TSH login doesn't work with Apple TouchID

[james-ryans]

I've followed this guide https://goteleport.com/docs/access-controls/guides/passwordless/#touch-id-not-usable but doesn't work as well.

I'm currently using Macbook Pro M1 with macOS Monterey version 12.5.1, I've made sure that the TSH v12.4.14 supports macOS v.12.5.1.

Below is my current teleport cluster auth preference config and how I ran the 'tsh' command, but nothing happened after the "Tap any security key" prompt appeared.

jamesryans@Jamess-MacBook-Pro /A/t/C/MacOS> tctl get cap
kind: cluster_auth_preference
metadata:
  id: xx
  labels:
    teleport.dev/origin: dynamic
  name: cluster-auth-preference
spec:
  allow_headless: true
  allow_local_auth: true
  allow_passwordless: true
  default_session_ttl: 12h0m0s
  disconnect_expired_cert: false
  idp:
    saml:
      enabled: true
  locking_mode: best_effort
  second_factor: "on"
  type: local
  webauthn:
    rp_id: xxx.teleport.sh
version: v2
jamesryans@Jamess-MacBook-Pro /A/t/C/MacOS> tsh version
Teleport v12.4.14 git:v12.4.14-0-g50daf82 go1.20.7
jamesryans@Jamess-MacBook-Pro /A/t/C/MacOS> tsh touchid diag
Has compile support? true
Has signature? true
Has entitlements? true
Passed LAPolicy test? true
Passed Secure Enclave test? true
Touch ID enabled? true
jamesryans@Jamess-MacBook-Pro /A/t/C/MacOS> tsh mfa add --proxy=xxx.teleport.sh:443 [email protected]
Choose device type [TOTP, WEBAUTHN, TOUCHID]: TOUCHID
Enter device name: james-work-macbook
Enter password for Teleport user [email protected]:
Tap any security key

Meanwhile, I was able to login to teleport dashboard using my TouchID.

[webvictim]

Touch ID in the browser and Touch ID at the command line have an enforced separation where they're treated as totally independent credentials and one can't be read by the other, unfortunately. This is a MacOS limitation/security restriction. As such, you can't use browser-based Touch ID to authenticate and add CLI-based Touch ID.

Here's a workaround:

• log into the web UI using your browser-based Touch ID
• go to Account Settings at the top right and click "Add Two-Factor Device"
• authenticate with your existing browser-based Touch ID
• choose another second factor to add which is not Touch ID, i.e. scan the QR code with an app for TOTP, or use a hardware security key like a Yubikey if you have one available
• once this is complete, go to the command line and use your newly-added second factor to set up CLI-based Touch ID
  • tsh mfa add --proxy=xxx.teleport.sh:443 [email protected] --type TOUCHID --mfa-mode otp

You can then remove the TOTP second factor once the CLI-based touch ID is added.

[lhjt]

Would you be able to confirm if this only works if the auth connectorName is set to local and not passwordless? My helm values contain:

authentication:
  type: local
  connectorName: passwordless

I enabled TOTP as a 2nd factor in the web interface and tried running your suggested command to add TOUCHID as a MFA type for my teleport account.

This still results in the following log output:

<omitted>
2023-09-08T18:00:08+10:00 DEBU             FIDO2: Using libfido2 for assertion webauthncli/api.go:171
2023-09-08T18:00:08+10:00 DEBU             FIDO2: assertion: passwordless=true, uv=true, 0 allowed credentials webauthncli/fido2.go:119
Tap your security key

[webvictim]

Is your laptop open (so the Touch ID sensor is active) and do you have the correct signed tsh binary from https://goteleport.com/download/?

If you can share the output of tsh touchid diag and tsh mfa ls that'd help.

[lhjt]

Apologies for the delay. I do not remember the specifics of this problem as I ended up allowing password authentication to get this to work. Still, I'll add more information again if I set up a new blank teleport cluster. My tsh touchid diag output was the same as what James provided. I also believe I did have the signed binary.

[james-ryans]

It doesn't work as well.. I've created another TOTP second factor

jamesryans@Jamess-MacBook-Pro ~> tsh login --proxy=xxx.teleport.sh:443 [email protected]
Enter password for Teleport user [email protected]:
Tap any security key or enter a code from a OTP device
> Profile URL:        https://xxx.teleport.sh:443
  Logged in as:       [email protected]
  Cluster:            xxx.teleport.sh
  Roles:              access, auditor, editor
  Logins:             root
  Kubernetes:         enabled
  Valid until:        2023-08-18 20:21:03 +0700 WIB [valid for 12h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

Did you know? Teleport Connect offers the power of tsh in a desktop app.
Learn more at https://goteleport.com/docs/connect-your-client/teleport-connect/

jamesryans@Jamess-MacBook-Pro ~> tsh touchid diag
Has compile support? true
Has signature? true
Has entitlements? true
Passed LAPolicy test? true
Passed Secure Enclave test? true
Touch ID enabled? true
jamesryans@Jamess-MacBook-Pro ~> tsh mfa add --proxy=xxx.teleport.sh:443 [email protected] --type TOUCHID
Enter device name: cli-work-macbook
Tap any *registered* security key
912688

[webvictim]

Try tsh mfa add --proxy=xxx.teleport.sh:443 [email protected] --type TOUCHID --mfa-mode otp

[james-ryans]

Now its working! Thanks.

jamesryans@Jamess-MacBook-Pro ~> tsh mfa add --proxy=xxx.teleport.sh:443 [email protected] --type TOUCHID --mfa-mode otp
Enter device name: cli-work-macbook
Enter an OTP code from a *registered* device:
Using platform authenticator, follow the OS prompt
MFA device "cli-work-macbook" added.
jamesryans@Jamess-MacBook-Pro ~> tsh logout
Logged out all users from all proxies.
jamesryans@Jamess-MacBook-Pro ~> tsh login --proxy=xxx.teleport.sh:443 [email protected]
Using platform authenticator, follow the OS prompt
> Profile URL:        https://xxx.teleport.sh:443
  Logged in as:       [email protected]
  Cluster:            xxx.teleport.sh
  Roles:              access, auditor, editor
  Logins:             root
  Kubernetes:         enabled
  Valid until:        2023-08-18 22:18:25 +0700 WIB [valid for 12h0m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

Did you know? Teleport Connect offers the power of tsh in a desktop app.
Learn more at https://goteleport.com/docs/connect-your-client/teleport-connect/

[james-ryans]

Is there another workaround for this solution? We need to avoid TOTP second factor and the hardware security key not feasible for us.

[webvictim]

Unfortunately not at the moment. You can remove the TOTP second factor once you have both browser- and CLI-based Touch ID set up if you want.

[james-ryans]

I see, thanks for the help.

[nooop3]

or use the Yubikey