Add draft for RFD/0090 - DB MFA Sessions#16739
Remove extra line breaks
## Details

When per-session-MFA is enabled, we should not restrict database cert TTL to 1 minute.

Instead, database cert TTL should be restricted to `max_session_ttl`, and the cert
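Review bot: the sentence ending in "and the cert" is cut off, so the draft never states what bounds the TTL beyond `max_session_ttl`; since `max_session_ttl` is configurable by the user, state explicitly that the issued DB cert TTL is still clamped to the cluster's maximum certificate duration (the 30-hour limit the reviewers point to in api/defaults/defaults.go), and that an unset value must not be treated as "no expiry", since, as noted in the review, that would let `tsh proxy db` run indefinitely without a second MFA prompt and ignore the cluster-wide restriction.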
I think that using the current default behavior, where the cert expiration time is set based on `max_session_ttl`, is reasonable. Alternatively, the DB MFA cert expiration time can be unset, allowing `tsh proxy db` to run forever without a second MFA prompt, though we will ignore the basic Teleport cluster restriction in this case.
`max_session_ttl` allows the user to change it as they like, although we have a maximum cert duration limit of 30 hours (defined in api/defaults/defaults.go). As long as it isn't asking for MFA excessively, I think that's fine.
I'm more concerned about how the user will be notified of the prompt, since the proxy just runs as a foreground terminal process. My YubiKey blinks green when it's ready for a tap, so this hasn't been an issue for me, but whether the user gets a system notification or just a line printed in the terminal with no notification is, I think, up to their personal system's configuration. I think Teleport Connect will solve this? @ravicious
Yes, in Connect, when the tsh daemon process becomes aware of this, it can notify the Electron app about it, and then the app can just bring its window to the top. This is how we decided to solve it for now, not only for per-session MFA but also for things like trying to connect to a proxy after your cert has expired.
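The TTL discussion above (clamping the DB cert TTL to `max_session_ttl` and to the cluster-wide 30-hour cap, and the risk of an unset expiry skipping the second MFA prompt) as an added Go example. This is illustrative code written for this page, not Teleport's implementation: `maxCertDuration` is assumed to be the 30-hour figure quoted in the thread, `legacyDBCertTTL` is the 1-minute value the draft proposes to drop, and the function names, the `naiveDBCertTTL` variant and the sample timestamps are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Assumed values for this example. The 30-hour cap is the figure the review
// thread attributes to api/defaults/defaults.go; the 1-minute value is the
// old per-session-MFA DB cert TTL the draft proposes to drop.
const (
	maxCertDuration = 30 * time.Hour
	legacyDBCertTTL = 1 * time.Minute
)

// errUnboundedTTL is returned when a caller asks for a cert with no expiry.
var errUnboundedTTL = errors.New("db cert TTL must be bounded by max_session_ttl")

// naiveDBCertTTL is the variant the thread warns about: an unset
// max_session_ttl (zero) is passed straight through, which yields a cert
// that never expires and therefore never triggers a second MFA prompt.
func naiveDBCertTTL(maxSessionTTL time.Duration) time.Duration {
	return maxSessionTTL
}

// dbCertTTL clamps the TTL of a DB cert issued after an MFA check to the
// role's max_session_ttl and to the cluster-wide maximum cert duration.
// A zero or negative max_session_ttl is rejected rather than treated as
// "no expiry", so leaving the option unset cannot bypass the cluster cap.
func dbCertTTL(maxSessionTTL time.Duration) (time.Duration, error) {
	if maxSessionTTL <= 0 {
		return 0, errUnboundedTTL
	}
	if maxSessionTTL > maxCertDuration {
		return maxCertDuration, nil
	}
	return maxSessionTTL, nil
}

// needsMFAReprompt reports whether a tunnel whose DB cert was issued at
// issuedAt with the given ttl must prompt for MFA again before serving a
// new connection at time now (the cert is treated as expired at exactly
// issuedAt+ttl).
func needsMFAReprompt(issuedAt time.Time, ttl time.Duration, now time.Time) bool {
	return !now.Before(issuedAt.Add(ttl))
}

func main() {
	// Constructed sample inputs for the demonstration.
	issued := time.Date(2022, 9, 27, 9, 0, 0, 0, time.UTC)
	for _, ttl := range []time.Duration{0, legacyDBCertTTL, 8 * time.Hour, 72 * time.Hour} {
		got, err := dbCertTTL(ttl)
		fmt.Printf("max_session_ttl=%v -> cert ttl=%v err=%v\n", ttl, got, err)
	}
	fmt.Println("naive handling of unset TTL yields:", naiveDBCertTTL(0))
	fmt.Println("re-prompt after 8h with an 8h cert:",
		needsMFAReprompt(issued, 8*time.Hour, issued.Add(8*time.Hour)))
}
```

Running `main` prints the clamped TTL for each input: the unset value is rejected with an error, 1 minute and 8 hours pass through unchanged, and 72 hours is clamped to 30 hours, while the naive variant silently returns a zero (unbounded) TTL for the unset case.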
xinding33 left a comment
This is a clear improvement to user experience, so no objections from me. The biggest open question is definitely security, so as long as the platform security team is OK with the changes, then I'm a +1.
@r0mant @klizhentas can you guys take a look? Marek suggested I put you two down as required approvers.
* mention that we will disable commands that save certs to disk when per-session-mfa is required
See also #7568, which is a similar request but for k8s sessions instead of DB sessions.
While it is a similar request, we don't have an equivalent to
This RFD describes the changes proposed to support per-session MFA with `tsh proxy db --tunnel` (which is necessary for use with GUI clients, so effectively this RFD is about supporting per-session MFA with GUI clients).

Relevant issue: #12538