type specifies the type of the destination. For the directory destination,

diff --git a/lib/tbot/config/config.go b/lib/tbot/config/config.go
@@ -445,6 +445,15 @@ func (conf *BotConfig) CheckAndSetDefaults() error {
 		)
 	}
 
+	if conf.CertificateTTL > defaults.MaxRenewableCertTTL {
+		log.WarnContext(
+			context.TODO(),
+			"Requested certificate TTL exceeds the maximum TTL allowed and will likely be reduced by the Teleport server",
+			"requested_ttl", conf.CertificateTTL,
+			"maximum_ttl", defaults.MaxRenewableCertTTL,
+		)
+	}
+
 	return nil
 }