6 changes: 6 additions & 0 deletions api/constants/constants.go
Expand Up @@ -183,6 +183,12 @@ const (
OktaAssignmentTargetUnknown = "unknown"
)

// LocalConnectors are the system connectors that use local auth.
var LocalConnectors = []string{
LocalConnector,
PasswordlessConnector,
}

// SystemConnectors lists the names of the system-reserved connectors.
var SystemConnectors = []string{
LocalConnector,
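Review bot: `LocalConnectors` is an exported package-level `var` slice, so any importer can append to or reorder it and change which connectors every caller in the process treats as local auth; the existing `SystemConnectors` below has the same shape, so this follows file convention, but the security-relevant meaning of this list deserves a read-only note. Suggest extending the doc comment with `// Callers must treat this slice as read-only; clone it before modifying.`, or exposing it via a function that returns a fresh slice. Whether a headless connector constant exists in this file and belongs in this list cannot be seen from this hunk and should be checked against the headless path in lib/client/api.go.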
5 changes: 3 additions & 2 deletions lib/client/api.go
Expand Up @@ -3360,8 +3360,9 @@ func (tc *TeleportClient) getSSHLoginFunc(pr *webclient.PingResponse) (SSHLoginF
return tc.headlessLogin(ctx, priv)
}, nil
}
log.Debug("Headless login is disabled for this command. Only 'tsh ls', 'tsh ssh', and 'tsh scp' are supported. Defaulting to local authentication methods.")
fallthrough
return nil, trace.BadParameter("" +
"Headless login is not supported for this command. " +
"Only 'tsh ls', 'tsh ssh', and 'tsh scp' are supported.")
case constants.LocalConnector, "":
// if passwordless is enabled and there are passwordless credentials
// registered, we can try to go with passwordless login even though
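Review bot: The new `trace.BadParameter` on the unsupported-command path drops the remedy the removed debug line implied, so a user with a headless connector configured learns what is unsupported but not how to proceed; if `--auth=local` is the intended way around it (tsh already points users at that flag in its SSO warning), append it to the message, e.g. `"Only 'tsh ls', 'tsh ssh', and 'tsh scp' are supported. Use --auth=local to log in with local credentials."`. Failing closed here instead of `fallthrough` into local authentication is the right change, since silently downgrading the requested auth method hid a client misconfiguration from the user. The leading `"" +` on the first line of the concatenation is dead and can be dropped. getSSHLoginFunc and its enclosing switch begin and end outside this hunk.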
23 changes: 7 additions & 16 deletions tool/tsh/tsh.go
Expand Up @@ -1667,23 +1667,14 @@ func onLogin(cf *CLIConf) error {
}
}

// If the cluster is using single-sign on, providing the user name
// with --user is likely a mistake, so display a warning.
if cf.Username != "" {
var displayIgnoreUserWarning = false
if cf.AuthConnector != "" && cf.AuthConnector != constants.LocalConnector && cf.AuthConnector != constants.PasswordlessConnector {
displayIgnoreUserWarning = true
} else if cf.AuthConnector == "" {
// Get the Ping so we check if the default Auth type is SSO
pr, err := tc.Ping(cf.Context)
if err != nil {
return trace.Wrap(err, "Teleport proxy not available at %s.", tc.WebProxyAddr)
}
if pr.Auth.Type != constants.LocalConnector && pr.Auth.Type != constants.PasswordlessConnector {
displayIgnoreUserWarning = true
}
// If the cluster is using single-sign on, providing the user name with --user
// is likely a mistake, so display a warning.
if cf.Username != "" && !slices.Contains(constants.LocalConnectors, cf.AuthConnector) {
pr, err := tc.Ping(cf.Context)
if err != nil {
return trace.Wrap(err, "Teleport proxy not available at %s.", tc.WebProxyAddr)
}
if displayIgnoreUserWarning {
if !slices.Contains(constants.LocalConnectors, pr.Auth.Type) {
fmt.Fprintf(os.Stderr, "WARNING: Ignoring Teleport user (%v) for Single Sign-On (SSO) login.\nProvide the user name during the SSO flow instead. Use --auth=local if you did not intend to login with SSO.\n", cf.Username)
}
}
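Review bot: The simplified condition loses a case the removed code handled: when `--auth` names a non-local connector explicitly, the old code warned unconditionally, but the new code only warns if the proxy's default `pr.Auth.Type` is also non-local, so `tsh login --auth=<sso-connector> --user=<name>` against a cluster whose default auth is local now proceeds with SSO and no warning that the supplied user is ignored. The explicit connector is also now paid for with a `tc.Ping` round trip it did not need before. Decide the SSO question from `cf.AuthConnector` first and only fall back to the ping when it is empty; whether a headless connector should count as local here is not visible in this hunk. onLogin begins and ends outside this hunk.
```go
	if cf.Username != "" && !slices.Contains(constants.LocalConnectors, cf.AuthConnector) {
		// An explicitly requested non-local connector is SSO by definition;
		// only consult the proxy when no connector was given.
		isSSO := cf.AuthConnector != ""
		if !isSSO {
			pr, err := tc.Ping(cf.Context)
			if err != nil {
				return trace.Wrap(err, "Teleport proxy not available at %s.", tc.WebProxyAddr)
			}
			isSSO = !slices.Contains(constants.LocalConnectors, pr.Auth.Type)
		}
		if isSSO {
			// … unchanged: fmt.Fprintf WARNING about the ignored user …
		}
	}
```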