diff --git a/constants.go b/constants.go
index af059bc1ffe54..803a58d44fbbd 100644
--- a/constants.go
+++ b/constants.go
@@ -410,6 +410,10 @@ const (
 
 	// MinimumEtcdVersion is the minimum version of etcd supported by Teleport
 	MinimumEtcdVersion = "3.3.0"
+
+	// EnvVarAllowNoSecondFactor is used to allow disabling second factor auth
+	// todo(tross): DELETE WHEN ABLE TO
+	EnvVarAllowNoSecondFactor = "TELEPORT_ALLOW_NO_SECOND_FACTOR"
 )
 
 const (
diff --git a/lib/auth/init.go b/lib/auth/init.go
index 0b14c88dffb8a..10987111ba6e1 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -26,6 +26,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"os"
 	"slices"
 	"strings"
 	"sync"
@@ -786,14 +787,15 @@ func initializeAuthPreference(ctx context.Context, asrv *Server, newAuthPref typ
 	}
 
 	if !shouldReplace {
-		if err := modules.ValidateResource(storedAuthPref); err != nil {
+		if os.Getenv(teleport.EnvVarAllowNoSecondFactor) != "true" {
+			err := modules.ValidateResource(storedAuthPref)
 			if errors.Is(err, modules.ErrCannotDisableSecondFactor) {
 				return trace.Wrap(err, secondFactorUpgradeInstructions)
 			}
-
-			return trace.Wrap(err)
+			if err != nil {
+				return trace.Wrap(err)
+			}
 		}
-
 		return nil
 	}
 
diff --git a/lib/modules/modules.go b/lib/modules/modules.go
index 0812cf4ef06df..abc6b41fef043 100644
--- a/lib/modules/modules.go
+++ b/lib/modules/modules.go
@@ -25,6 +25,7 @@ import (
 	"crypto"
 	"errors"
 	"fmt"
+	"os"
 	"runtime"
 	"sync"
 	"time"
@@ -332,7 +333,10 @@ var ErrCannotDisableSecondFactor = errors.New("cannot disable multi-factor authe
 
 // ValidateResource performs additional resource checks.
 func ValidateResource(res types.Resource) error {
-	if GetModules().Features().Cloud || !IsInsecureTestMode() {
+	// todo(tross): DELETE WHEN ABLE TO [remove env var, leave insecure test mode]
+	if GetModules().Features().Cloud ||
+		(os.Getenv(teleport.EnvVarAllowNoSecondFactor) != "yes" && !IsInsecureTestMode()) {
+
 		switch r := res.(type) {
 		case types.AuthPreference:
 			if !r.IsSecondFactorEnforced() {
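Review bot: The bypass value is inconsistent between the two call sites: this hunk skips the stored-preference validation only when `TELEPORT_ALLOW_NO_SECOND_FACTOR` equals `"true"`, while the ValidateResource change in lib/modules/modules.go relaxes its check only when the variable equals `"yes"`, so no single setting exercises both paths and an operator who sets either value gets a partial, hard-to-diagnose result. Pick one literal, use it in both files and state it in the doc comment on EnvVarAllowNoSecondFactor in constants.go, e.g. `if os.Getenv(teleport.EnvVarAllowNoSecondFactor) != "yes" {`. Skipping a second-factor enforcement check because of an environment variable should also leave a trace in the logs, for instance an `else` branch with `slog.WarnContext(ctx, "skipping second factor enforcement check because TELEPORT_ALLOW_NO_SECOND_FACTOR is set")`, so a later review of why a cluster runs without a second factor can find the cause; `log/slog` is already imported in this file. initializeAuthPreference starts and ends outside this hunk.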
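Review bot: The three-way condition in the new `if` is hard to read, and the blank line left between its closing `{` and the `switch` looks like an unfinished edit; reading the variable into a named boolean first, e.g. `allowNoSecondFactor := os.Getenv(teleport.EnvVarAllowNoSecondFactor) == "yes"` followed by `if GetModules().Features().Cloud || (!allowNoSecondFactor && !IsInsecureTestMode()) {`, makes it clear that Cloud always enforces and that the escape hatch only widens the non-Cloud, non-test case. The todo comment should also name the condition under which the escape hatch is removed, since "DELETE WHEN ABLE TO" gives a future maintainer nothing to check against. ValidateResource's body continues outside this hunk.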