
per-session MFA fails with SSO user #48328

Open

Description

Expected behavior:

tsh db connect --db-user="teleport-admin" --db-name="postgres" self-hosted-postgres

should prompt for MFA
OR tell me that I need to register MFA if I don't have one registered

Current behavior:

$ ~/testplan/tsh db login self-hosted-postgres --db-user=teleport-admin --db-name=postgres
MFA is required to access Database "self-hosted-postgres"
ERROR: unknown or missing MFAAuthenticateResponse type <nil>

I finally realized this is because I logged in as an SSO user via a SAML connector, and I had never run tsh mfa add as that user.
The error message doesn't tell me that I have no MFA device registered, so as a user I have no idea what I need to do based on this error message.

Bug details:

  • Teleport version: v17.0.0-alpha.2
  • Recreation steps:
  1. enable per-session MFA
  2. login as some SSO user without MFA configured on tsh
  3. try to connect to a database
  • Debug logs:
$ tsh db connect --db-user="teleport-admin" --db-name="postgres" self-hosted-postgres --debug
2024-11-01T14:44:55-07:00 INFO [CLIENT]    ALPN connection upgrade required for "beta.devteleport.com:443": false. client/api.go:863
2024-11-01T14:44:55-07:00 INFO [CLIENT]    no host login given. defaulting to gavin client/api.go:1207
2024-11-01T14:44:55-07:00 INFO [CLIENT]    [KEY AGENT] Connected to the system agent: "/var/folders/q6/zdn14y5n5554fp957cjqfttm0000gn/T//ssh-fnyAOIz9AbnY/agent.25695" client/api.go:4656
2024-11-01T14:44:55-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:55-07:00 INFO [KEYAGENT]  Loading SSH key for user "gavin.frazar@goteleport.com" and cluster "beta.devteleport.com". client/keyagent.go:198
2024-11-01T14:44:55-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:55-07:00 DEBU [TSH]       Listing databases with predicate ((name == "self-hosted-postgres") || (labels["teleport.internal/discovered-name"] == "self-hosted-postgres")) and labels map[] common/db.go:1158
2024-11-01T14:44:55-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:55-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:55-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:55-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:55-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [TSH]       Selected database "self-hosted-postgres" by exact name match common/db.go:1056
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [TSH]       Starting local proxy tunnel because: MFA is required to connect to the database common/db.go:614
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [TSH]       /opt/homebrew/bin/psql postgres://teleport-admin@localhost:54257/postgres common/db.go:796
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
2024-11-01T14:44:56-07:00 DEBU [KEYSTORE]  Teleport TLS certificate valid until "2024-11-02 09:44:18 +0000 UTC". client/client_store.go:123
MFA is required to access Database "self-hosted-postgres"
2024-11-01T14:44:57-07:00 DEBU [CLIENT]    Issuing single-use certificate from unary GenerateUserCerts client/cluster_client.go:689
2024-11-01T14:44:57-07:00 ERRO [TSH]       Failed to start local proxy error:[
ERROR REPORT:
Original Error: *interceptors.RemoteError unknown or missing MFAAuthenticateResponse type <nil>
Stack Trace:
	github.com/gravitational/teleport/api@v0.0.0/client/client.go:1079 github.com/gravitational/teleport/api/client.(*Client).GenerateUserCerts
	github.com/gravitational/teleport/lib/client/cluster_client.go:690 github.com/gravitational/teleport/lib/client.PerformSessionMFACeremony
	github.com/gravitational/teleport/lib/client/cluster_client.go:455 github.com/gravitational/teleport/lib/client.(*ClusterClient).performSessionMFACeremony
	github.com/gravitational/teleport/lib/client/cluster_client.go:570 github.com/gravitational/teleport/lib/client.(*ClusterClient).IssueUserCertsWithMFA
	github.com/gravitational/teleport/lib/client/local_proxy_middleware.go:237 github.com/gravitational/teleport/lib/client.(*DBCertIssuer).IssueCert.func1
	github.com/gravitational/teleport/lib/client/api.go:629 github.com/gravitational/teleport/lib/client.RetryWithRelogin
	github.com/gravitational/teleport/lib/client/local_proxy_middleware.go:218 github.com/gravitational/teleport/lib/client.(*DBCertIssuer).IssueCert
	github.com/gravitational/teleport/lib/client/local_proxy_middleware.go:153 github.com/gravitational/teleport/lib/client.(*CertChecker).GetOrIssueCert
	github.com/gravitational/teleport/lib/client/local_proxy_middleware.go:127 github.com/gravitational/teleport/lib/client.(*CertChecker).OnStart
	github.com/gravitational/teleport/lib/srv/alpnproxy/local_proxy.go:169 github.com/gravitational/teleport/lib/srv/alpnproxy.(*LocalProxy).Start
	github.com/gravitational/teleport/tool/tsh/common/db.go:642 github.com/gravitational/teleport/tool/tsh/common.maybeStartLocalProxy.func1
	runtime/asm_arm64.s:1223 runtime.goexit
User Message: unknown or missing MFAAuthenticateResponse type <nil>] common/db.go:643
psql: error: connection to server at "localhost" (::1), port 54257 failed: Connection refused
	Is the server running on that host and accepting TCP/IP connections?
connection to server at "localhost" (127.0.0.1), port 54257 failed: server closed the connection unexpectedly
	This probably means the server terminated abnormally
	before or while processing the request.

ERROR REPORT:
Original Error: *exec.ExitError exit status 2
Stack Trace:
	github.com/gravitational/teleport/lib/client/db/dbcmd/error.go:58 github.com/gravitational/teleport/lib/client/db/dbcmd.ConvertCommandError
	github.com/gravitational/teleport/tool/tsh/common/db.go:809 github.com/gravitational/teleport/tool/tsh/common.onDatabaseConnect
	github.com/gravitational/teleport/tool/tsh/common/tsh.go:1544 github.com/gravitational/teleport/tool/tsh/common.Run
	github.com/gravitational/teleport/tool/tsh/common/tsh.go:624 github.com/gravitational/teleport/tool/tsh/common.Main
	github.com/gravitational/teleport/tool/tsh/main.go:26 main.main
	runtime/proc.go:272 runtime.main
	runtime/asm_arm64.s:1223 runtime.goexit
User Message: exit status 2
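The recreation steps above hinge on one fact: with per-session MFA enabled, the MFA ceremony needs a device registered with Teleport itself, and an SSO login does not register one. The pre-flight wrapper below is an added example written for this page (it is not tsh code, not Teleport project code, and not the reporter's); it runs the check the issue wants tsh to do before the ceremony starts: list the user's registered devices and, if there are none, tell the user to run `tsh mfa add` instead of failing with the opaque `MFAAuthenticateResponse` error. It assumes `tsh mfa ls --format json` prints a JSON array of device objects (empty array, `null`, or no output when none are registered); `tsh mfa ls`, `tsh mfa add` and `tsh db connect` are real subcommands, while the function names and the JSON handling are this example's own. The sample JSON in the test is constructed, not captured from a cluster.

```shell
#!/bin/sh
# Added example (not Teleport project code): pre-flight check that the
# logged-in user has at least one MFA device registered with Teleport before
# attempting a database connection that requires per-session MFA.
#
# Assumption: `tsh mfa ls --format json` emits a JSON array of device objects,
# and an empty array / null / no output when no device is registered.

# has_mfa_device OUTPUT
# Returns 0 when OUTPUT (the JSON from `tsh mfa ls --format json`) contains at
# least one device object, 1 when it is empty, "[]", "null" or whitespace.
has_mfa_device() {
    compact=$(printf '%s' "$1" | tr -d ' \t\r\n')
    case "$compact" in
        ""|"[]"|"null") return 1 ;;   # nothing registered
        *"{"*)          return 0 ;;   # at least one device object present
        *)              return 1 ;;   # unrecognised output: treat as none
    esac
}

# mfa_preflight_message HAS_DEVICE DB_NAME
# HAS_DEVICE is 0 when a device exists, 1 otherwise. Produces the actionable
# message the issue asks for, instead of the bare RemoteError from the server.
mfa_preflight_message() {
    if [ "$1" -eq 0 ]; then
        printf 'MFA device found; connecting to database "%s"\n' "$2"
    else
        printf 'MFA is required to access database "%s", but no MFA device is registered for this user.\n' "$2"
        printf 'Register one first with: tsh mfa add\n'
    fi
}

# tsh_db_connect_preflight DB_NAME [extra tsh db connect flags...]
# Runs the device check, then hands off to the real tsh only if it passes.
tsh_db_connect_preflight() {
    db="$1"; shift
    if ! devices=$(tsh mfa ls --format json); then
        printf 'tsh mfa ls failed; are you logged in (tsh login)?\n' >&2
        return 1
    fi
    if has_mfa_device "$devices"; then
        mfa_preflight_message 0 "$db"
        exec tsh db connect "$@" "$db"
    else
        mfa_preflight_message 1 "$db" >&2
        return 2
    fi
}

# Only invoke the wrapper when arguments are given, so sourcing this file (or
# running it bare) just defines the functions and never calls tsh.
if [ "$#" -gt 0 ]; then
    tsh_db_connect_preflight "$@"
fi
```

Usage, matching the issue's command line: `sh tsh-db-connect-preflight.sh self-hosted-postgres --db-user=teleport-admin --db-name=postgres`. The wrapper does not replace the server-side enforcement (the auth server still requires the MFA response when issuing the single-use certificate); it only moves the "no device registered" diagnosis to the client, before the ceremony runs.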
Labels: bug, database-access (Database access related issues and PRs), error-msg (Improving customer facing error messages), mfa (Issues related to Multi Factor Authentication), test-plan-problem (Issues which have been surfaced by running the manual release test plan), tsh (Teleport's command line tool for logging into nodes running Teleport)