fix an issue IsMFARequired returns false when database name does not match #60846

Merged: greedy52 merged 2 commits into master from STeve/relax_mfa_check on Nov 10, 2025

@greedy52 greedy52 commented Oct 30, 2025

changelog: fix an issue where a Postgres database cannot be accessed via Teleport Connect when per-session MFA is enabled and the role does not have wildcard db_names

Note that the fix is on the Auth service.

Before

Connect (good access):
no MFA prompt, then:
[screenshot]

tsh (bad access):

# no MFA tap but shows access to db denied error
$ tsh db connect --db-user teleport-admin my-postgres-sales --db-name not-allowed
psql: error: connection to server at "localhost" (::1), port 60876 failed: Connection refused
	Is the server running on that host and accepting TCP/IP connections?
connection to server at "localhost" (127.0.0.1), port 60876 failed: access to db denied. User does not have permissions. Confirm database user and name.
ERROR: exit status 2

After

Connect (good access):
[two screenshots]

tsh (bad access):

# now must present MFA tap before observing the access denied error
$ tsh db connect --db-user teleport-admin my-postgres-sales --db-name not-allowed
MFA is required to access Database "my-postgres-sales"
Tap any security key
Detected security key tap
psql: error: connection to server at "localhost" (::1), port 62545 failed: Connection refused
	Is the server running on that host and accepting TCP/IP connections?
connection to server at "localhost" (127.0.0.1), port 62545 failed: access to db denied. User does not have permissions. Confirm database user and name.
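
The before/after behaviour described in this PR, as an added example in Go (not code from the PR or from Teleport). `Role`, `AccessAllowed`, `MFARequiredBefore` and `MFARequiredAfter` are hypothetical names in a simplified model, and the role values are constructed; it assumes the relaxed check still matches the database user.

```go
package main

import "fmt"

// Role is a hypothetical, simplified stand-in for a role's database rules.
type Role struct {
	DBNames           []string // allowed database names; "*" is a wildcard
	DBUsers           []string // allowed database users; "*" is a wildcard
	RequireSessionMFA bool     // per-session MFA enabled for this role
}

func matches(allowed []string, v string) bool {
	for _, a := range allowed {
		if a == "*" || a == v {
			return true
		}
	}
	return false
}

// AccessAllowed is the authorization decision: user and name must both match.
func AccessAllowed(r Role, dbUser, dbName string) bool {
	return matches(r.DBUsers, dbUser) && matches(r.DBNames, dbName)
}

// MFARequiredBefore models the reported behaviour: a database name that does
// not match makes the MFA check answer "not required".
func MFARequiredBefore(r Role, dbUser, dbName string) bool {
	return r.RequireSessionMFA && AccessAllowed(r, dbUser, dbName)
}

// MFARequiredAfter models the relaxed check: the database name no longer
// influences the MFA answer, and authorization stays a separate step.
// Assumption of this model: the database user is still matched.
func MFARequiredAfter(r Role, dbUser, dbName string) bool {
	return r.RequireSessionMFA && matches(r.DBUsers, dbUser)
}

func main() {
	// Constructed role: per-session MFA on, no wildcard in db_names.
	role := Role{DBNames: []string{"sales"}, DBUsers: []string{"teleport-admin"}, RequireSessionMFA: true}
	for _, name := range []string{"sales", "not-allowed"} {
		fmt.Printf("db-name=%q before=%v after=%v allowed=%v\n", name,
			MFARequiredBefore(role, "teleport-admin", name),
			MFARequiredAfter(role, "teleport-admin", name),
			AccessAllowed(role, "teleport-admin", name))
	}
}
```

For `not-allowed` the model answers "MFA required" only in the relaxed form, while access stays denied in both, which matches the tsh output above: the MFA tap now comes before the access denied error.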

greedy52 force-pushed the STeve/relax_mfa_check branch from 6ded22c to 2d6a0bc on October 31, 2025 17:41
greedy52 added the database-access and teleport-connect labels on Oct 31, 2025
greedy52 requested a review from ravicious on October 31, 2025 17:46
greedy52 marked this pull request as ready for review on October 31, 2025 17:46
github-actions bot requested review from tcsc and timothyb89 on October 31, 2025 17:46
greedy52 added this pull request to the merge queue on Nov 10, 2025
github-merge-queue bot removed this pull request from the merge queue due to failed status checks on Nov 10, 2025
greedy52 added this pull request to the merge queue on Nov 10, 2025
Merged via the queue into master with commit 2f2d7b4 on Nov 10, 2025
41 checks passed
greedy52 deleted the STeve/relax_mfa_check branch on November 10, 2025 19:50
@backport-bot-workflows

@greedy52 See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v17 | Create PR |
| branch/v18 | Create PR |

Labels: backport/branch/v17, backport/branch/v18, database-access, size/sm, teleport-connect