Add MFAVerificationInterval option for roles #45569
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AntonAM
added
tsh
AntonAM
requested review from
tigrato and
rosstimothy
and removed request for
hugoShaka and
capnspacehook
AntonAM
force-pushed
the
anton/min-adjust-ttl
branch
2 times, most recently
from
4f448ee to
5939d87
Compare
tigrato
approved these changes
Aug 20, 2024
| // tsh proxy * derivatives. | ||
| // It's only effective if the session requires MFA. | ||
| // If not set, defaults to `max_session_ttl`. | ||
| int64 MinMFAVerificationInterval = 30 [ |
There was a problem hiding this comment.
Now that Alan imported the gogo proto wrappers, can we use the google.protobuf.Duration instead of the typecast?
There was a problem hiding this comment.
I tried it and it didn't play well, we get a Duration struct that is not nice to use, not the durationpb one. So I think better keep the legacy approach with the typecast
There was a problem hiding this comment.
Did you include de std duration flag for gogo? It generates a time.Duration
There was a problem hiding this comment.
Yeah, I missed that. Now looks ok, changed 1fdb62b
rosstimothy
reviewed
Aug 20, 2024
AntonAM
force-pushed
the
anton/min-adjust-ttl
branch
2 times, most recently
from
290babe to
3155daa
Compare
tigrato
approved these changes
Aug 21, 2024
rosstimothy
changed the title
rosstimothy
approved these changes
Aug 21, 2024
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
AntonAM
added a commit
that referenced
this pull request
Aug 22, 2024
* add min mfa ttl * Fix missing import * Take into account cluster wide's requirement of per session MFA. * Add tests. * Protobufs update. * Rename minMFAVerificationInterval to MFAVerificationInterval * Use google.protobuf.Duration instead of casttype Duration. * Remove unnecessary types.NewDuration cast. * Update docs for mfaVerificationInterval. --------- Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
AntonAM
added a commit
that referenced
this pull request
Aug 22, 2024
* add min mfa ttl * Fix missing import * Take into account cluster wide's requirement of per session MFA. * Add tests. * Protobufs update. * Rename minMFAVerificationInterval to MFAVerificationInterval * Use google.protobuf.Duration instead of casttype Duration. * Remove unnecessary types.NewDuration cast. * Update docs for mfaVerificationInterval. --------- Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Aug 22, 2024
* add min mfa ttl * Fix missing import * Take into account cluster wide's requirement of per session MFA. * Add tests. * Protobufs update. * Rename minMFAVerificationInterval to MFAVerificationInterval * Use google.protobuf.Duration instead of casttype Duration. * Remove unnecessary types.NewDuration cast. * Update docs for mfaVerificationInterval. --------- Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a new option to the roles spec -MFAVerificationInterval (mostly implemented by @tigrato). It allows to set a limit on TTL of the local tsh proxy certificates. Currently they were issued for the whole duration of
max_session_ttlwhich sometimes could be too long and some clients wanted to be able to shorten that period. If the new options is set, proxy will try to reissue certificates more often requiring to provide MFA for reissuing, so effectively client can now freely select what length between MFA checks is allowed.Fixes: #36638
Changelog: Allow to limit duration of local tsh proxy certificates with a new MFAVerificationInterval option.