Users able to generate identity certs that exceed role-specific max_session_ttl #7712

Open

Description

What happened:
After logging into Teleport with a role that has a max_session_ttl set to 8hr, I was able to generate a certificate that would be valid up to 30hrs.

What you expected to happen:
Expected behavior is that the ability to generate an identity cert should be limited to the max_session_ttl for the roles assumed by the user.

Reproduction Steps

As minimally and precisely as possible, describe step-by-step how to reproduce the problem.

  1. Create user with only a single role
  2. Set max_session_ttl to 8hr0m0s
  3. Export an identity cert that's longer than 8hrs with tsh login --auth=sso --out=test --ttl=1800

Server Details

  • Teleport version (run teleport version): 6.2.5

Client Details

  • Tsh version (tsh version): 6.2.5
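
A check for the condition reported above, as an added example that is not part of the original issue and is not Teleport code: it reads the `Valid:` line that `ssh-keygen -L` prints for an SSH certificate and flags a lifetime longer than the role's max_session_ttl. The function names, the sample output (constructed) and the one-minute skew allowance are assumptions.

```python
import re
from datetime import datetime, timedelta

VALID_RE = re.compile(r"^\s*Valid:\s*(.+?)\s*$", re.MULTILINE)
RANGE_RE = re.compile(r"from (\S+) to (\S+)")
GO_DURATION_RE = re.compile(r"(\d+)(h|m|s)")

# Constructed samples in the layout of `ssh-keygen -L` output (not real certs).
SAMPLE_30H = """test-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Valid: from 2021-07-26T10:00:00 to 2021-07-27T16:00:00
"""
SAMPLE_8H = "        Valid: from 2021-07-26T09:59:00 to 2021-07-26T18:00:00\n"


def parse_go_duration(text):
    """Parse a Go-style duration such as '8h0m0s' into a timedelta."""
    units = {"h": "hours", "m": "minutes", "s": "seconds"}
    parts = GO_DURATION_RE.findall(text)
    # Reject anything the simple h/m/s grammar does not fully cover.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    total = timedelta()
    for number, unit in parts:
        total += timedelta(**{units[unit]: int(number)})
    return total


def cert_lifetime(keygen_output):
    """Return the certificate lifetime, or None when a bound is missing."""
    match = VALID_RE.search(keygen_output)
    if match is None:
        raise ValueError("no 'Valid:' line found")
    bounds = RANGE_RE.fullmatch(match.group(1))
    if bounds is None:  # 'forever', 'after ...' or 'before ...'
        return None
    start, end = (datetime.fromisoformat(t) for t in bounds.groups())
    return end - start


def exceeds_max_ttl(keygen_output, max_session_ttl, skew=timedelta(minutes=1)):
    """True when the cert outlives max_session_ttl (plus an assumed skew)."""
    lifetime = cert_lifetime(keygen_output)
    if lifetime is None:  # an unbounded certificate always violates the limit
        return True
    return lifetime > parse_go_duration(max_session_ttl) + skew
```

`ssh-keygen -L` prints local time, so a certificate whose validity window spans a daylight-saving change can appear an hour longer or shorter than it is.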
Labels: bug, rbac (Issues related to Role Based Access Control), regression