MFA for Administrative Actions

Available for: OpenSource, Enterprise, Cloud

Teleport can be configured to require additional multi-factor authentication checks to perform administrative actions through tctl, tsh, the Web UI, Teleport Connect, and any other Teleport client.

Examples of administrative actions include, but are not limited to:

  • Resetting or recovering user accounts
  • Inviting new users
  • Updating cluster configuration resources
  • Modifying access management resources
  • Approving access requests
  • Generating new join tokens
  • Impersonation
  • Creating new bots for Machine ID

This is an advanced security feature that protects users against compromises of their on-disk Teleport certificates.

When MFA for administrative actions is enabled, user certificates produced with tctl auth sign will no longer be suitable for automation due to the additional MFA checks.

For automated workflows, we recommend issuing certificates with Machine ID, which uses role impersonation and is therefore not subject to MFA checks.

Certificates produced with tctl auth sign directly on an Auth Service instance using the super-admin role are not subject to MFA checks to support legacy self-hosted setups.

Prerequisites

  • A running Teleport cluster. For details on how to set this up, see the Getting Started guide.

  • The tctl admin tool and tsh client tool version >= 15.1.1.

    See Installation for details.

To check version information, run the tctl version and tsh version commands. For example:

tctl version

Teleport v15.1.1 git:api/14.0.0-gd1e081e go1.21

tsh version

Teleport v15.1.1 go1.21

Proxy version: 15.1.1
Proxy: teleport.example.com

  • A Teleport Team account. If you don't have an account, sign up to begin your free trial.

  • The Enterprise tctl admin tool and tsh client tool, version >= 14.3.6.

    You can download these tools from the Cloud Downloads page.

To check version information, run the tctl version and tsh version commands. For example:

tctl version

Teleport Enterprise v14.3.6 git:api/14.0.0-gd1e081e go1.21

tsh version

Teleport v14.3.6 go1.21

Proxy version: 14.3.6
Proxy: teleport.example.com

  • A running Teleport Enterprise cluster. For details on how to set this up, see the Enterprise Getting Started guide.

  • The Enterprise tctl admin tool and tsh client tool version >= 15.1.1.

    You can download these tools by visiting your Teleport account workspace.

To check version information, run the tctl version and tsh version commands. For example:

tctl version

Teleport Enterprise v15.1.1 git:api/14.0.0-gd1e081e go1.21

tsh version

Teleport v15.1.1 go1.21

Proxy version: 15.1.1
Proxy: teleport.example.com

  • A Teleport Enterprise Cloud account. If you don't have an account, sign up to begin a free trial of Teleport Team and upgrade to Teleport Enterprise Cloud.

  • The Enterprise tctl admin tool and tsh client tool version >= 14.3.6.

    You can download these tools from the Cloud Downloads page.

To check version information, run the tctl version and tsh version commands. For example:

tctl version

Teleport Enterprise v14.3.6 git:api/14.0.0-gd1e081e go1.21

tsh version

Teleport v14.3.6 go1.21

Proxy version: 14.3.6
Proxy: teleport.example.com

  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. tctl is supported on macOS and Linux machines. For example:
    tsh login --proxy=teleport.example.com --user=[email protected]
    tctl status

    Cluster teleport.example.com

    Version 15.1.1

    CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678

    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.
  • WebAuthn configured on this cluster
  • A second-factor hardware device, such as a YubiKey or SoloKey
  • A web browser with WebAuthn support (if using SSH or desktop sessions from the Teleport Web UI)

Require MFA for administrative actions

MFA for administrative actions is automatically enforced for clusters where WebAuthn is the only form of second factor allowed.

In a future major version, Teleport may enforce MFA for administrative actions for a wider range of cluster configurations.

Edit the cluster_auth_preference resource:

tctl edit cap

Update the cluster_auth_preference definition to include the following content:

kind: cluster_auth_preference
version: v2
metadata:
  name: cluster-auth-preference
spec:
  type: local
  # To make webauthn the only form of second factor allowed, set this field to 'webauthn'.
  second_factor: "webauthn"
  webauthn:
    rp_id: example.com

Save and exit the file. tctl will update the remote definition:

cluster auth preference has been updated

Alternatively, if the cluster uses static configuration, edit the Auth Service's teleport.yaml file and restart all Auth Service instances:

# snippet from /etc/teleport.yaml:
auth_service:
  authentication:
    type: local
    # To make webauthn the only form of second factor allowed, set this field to 'webauthn'.
    second_factor: "webauthn"
    webauthn:
      rp_id: example.com
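To check an existing configuration against the condition above (WebAuthn as the only permitted second factor, set either in the cluster_auth_preference resource or in the auth_service.authentication block of teleport.yaml), here is an added Python example that is not part of Teleport or of this page. It assumes the resource text has already been fetched, for example with tctl get cap, and parses only the flat key/nested-mapping YAML shown in both snippets above.

```python
# Added example, not Teleport's code: report whether an auth-preference
# snippet puts the cluster in the one configuration where MFA for admin
# actions is enforced automatically (second_factor exactly "webauthn").
# Stdlib only; the tiny parser covers the key/nested-mapping YAML used by
# cluster_auth_preference and auth_service.authentication (no lists).

def parse_simple_yaml(text):
    """Flatten 'key: value' lines into {'a.b.c': 'value'} by indentation."""
    flat, stack = {}, []                          # stack of (indent, key)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # close deeper/sibling maps
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        value = value.strip().strip("'\"")
        if value:
            flat[path] = value
        else:
            stack.append((indent, key))           # nested mapping begins
    return flat

def admin_mfa_status(yaml_text):
    """Return (enforced, findings) for a cap resource or teleport.yaml snippet."""
    flat = parse_simple_yaml(yaml_text)
    prefix = ("spec" if flat.get("kind") == "cluster_auth_preference"
              else "auth_service.authentication")
    sf, findings = flat.get(prefix + ".second_factor"), []
    if sf is None:
        findings.append("second_factor unset: WebAuthn is not the only factor")
    elif sf != "webauthn":
        findings.append(f"second_factor={sf!r} still permits non-WebAuthn factors")
    if sf == "webauthn" and not flat.get(prefix + ".webauthn.rp_id"):
        findings.append("webauthn.rp_id is not set")
    return sf == "webauthn", findings

# Constructed inputs: the resource shown above, and an "on" variant (OTP allowed).
CAP_WEBAUTHN_ONLY = """\
kind: cluster_auth_preference
version: v2
metadata:
  name: cluster-auth-preference
spec:
  type: local
  second_factor: "webauthn"
  webauthn:
    rp_id: example.com
"""
CAP_OTP_ALLOWED = CAP_WEBAUTHN_ONLY.replace('"webauthn"', '"on"')
```

A second_factor of "on" or "optional" still permits OTP, which is why only the exact value "webauthn" is reported as enforcing MFA for administrative actions.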