Per-session MFA
Teleport supports requiring additional multi-factor authentication checks when starting new:
- SSH connections (a single
tsh sshcall, Web UI SSH session or Teleport Connect SSH session)
- Kubernetes sessions (a single
kubectlcall)
- Database sessions (a single
tsh db connectcall)
- Application sessions
- Desktop sessions
This is an advanced security feature that protects users against compromises of their on-disk Teleport certificates.
In addition to per-session MFA, enable login MFA in your SSO provider and/or for all local Teleport users to improve security.
Prerequisites
-
A running Teleport cluster version 17.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctland
tshclients.
Installing
tctland
tshclients
- Mac
- Windows - Powershell
- Linux
Download the signed macOS .pkg installer for Teleport, which includes the
tctland
tshclients:curl -O https://cdn.teleport.dev/teleport-17.0.0-dev.pkg
In Finder double-click the
pkgfile to begin installation.danger
Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.curl.exe -O https://cdn.teleport.dev/teleport-v17.0.0-dev-windows-amd64-bin.zip
Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
All of the Teleport binaries in Linux installations include the
tctland
tshclients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.curl -O https://cdn.teleport.dev/teleport-v17.0.0-dev-linux-amd64-bin.tar.gztar -xzf teleport-v17.0.0-dev-linux-amd64-bin.tar.gzcd teleportsudo ./install
Teleport binaries have been copied to /usr/local/bin
The
tctland
tshclients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at
/v1/webapi/pingand use a JSON query tool to obtain your cluster version:curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version'17.0.0-dev
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] to your Teleport username:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
Cluster teleport.example.com
Version 17.0.0-dev
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
- WebAuthn configured on this cluster
- Hardware device for multi-factor authentication, such as YubiKey or SoloKey
- A Web browser with WebAuthn support (if using SSH or desktop sessions from the Teleport Web UI).
Teleport FIPS builds disable local users. To configure WebAuthn in order to use
per-session MFA with FIPS builds, provide the following in your
teleport.yaml:
teleport:
auth_service:
local_auth: false
second_factors: ["webauthn"]
webauthn:
rp_id: teleport.example.com
Configure per-session MFA
Per-session MFA can be enforced cluster-wide or only for some specific roles.
Cluster-wide
To enforce MFA checks for all roles, edit your cluster authentication configuration.
Edit your
cluster_auth_preference resource:
tctl edit cap
Ensure that the resource contains the following content:
kind: cluster_auth_preference
metadata:
name: cluster-auth-preference
spec:
require_session_mfa: true
version: v2
Apply your changes by saving and closing the file in your editor.
Per role
To enforce MFA checks for a specific role, update the role to contain:
kind: role
version: v7
metadata:
name: example-role-with-mfa
spec:
options:
# require per-session MFA for this role
require_session_mfa: true
allow:
...
deny:
...
Role-specific enforcement only applies when accessing resources matching a
role's
allow section.
Roles example
Let's walk through an example of setting up per-session MFA checks for roles.
Jerry is an engineer with access to the company infrastructure. The infrastructure is split into development and production environments. Security engineer Olga wants to enforce MFA checks for accessing production servers. Development servers don't require this to reduce engineers' friction.
Olga defines two Teleport roles:
access-dev and
access-prod:
# access-dev.yaml
kind: role
version: v7
metadata:
name: access-dev
spec:
allow:
node_labels:
env: dev
logins:
- jerry
---
# access-prod.yaml
kind: role
version: v7
metadata:
name: access-prod
spec:
options:
# require per-session MFA for production access
require_session_mfa: true
allow:
node_labels:
env: prod
logins:
- jerry
deny: {}
Olga then assigns both roles to all engineers, including Jerry.
When Jerry logs into node
dev1.example.com (with label
env: dev as login
jerry), nothing
special happens:
But when Jerry logs into node
rod3.example.com (with label
env: prod as login
jerry), he
gets prompted for an MFA check:
If you are using
tsh in a constrained environment, you can tell it to use
OTP by doing
tsh --mfa-mode=otp ssh prod3.example.com.
OTP can only be used with per-session MFA when using
tsh or Teleport Connect to
establish connections. A hardware MFA key is required for using per-session
MFA with Teleport's Web UI.
If per-session MFA was enabled cluster-wide, Jerry would be prompted for MFA
even when logging into
dev1.example.com.
The Teleport Database Service supports per-connection MFA. When Jerry connects
to the database
prod-mysql-instance (with label
env: prod), he gets prompted
for an MFA check for each
tsh db connect or
tsh proxy db call:
tsh db connect prod-mysql-instance
Tap any security key
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10002
Server version: 8.0.0-Teleport (Ubuntu)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Jerry can also execute a query against multiple databases with a single MFA check
using the
tsh db exec command:
tsh db exec "select 1" --labels env=prod --db-user teleport-user --output-dir=logsSearching databases ...Found 2 database(s):
Name Description Protocol Labels--------------------- ----------- -------- --------prod-mysql-instance-1 mysql env=prodprod-mysql-instance-2 mysql env=prod
Do you want to proceed with 2 database(s)? [y/N]: yExecuting command for "prod-mysql-instance-1". Output will be saved at "logs/prod-mysql-instance-1.output".MFA is required to access Database "prod-mysql-instance-1"Tap any security keyDetected security key tapExecuting command for "prod-mysql-instance-2". Output will be saved at "logs/prod-mysql-instance-2.output".
Summary: 2 of 2 succeeded.Summary is saved at "logs/summary.json".
Note that each MFA check remains valid for up to 5 minutes. After the 5-minutes window, a new MFA check will be requested for new connections.
Limitations
Current limitations for this feature are:
- For SSH connections besides the Web UI, the
tshor Teleport Connect client must be used for per-session MFA. (The OpenSSH
sshclient does not work with per-session MFA).
- Only
kubectlsupports per-session WebAuthn authentication for Kubernetes.
- For desktop access, only WebAuthn devices are supported.
- When accessing a multi-port TCP application through VNet, the first connection over each port triggers an MFA check.
- For the
tsh db execcommand, only WebAuthn devices are supported.