Backport: mfa: cancel TOTP prompt if U2F was used #6658

Merged: 3 commits, May 3, 2021

@awly (Contributor) commented Apr 29, 2021

Backport of #6542 into v6

Implement context-based cancellation in `/lib/utils/prompt`, for MFA
prompts.

This fixes the following scenario:
```sh
# User has both OTP and U2F devices registered.
$ tsh mfa ls
Name  Type Added at                      Last used
----- ---- ----------------------------- -----------------------------
otp   TOTP Wed, 21 Apr 2021 19:41:44 UTC Wed, 21 Apr 2021 19:44:32 UTC
usb-a U2F  Wed, 21 Apr 2021 19:44:34 UTC Wed, 21 Apr 2021 19:44:34 UTC

# Add a new OTP device, using existing U2F device:
$ tsh mfa add
Choose device type [TOTP, U2F]: totp
Enter device name: otp2
Tap any *registered* security key or enter a code from a *registered* OTP device: <tap> # <- First OTP prompt here
Open your TOTP app and create a new manual entry with these fields:
Name: awly@localhost:3080
Issuer: Teleport
Algorithm: SHA1
Number of digits: 6
Period: 30s
Secret: 3UD42X2NN7EEZ6LUPG6NFMNOLDY6AJTS

Once created, enter an OTP code generated by the app: 607738 # <- Second OTP prompt here
MFA device "otp2" added.
```

Before this PR, the first OTP prompt (for `*registered* device`) would
hang in the background. The OTP code from the newly-registered device is
prompted later, but any text written ends up going to the first prompt.

After this PR, the first prompt is canceled and the code from a new
device goes to the second prompt as intended.

Note: this is implemented using pure Go code (background goroutine
consuming `os.Stdin`) rather than syscalls (e.g. `poll` or `select`)
for portability.

@awly enabled auto-merge (squash) April 29, 2021 18:43
@awly merged commit f90cfc5 into branch/v6 May 3, 2021
@awly deleted the andrew/v6/totp-cancel-prompt branch May 3, 2021 22:19
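
The cancellation pattern the PR description names (a single background goroutine consuming the input, with each prompt selecting on its context) can be sketched as follows. This is an added example, not the code from this PR or from `/lib/utils/prompt`; `ContextReader`, `NewContextReader`, `ReadLine` and `simulate` are hypothetical names, and an `io.Pipe` stands in for `os.Stdin`.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"io"
)

// ContextReader (hypothetical name) owns the only goroutine reading the input,
// so a canceled prompt leaves no stray reader behind to swallow later text.
type ContextReader struct{ lines chan string }

func NewContextReader(r io.Reader) *ContextReader {
	cr := &ContextReader{lines: make(chan string)}
	go func() {
		defer close(cr.lines) // EOF or read error ends the stream
		for sc := bufio.NewScanner(r); sc.Scan(); {
			cr.lines <- sc.Text() // waits until some prompt asks for a line
		}
	}()
	return cr
}

// ReadLine returns the next line, or ctx.Err() if the prompt is canceled first.
func (cr *ContextReader) ReadLine(ctx context.Context) (string, error) {
	select {
	case <-ctx.Done():
		return "", ctx.Err()
	case line, ok := <-cr.lines:
		if !ok {
			return "", io.EOF // sketch: read errors are also reported as EOF
		}
		return line, nil
	}
}

// simulate replays the PR's scenario on constructed input (a pipe, not os.Stdin).
func simulate() (code string, firstErr error) {
	pr, pw := io.Pipe()
	cr := NewContextReader(pr)
	ctx, cancel := context.WithCancel(context.Background())
	cancel() // security key tapped: the first OTP prompt is abandoned
	_, firstErr = cr.ReadLine(ctx)
	go io.WriteString(pw, "607738\n") // code typed for the second prompt
	code, _ = cr.ReadLine(context.Background())
	return code, firstErr
}

func main() { fmt.Println(simulate()) }
```

Because the canceled call returns without consuming anything, the line typed afterwards is delivered to the next `ReadLine` caller, which is the behaviour the description gives for the second OTP prompt.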