Commit graph

6713 commits

Author SHA1 Message Date
Alen 93934eff16
Db access gui client improvements (#7950)
* Modifying db GUI guides to include pgAdmin Windows access and DBeaver MySQL access instructions
* Cert to Certificates to match screenshot
* Clearing up wording for readability and adding mysql.dbeaver_min_ver to config.json
2021-09-11 17:45:51 -07:00
Steven Martin 393c9f0a42
correct license file name in k8s cluster getting started (#8188) 2021-09-11 17:31:02 -07:00
Steven Martin 118c32d5ee
Modified auth server example to only have one auth server (#8199) 2021-09-11 17:20:20 -07:00
Alan Parra 6bc540050a
Add a global disable flag for Webauthn (#8191)
Since #8176[1] landed, tsh login favors Webauthn challenges over U2F, a behavior
recommended to other clients as well (such as the Web UI). This creates a
problem: until the Webauthn implementation is proven in the wild, if there are
issues with it, then clients could consistently fail login.

This change introduces a fallback for disabling Webauthn regardless of the
cluster's second_factor:on or second_factor:optional setting. By stopping
challenge generation we automatically push clients over to U2F or TOTP as a
fallback, allowing breaking issues to be fixed without impact. (Note that using
second_factor:u2f as a fallback isn't always possible, since it disables OTP as
well.)

The added setting is meant as a safety switch - once Webauthn is proved in the
wild it is to be removed.

This affects both teleport.yaml and cloud resource configs.

teleport.yaml:

```yaml
auth_service:
  authentication:
    type: local
    second_factor: on # or "optional"
    u2f: {}           # omitted
    webauthn:
      disabled: true
```

Resource configuration:

```yaml
kind: cluster_auth_preference
version: v2
spec:
  type: local
  second_factor: on
  webauthn:
    disabled: true
```

[1] https://github.com/gravitational/teleport/pull/8176

* Add global disable flag for Webauthn
* Generate protos
* Apply Webauthn global disable flag
2021-09-10 11:47:32 -07:00
Trent Clarke e91860631e
Port backend tests to testify / fix racy tests (#8170)
In order to get better visibility into the backend database tests using
the standard Go tooling, this changeset ports the backend tests away
from `Check`, and into subtests & `testify` for assertions.

This change means that individual sub-tests
 1. can be more easily identified in the json test logs, and
 2. can be more easily run individually from the command line

During this port I also discovered that some tests are using the fake
clocks incorrectly, which may be a cause of some of our flaky etcd
tests.
2021-09-10 04:14:04 -07:00
Steven Martin 079c678ac5
Expand error message on tctl enterprise usage (#8093) 2021-09-09 19:51:58 -07:00
Steven Martin aae9ffe393
Expanded AWS Console examples (#8127)
* Expanded AWS Console docs with more examples

* Corrected file names for cert file
2021-09-09 19:14:57 -07:00
Lisa Kim ecee1fdfb2
Account Recovery Token Getter and Create New Codes (#8177)
* Define new rpc CreateAccountRecoveryCodes that
  creates new recovery codes for users who meet requirements,
  invalidating their previous existing codes
* Define new rpc GetAccountRecoveryToken that
  validates and retrieves a recovery token
2021-09-09 15:31:22 -07:00
Roman Tkachenko 4ea2ecdcfc
Introduce app server and app resources (#8140) 2021-09-09 14:19:02 -07:00
Alan Parra 697e135c77
Pick a number for the Webauthn RFD (#8187) 2021-09-09 12:59:00 -07:00
Alan Parra 266c3dfd0f
Support Webauthn challenges in tsh login (#8176)
Implement the device polling loop for Webauthn devices and apply it to
tsh login.

A separate package, lib/auth/webauthncli, is introduced to hold client-focused
Webauthn logic. The separation highlights the distinction between server- and
client-side code and isolates client-side dependencies from the existing
lib/auth/webauthn.

Includes improved test coverage for TeleportClient.Login (local logins only) and
refactoring of existing code to support Webauthn challenges (PromptMFAChallenge
logic has less branching and U2F device loop extracted and refactored into
lib/auth/webauthncli).

In terms of device compatibility, this is identical to the existing U2F
solution: we are using the same underlying libraries and adapting the CTAP1
responses to Webauthn. This is easy to do and easy to reason about. I'm planning
for a native Webauthn solution, such as libfido2, but that is a larger change that
doesn't seem to get us all the way to where we want for now (looking at you,
Touch ID).

* Add transformations and validations to lib/auth/webauthn
* Implement client-side Webauthn login
* Use RunOnU2FDevices in the lib/auth/u2f package

This one is optional: it cuts a bit of the codebase today, but one could
argue that it is safer to keep U2F untouched (up to the point where it
gets removed).

* Use CollectedClientData definition in lib/auth/mocku2f
* Fix data race on auth.Server clock usage
* Add direct test for TeleportClient.Login
* Reply to Webauthn challenges on `tsh login`
2021-09-09 12:39:08 -07:00
Alan Parra 78ac83553b
RFD: WebAuthn Support (#7808)
* Initial draft for the WebAuthn RFD

* Address review comments: wording and spelling

* Simplify configuration settings

* Make tsh rely on the /webapi/ping server version

* Add a section on user handles

* Add the Attestation section

* Add a references section

* Update tsh+WebAuthn with latest data

* Add detailed Touch ID sections

* Errata on App Attestation Service

It appears to only support iOS.

* Simplify config and expand on RPID and RPOrigin

* Only use attestation from U2F if all attestation keys are empty

* Add U2F phase out section

* Tweaks to names and messages to better match the codebase

* Mention cluster_auth_preference changes
2021-09-09 12:14:38 -07:00
Brian Joerger b3bc7f396a
LoadIdentityFileFromString (#8132) 2021-09-09 11:24:36 -07:00
Lisa Kim 5695f3b611
Implement CompleteAccountRecovery, Step 3 in Account Recovery (#8103)
* Define new rpc CompleteAccountRecovery, Step 3 in Account Recovery
  after ApproveAccountRecovery. After success, the user's authn is changed,
  which allows a user to login with new credentials.
* Added a verifyMFARespAndAddDevice helper func to unify adding a
  device through stream or by a user token.
2021-09-08 14:26:25 -07:00
Lisa Kim da6e191fff
Implement ApproveAccountRecovery, Step 2 in Account Recovery (#8100)
* Define new RPC ApproveAccountRecovery, Step 2 in Account Recovery after
  StartAccountRecovery, that after successful invocation produces
  a recovery approved token that allows a user to change authn,
  view/delete their MFA devices and get new recovery codes.
* Placed a rate limit on this endpoint
* Added a verifyUserToken helper method that verifies
  that a user token is not expired and is of the allowed subkinds.
2021-09-08 12:56:49 -07:00
Nic Klaassen 0bcff02fe0
support empty string ca_pin (#8154) 2021-09-08 12:24:44 -07:00
Zac Bergquist 034e56bd50
webclient: use the provided context (#7801)
Ensure that the webclient package makes HTTP requests using the
provided context so that timeouts and cancelation are respected.

Updates #7795
2021-09-08 11:47:24 -07:00
Ben Arent 693c4a34e9
New videos for MongoDB Atlas and PostgreSQL (#8097) 2021-09-08 10:45:21 -07:00
Zac Bergquist 8a15c9a3a6
Require that public TLS and SSH keys are provided to register via token (#8135)
* Require that public TLS and SSH keys are provided to register via token

The original behavior attempted to make providing public keys optional,
and would generate keys if they were not provided. This had several
problems:

- The auth server is generating private keys for nodes and is
  potentially able to share them over the network.
- The return value for keys.Key would sometimes be set and sometimes
  be empty (the key is only set if the auth server generated it and
  knows what the key is)
- We only ever relied on this behavior as a shortcut in test code.
  In the production code this behavior was never used (and actually
  never worked due to a bug that would overwrite and discard the
  generated private key)

This commit requires that public keys are always provided, ensuring
that the private key is generated locally and never known by the
auth server.

It also results in a cleaner error message when either or both of the
public keys are missing from the request.

* Address review comments

* Fix tests that relied on certs being generated
2021-09-08 10:17:37 -07:00
Steven Martin adb7c6ea12
correct port number example (#8168) 2021-09-07 19:01:36 -07:00
Zac Bergquist 992c10f547
Stop using ; as a separator in URL query strings (#8143)
Go 1.17 (by default) disallows using ; as a separator. Our tests fail
on Go 1.17 with the following error. Since we only do this in test
code, it's easiest just to switch to & so we don't have a breakage
when we start compiling with 1.17.

See also: https://github.com/golang/go/issues/25192

Error:

    2021/09/03 10:21:57 http: URL query contains semicolon, which is no longer a supported separator; parts of the query may be stripped when parsed; see golang.org/issue/25192

    ----------------------------------------------------------------------
    FAIL: apiserver_test.go:473: WebSuite.TestSAMLSuccess

    apiserver_test.go:524:
        c.Assert(u.Scheme+"://"+u.Host+u.Path, Equals, fixtures.SAMLOktaSSO)
    ... obtained string = ":///web/msg/error/login"
    ... expected string = "https://dev-813354.oktapreview.com/app/gravitationaldev813354_teleportsaml_1/exkafftca6RqPVgyZ0h7/sso/saml"
2021-09-06 19:56:36 -07:00
Alan Parra b17f67dbeb
Unparallel racy test (#8142)
Fixes raciness on TestInit_bootstrap.
2021-09-03 16:32:07 -03:00
Andrej Tokarčík 2be3cc8695
Make TestLockWatcherStale more robust (#8134) 2021-09-03 08:20:38 -07:00
Tim Buckley f825d4558c
Do not attempt to sign Windows builds on push (#8137)
In #7897 we started signing Windows builds by default, which requires
a signing certificate. This certificate is only available during tag
builds, so push builds now fail.

This modifies the `push-build-windows-amd64` job to use the
`release-windows-unsigned` Makefile step on push builds to fix the
job failure.
2021-09-02 17:42:57 -06:00
Tim Buckley c821ec5f2f
Sign tsh.exe on tag builds (#7897)
* Sign tsh.exe on tag builds

This adds a Makefile step to sign tsh.exe when the
`$WINDOWS_SIGNING_CERTIFICATE` env var is set to a base64-encoded
pkcs12 code signing certificate. The certificate must not be password
protected.

This includes a sample cert (`cert-dummy.pfx`) for CI pipeline
testing. It should be removed in any eventual PR, along with the
other modifications to the drone pipeline. The cert is imported into
the environment in the `Makefile` for testing purposes; in practice
it will be imported from a secure secret store (drone secrets, etc).

* Improve Windows code signing

 - Split signing into a separate step; `release-windows-unsigned` now
   performs the build, `release-windows` signs the binary.
 - Require `release-windows` to successfully generate a signed
   binary.
 - Clearly mark unsigned binaries and archives as such.
 - Guard against stdout secret leakage in Makefiles.
 - Move temporary cert data from Makefile into dronegen to test
   full pipeline.

* Use an invalid cert string for testing purposes.

* Pass certs to the build process via a statically named file

Signed Windows builds now depend on a `.gitignore`'d
`windows-signing-cert.pfx` at the root of the source directory. This
should ease testing and help avoid accidental secret leakage.

* Use production secret

* Remove windows-signing-cert.pfx before continuing to the next step

Additionally, fix variable reference as the bracket syntax does not
seem to play nice with Drone.

* Update .gitignore

Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
2021-09-02 16:34:57 -06:00
Tim Buckley 6f56aa5c4f
Generate Windows-compatible OpenSSH config in tsh config (#7848)
* Generate Windows-compatible OpenSSH config in `tsh config`

This tweaks `tsh config` to generate OpenSSH config blocks compatible
with Windows. It works around several issues:
 * Hosts must be translated from a full hostname (e.g.
   `node.foo.example.com`) to a Teleport node name (`node`). On Unix
   clients we can use a bash subshell snippet to extract the cluster
   domain but this isn't possible on Windows. Instead, this adds a
   hidden tsh subcommand (`tsh config-proxy`) to act as a
   `ProxyCommand` that manipulates the strings as necessary.
 * Windows does not have an ssh-agent enabled by default. This
   configures `IdentityFile` and `CertificateFile` so no ssh-agent
   is needed. This should also improve the experience for users
   without a compatible ssh-agent (e.g. GNOME).
 * Windows requires a full executable path in `ProxyCommand`
   directives.

* Remove unnecessary conversion

* Use /usr/bin/ssh explicitly in `tsh config` template for Unix

* Remove special case for leaf clusters; always require a SiteName

* Apply suggestions from code review

Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>

* Pass through remote login name

This should improve compatibility with OIDC and other users with
federated Teleport usernames. The teleport proxy should always accept
a remote username for which the user's certificate is valid.

* Use `exec.LookPath` to resolve the ssh path

This prefers whichever `ssh` exists on the PATH for all OSes. After some
testing, Git for Windows SSH works just as well as Microsoft's, so we don't
need to overspecify things.

Also, quotes the tsh.exe path in generated config. Git for Windows' ssh
didn't autoescape the Windows paths.

Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
2021-09-02 15:47:43 -06:00
Alan Parra d00d6b97f9
Wire Webauthn to login endpoints (#8094)
Allow login using Webauthn instead of U2F.

Installs with second_factor:on will automatically support Webauthn, generating
challenges for any U2F devices and allowing Webauthn to be used throughout the
entire login process.

Web REST API modified as follows:

* Added /webapi/mfa/login/begin (1st login step)
* Added /webapi/mfa/login/finish (2nd login step, SSH)
* Added /webapi/mfa/login/finishsession (2nd login step, web session)
* U2F endpoints deprecated, but support full breadth of MFA login options
  (/webapi/u2f/signrequest, /webapi/u2f/certs and /webapi/u2f/sessions,
  respectively)

Auth REST API modified as follows:

* Added /:version/mfa/users/:user/login/begin (1st login step)
* ssh/authenticate and web/authenticate now support Webauthn (2nd login step)
* U2F endpoints deprecated, but support full breadth of MFA options as well
  (/:version/u2f/users/:user/sign)

RFD: https://github.com/gravitational/teleport/pull/7808.

* Plug Webauthn into MFAAuth protos
* Generate protos
* Make CredentialAssertionResponse json-friendly
* Add Webauthn proto conversions
* Wire Webauthn to auth apiserver
* Wire Webauthn login to web apiserver
* Wire Webauthn to web login
* Add missing license headers
* Delete login_identity_test.go
* Use previously acquired devices on mfaAuthChallenge
* Take U2F App ID literally if it's not a proper URL
* Add direct tests for auth.Server
* Use trace.BadParameter consistently
* Include user name in "failed to authenticate" logs
* Add more login-related tests to auth.Server
2021-09-02 11:51:42 -07:00
Andrej Tokarčík 138f8f8650
Fix session URL displayed by teleport status (#8072) 2021-09-02 10:01:14 -07:00
Alan Parra 133ebcd454
Correctly validate JWT CA on bootstrap (#8119)
Presently, teleport start --bootstrap state.yaml fails due to incorrect
handling of JWT CAs, even when the data is generated using
tctl get all --with-secrets.

Fixes https://github.com/gravitational/teleport/issues/7853.

* Correctly validate JWT CertAuthorities on bootstrap
* Remove commented code
2021-09-02 07:09:00 -07:00
Roman Tkachenko 3410bc8594
Dynamically register/unregister database resources (#7957) 2021-09-01 15:27:02 -07:00
Lisa Kim d0942b7abc
Implement StartAccountRecovery, Step 1 in Account Recovery (#8095)
* Define new RPC StartAccountRecovery
* Placed a rate limit on this endpoint
* Define new user token type `UserTokenTypeRecoveryStart`
  that allows users to begin the recovery process
* Added new field to UserTokenSpec, `UserTokenUsage`, to
  store data about how a user token will be used
2021-09-01 11:41:34 -07:00
Zac Bergquist 9a8bbc5b4d
auth: remove DataDir from RegisterParams (#8110)
We stopped using this field years ago when support for CA pinning
was added in e69e67e372.
2021-09-01 08:29:44 -07:00
Brian Joerger b4e7cd3a5e
Mask token in logs (#7955) 2021-08-31 11:11:23 -07:00
Paul Schisa 85addfbd36
Update Architecture Docs link in Readme (#8107)
Pointed out by a customer: the link in the Readme is no longer the current link, so updating it to https://goteleport.com/docs/architecture/overview/
2021-08-31 09:29:02 -07:00
Alexander Klizhentas 3610d05956
Cleanup docs on users and roles (#8098) (#8099)
* Cleanup docs on users and roles

- Updates roles to use v4
- Moves users to a separate guide
- Creates up to date reference for users and roles resources

* Update docs/pages/setup/reference/resources.mdx

Co-authored-by: Roman Tkachenko <roman@gravitational.com>
2021-08-30 19:53:44 -07:00
Trent Clarke 50ca44c18a
Access & Review request docs (#7791)
Adds documentation on how to use claims_to_roles in Access and Review Requests.

See-Also: #7135
See-Also: #7538
2021-08-31 11:51:22 +10:00
Brian Joerger a95b3ae066
Add kube-cluster env for tsh (#7867) 2021-08-30 14:28:24 -07:00
Alan Parra 91449219e7
Adapt lib/auth/webauthn to Identity and type changes (#8082)
Adjust lib/auth/webauthn to correctly match Identity methods (interfaces
deviated a little during reviews) and make use of WebauthnLocalAuth to create
and record Webauthn user IDs.

* Adjust lib/auth/webauthn to Identity and configs
* Apply default Webauthn challenge timeout
* Create and make use of Webauthn ID
2021-08-30 12:10:10 -07:00
Brian Joerger c10d55b69c
API workflows example (#6827) 2021-08-30 11:46:29 -07:00
Andrew Lytvynov 5b090f8633
Connect proxy <-> windows_desktop_service <-> RDP server (#7990)
* Connect proxy <-> windows_desktop_service <-> RDP server

Link together the proxy (websocket), service (mTLS) and RDP client. Pass
target desktop UUID via SNI on the TLS connection from the proxy.

* Use client CAs to validate incoming desktop_service connections

* Send binary frames on desktop websocket
2021-08-30 11:22:39 -07:00
Alan Parra 6561ea2748
Move newly-added Webauthn tests out of gocheck (#8074)
Move newly-added tests from gocheck to testing/require.

* Move newly-added Webauthn tests out of gocheck
* Use t.TempDir and t.Run
* Make use of newIdentityService in recently merged code
2021-08-30 10:59:01 -07:00
Alan Parra dba49bfad6
Lint and fix missing license headers (#8075)
Introduce new make targets to check and add license headers to files
("make lint-license" and "make fix-license"). License checking is now a part of
"make lint" as well.

Initial attempts used goheader, but it caused "make lint-go" to become about 9x
slower (if not more), plus it only targets go files. Google's addlicense is fast
enough and targets however many file types we want.

Existing files that were missing licenses got the header added, using the
current year as the license date.

* Introduce lint-license and fix-license make targets
* Ignore generated files
* Add license to go files
* Replace irregular licenses with standard copyright/license
* Add license to proto files
* Install addlicense in build.assets Dockerfile
2021-08-30 09:44:09 -07:00
Lisa Kim ab57eab5c0
[RC 2] Extend GetMFADevices to accept tokenID (#8036)
* Add withSecrets bool parameter to identity service GetMFADevices
  that removes the secret (TOTP key) if true
* Add web handlers for getting devices for authenticated users
* Fix data race with RecoveryAttemptsCRUD test
2021-08-26 19:19:35 -07:00
Lisa Kim 6c1a5b7b87
Implement Account Recovery Codes (#8034)
* Add diceware library to create the recovery codes
* Add new recovery code "generated" and "used" events
* Implement create, upsert, and get recovery codes
* Create ChangeUserAuthentication grpc endpoint that is essentially a rework
  of ChangePasswordWithToken that returns both a web session and
  recovery codes (if user meets requirement)
* Add custom rate limit for grpc endpoint for ChangeUserAuthentication

* This commit also includes unused methods related to verifying recovery
  codes and recovery attempts that aren't utilized until later PRs
2021-08-26 17:29:08 -07:00
Roman Tkachenko 66d79a4bb4
Update e (#8073) 2021-08-26 11:44:54 -07:00
Alan Parra f44ff5fc36
Add the WebAuthn user ID to LocalAuthSecrets (#8013)
WebAuthn recommends using a random user handle (aka user ID) in its protocol.
We are adding the user ID to LocalAuthSecrets (under Webauthn) and allowing it
to be updated and read, both through the user and independently.

The lib/auth/webauthn package is going to be responsible for assigning IDs to
users (and using them).

See https://www.w3.org/TR/webauthn-2/#sctn-user-handle-privacy.

WebAuthn Support RFD[1]

[1] https://github.com/gravitational/teleport/pull/7808

* Add Webauthn to LocalAuthSecrets
* Generate protos
* Add WebauthnLocalAuth persistence to Identity
2021-08-26 15:24:08 -03:00
Alan Parra c401bb7cf7
Implement WebAuthn login (#8009)
Add the necessary logic to perform WebAuthn logins/authentication, including
both necessary steps (named "Begin" and "Finish" after the Duo Labs
API/reference implementation).

Note that the login logic is not yet wired to Teleport, that is to come in a
future PR.

Part of the WebAuthn Support[1] work.

[1] https://github.com/gravitational/teleport/pull/7808

* Vendor duo-labs/webauthn and fxamacker/cbor/v2
* Implement the first step of login
* Implement the second step of login
* Add WebAuthn support for mock U2F devices
* Add tests for the complete login flow
* Be explicit about the default attestation value
* Refactor "appid" into a constant
* Add missing license headers
2021-08-26 10:50:59 -07:00
Alan Parra 43c3541ddc
Add support for WebAuthn configuration (#7949)
WebAuthn configuration works as follows:

* If there is an explicit WebAuthn config, use it
* Otherwise, try to fall back to the U2F config, copying/deriving what we can from it

Falling back to U2F allows users to easily migrate to Webauthn (in fact, if second_factor is "on" then Webauthn takes over from U2F).

See the "UX and configuration"[1] section of the RFD for reference.

[1] 0fc785dbff/rfd/9999-webauthn-support.md (ux-and-configuration)

* Add protos for WebAuthn configuration
* Add validation for types.Webauthn
* Add Webauthn to FileConfig
* goimports api/types/authentication_authpreference_test.go
* Add missing license headers
2021-08-26 10:24:05 -07:00
Alexander Klizhentas 5220853972
Move and expand troubleshooting section (#8052) 2021-08-25 15:09:11 -07:00
Rui Li 75a4105082
RFD 32: Datalog based role tester (#6818) 2021-08-25 17:04:56 -04:00