Skip to main content

Session and Identity Locking

System administrators can disable a compromised user or Teleport agent—or prevent access during cluster maintenance—by placing a lock on a session, user or host identity.

Teleport will reject new API requests and terminate active connections to SSH, application, database, desktop, and Kubernetes sessions matching the lock's target.

A lock can target the following objects or attributes:

  • a Teleport user by the user's name
  • a Teleport RBAC role by the role's name
  • a Teleport trusted device by the device ID
  • an MFA device by the device's UUID
  • an OS/UNIX login
  • a Teleport agent by the agent's server UUID (effectively unregistering it from the cluster)
  • a Windows desktop by the desktop's name
  • an Access Request by UUID

Prerequisites

  • A running Teleport cluster version 17.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

  • The tctl admin tool and tsh client tool.

    Visit Installation for instructions on downloading tctl and tsh.

  • To check that you can connect to your Teleport cluster, sign in with tsh login, then verify that you can run tctl commands using your current credentials. For example:
    $ tsh login --proxy=teleport.example.com [email protected]
    $ tctl status
    # Cluster teleport.example.com
    # Version 17.0.0-dev
    # CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
    If you can connect to the cluster and run the tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Step 1/2. Create a lock

You can create a new lock with the tctl lock command. Specify the lock target with one of the following options:

$ tctl lock [email protected] --message="Suspicious activity." --ttl=10h
# Created a lock with name "dc7cee9d-fe5e-4534-a90d-db770f0234a1".
Troubleshooting: failed to create a lock?

If your user is missing a lock permission, you will get an error when creating a lock:

ERROR: access denied to perform action "create" on "lock"

Define a role locksmith:

kind: role
version: v5
metadata:
name: locksmith
spec:
allow:
rules:
- resources: [lock]
verbs: [list, create, read, update, delete]

Create the role:

$ tctl create -f locksmith.yaml
# role 'locksmith' has been created

Assign the locksmith role to your Teleport user by running the appropriate commands for your authentication provider:

  1. Retrieve your local user's roles as a comma-separated list:

    $ ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')
  2. Edit your local user to add the new role:

    $ tctl users update $(tsh status -f json | jq -r '.active.username') \
    --set-roles "${ROLES?},locksmith"
  3. Sign out of the Teleport cluster and sign in again to assume the new role.

With a lock in force, all established connections involving the lock's target get terminated while any new requests are rejected.

Errors returned and warnings logged in this situation feature a message of the form:

lock targeting User:"[email protected]" is in force: Suspicious activity.
note

You can tweak the message returned to a user with --message parameter:

$ tctl lock [email protected] --message="Please come back tomorrow." --ttl=24h
Under the hood: Lock resource and expiration

Note that without specifying --ttl or --expires, the created lock remains in force until explicitly removed with tctl rm. Refer to tctl lock --help for the list of all supported parameters.

Under the hood, tctl lock creates a resource:

kind: lock
version: v2
metadata:
name: dc7cee9d-fe5e-4534-a90d-db770f0234a1
spec:
target:
user: [email protected]
message: "Suspicious activity."
expires: "2021-08-14T22:27:00Z" # RFC3339 format

The kind: lock resources can also be created and updated using tctl create as per usual. See the Admin Guide for more details.

Step 2/2. List and delete active locks

Use tctl get command to list all active locks:

$ tctl get locks

Delete a lock resource:

$ tctl rm locks/24679348-baff-4987-a2cd-e820ab7f9d2b
lock "24679348-baff-4987-a2cd-e820ab7f9d2b" has been deleted

Deleting a lock will allow new sessions or host connections.

Next steps: Locking modes

If a Teleport Node or Proxy Service cannot properly synchronize its local lock view with the backend, there is a decision to be made about whether to rely on the last known locks. This decision strategy is encoded as one of the two modes:

  • strict mode causes all interactions to be terminated when the locks are not guaranteed to be up to date
  • best_effort mode keeps relying on the most recent locks

The cluster-wide mode defaults to best_effort. You can set up the default locking mode via API or CLI using a cluster_auth_preference resource or static configuration file.

If your Auth Service configuration (/etc/teleport.yaml by default) contains an auth_service.authentication section, edit the Teleport configuration file to contain the following:

auth_service:
authentication:
locking_mode: best_effort

Restart or redeploy the Auth Service for the change to take effect.

If not, edit your cluster authentication preference resource:

$ tctl edit cap

Adjust the file in your editor to include the following:

kind: cluster_auth_preference
metadata:
name: cluster-auth-preference
spec:
locking_mode: best_effort
version: v2

Save and close your editor to apply your changes.

It is also possible to configure the locking mode for a particular role:

kind: role
version: v5
metadata:
name: example-role-with-strict-locking
spec:
options:
lock: strict

When none of the roles involved in an interaction specify the mode or when there is no user involved, the mode is taken from the cluster-wide setting.

With multiple potentially conflicting locking modes (the cluster-wide default and the individual per-role settings) a single occurrence of strict suffices for the local lock view to become evaluated strictly.