mfa: handle older servers during IsMFARequired RPC from tsh (#6039)

tsh should gracefully fall back to the old code path if the server is pre-6.0 and doesn't implement IsMFARequired.
gravitational · Mar 25, 2021 · 5d74465 · 5d74465
1 parent 853ff9c
commit 5d74465
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/lib/client/client.go b/lib/client/client.go
@@ -286,6 +286,15 @@ func (proxy *ProxyClient) IssueUserCertsWithMFA(ctx context.Context, params Reis
 	defer clt.Close()
 	requiredCheck, err := clt.IsMFARequired(ctx, params.isMFARequiredRequest(proxy.hostLogin))
 	if err != nil {
+		if status.Code(err) == codes.Unimplemented {
+			// Probably talking to an older server, use the old non-MFA endpoint.
+			log.WithError(err).Debug("Auth server does not implement IsMFARequired.")
+			// SSH certs can be used without reissuing.
+			if params.usage() == proto.UserCertsRequest_SSH {
+				return key, nil
+			}
+			return proxy.reissueUserCerts(ctx, params)
+		}
 		return nil, trace.Wrap(err)
 	}
 	if !requiredCheck.Required {