
Logins denied by RBAC rules no longer generate audit log entries #7652

Closed
timothyb89 opened this issue Jul 22, 2021 · 1 comment · Fixed by #7739
Labels: bug, regression, test-plan-problem (Issues which have been surfaced by running the manual release test plan)

Comments

@timothyb89 (Contributor)

In 6.0.1, login attempts when denied by RBAC rules generated audit log entries.

Example in 6.0.1 when principal is missing from certificate:

$ tsh ssh node
ERROR: access denied to tim connecting to node on cluster foo.example.com

...and the associated audit log entry:

{
  "addr.local": "127.0.0.1:3022",
  "addr.remote": "192.168.10.1:60180",
  "cluster_name": "",
  "code": "T3007W",
  "ei": 0,
  "error": "ssh: principal \"tim\" not in the set of valid principals for given certificate: [\"-teleport-nologin-a58cfc06-fd14-4952-83bf-995169799e49\"]",
  "event": "auth",
  "login": "tim",
  "success": false,
  "time": "2021-07-22T21:32:54.286Z",
  "uid": "c811a4a4-44ac-4d4f-8963-2e6a686ad614",
  "user": "tim2"
}

Similarly, if denied by node labels, the user sees this:

$ tsh ssh monitor
ERROR: access denied to tim connecting to node on cluster foo.example.com

... and an audit log entry is generated:

{
  "addr.local": "127.0.0.1:3022",
  "addr.remote": "192.168.10.1:60145",
  "cluster_name": "",
  "code": "T3007W",
  "ei": 0,
  "error": "user [email protected] is not authorized to login as [email protected]: access to server denied",
  "event": "auth",
  "login": "tim",
  "success": false,
  "time": "2021-07-22T21:31:48.917Z",
  "uid": "415609bf-e510-4c6c-b1e5-e1e660a68346",
  "user": "tim2"
}

Now in 7.0.0-beta.3, the user sees the following message in both cases:

$ tsh ssh node
ERROR: node "Node:\"node\" Login:\"tim\" " not found

In both cases, the proxy server logs the attempt as an authorization failure but no audit log is generated. Port forwarding attempts denied by RBAC rules do still generate audit log events in v7.0.0-beta.3.

v6.2.3 appears to behave the same as v7.0.0.

timothyb89 added the bug, test-plan-problem, regression labels Jul 22, 2021
@Joerger (Contributor) commented Jul 22, 2021

I looked into this a bit and found that the audit log isn't created because IsMFARequired returns an error before the ssh connection is attempted.

Error returned by IsMFARequired: "Node:\"server01\" Login:\"bjoerger\" " not found

When I remove the MFA required check, I get:

Error: access denied to bjoerger.com connecting to server01 on cluster example.com
Audit log:

{
  "addr.local": "127.0.0.1:3022",
  "addr.remote": "127.0.0.1:41080",
  "cluster_name": "example.com",
  "code": "T3007W",
  "ei": 0,
  "error": "ssh: principal \"bjoerger\" not in the set of valid principals for given certificate: [\"-teleport-nologin-e8f76798-4892-4607-9384-702b1b401cc7\"]",
  "event": "auth",
  "login": "bjoerger",
  "success": false,
  "time": "2021-07-22T19:24:38.357Z",
  "uid": "bc3e9f92-6100-44b9-8e17-f140d59c36a5",
  "user": "dev"
}
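As an added illustration (not Teleport's code and not from either commenter), the constructed Go model below reproduces the flow described in this thread and the fix landed in the commits that follow: when `isMFARequired` fails with "not found" for an unauthorized user, the client aborts before connecting and nothing reaches the audit log, whereas returning `false` lets the connection attempt produce the T3007W denial event. Node labels are reduced to a single `Env` field, the `MFA` flag and the rule that MFA is still demanded when any matching node needs it follow the fix's commit list, and the `rbacCheck`, `connect` and `login` names are assumptions.

```go
package main
import "fmt"

// Constructed model of the flow in this issue (not Teleport's code); Env stands in for node labels.
type Node struct{ Name, Env string; MFA bool }          // MFA: access to this node needs per-session MFA
type User struct{ Login, Env string; Logins []string } // Logins: the logins the user's roles allow
type AuditEvent struct{ Code, Login, Error string }

// rbacCheck reproduces the report's two denials: label mismatch, or a missing login principal.
func rbacCheck(u User, n Node) error {
	if u.Env != n.Env {
		return fmt.Errorf("access to server denied")
	}
	for _, l := range u.Logins {
		if l == u.Login {
			return nil
		}
	}
	return fmt.Errorf("principal %q not in the set of valid principals", u.Login)
}

// Pre-fix (fixed=false): fail with "not found" when no matching node is authorized, so the
// client never connects. Post-fix: only say whether a reachable match needs MFA; deny in connect().
func isMFARequired(u User, nodes []Node, fixed bool) (bool, error) {
	for _, n := range nodes {
		if rbacCheck(u, n) == nil && (n.MFA || !fixed) {
			return n.MFA, nil
		}
	}
	if !fixed {
		return false, fmt.Errorf("node %q login %q not found", nodes[0].Name, u.Login)
	}
	return false, nil
}

// connect is where a denial reaches the audit log (code T3007W in the reported events).
func connect(u User, n Node) (*AuditEvent, error) {
	if err := rbacCheck(u, n); err != nil {
		return &AuditEvent{Code: "T3007W", Login: u.Login, Error: err.Error()}, fmt.Errorf("access denied to %s connecting to %s", u.Login, n.Name)
	}
	return nil, nil // success: the session's own events would follow, omitted here
}

// login runs the client flow against the first matching node and returns the audited denial, if any.
func login(u User, nodes []Node, fixed bool) (*AuditEvent, error) {
	if _, err := isMFARequired(u, nodes, fixed); err != nil {
		return nil, err // aborted before connecting: nothing is audited
	}
	return connect(u, nodes[0])
}
```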

timothyb89 added a commit that referenced this issue Jul 26, 2021
In Teleport v6.0 and earlier, audit log events were emitted when a
user was denied node access by RBAC rules (e.g. missing login or
label permissions). In Teleport v6.2, `isMFARequired` now ensures
users have RBAC permissions for a node before login is ever
attempted, the client never attempts to connect, and no audit event
is emitted.

This adds a new audit log event before `isMFARequired` would
otherwise return an error to the user.

Fixes #7652
timothyb89 added a commit that referenced this issue Jul 28, 2021
This changes `isMFARequired` to return `false` rather than an error
(e.g. not found) when a user is not authorized to access a particular
resource. This defers the authorization denial until such time as the
client actually attempts to connect.

Before Teleport v6.2, clients would immediately attempt to connect to
nodes, and if denied by RBAC rules, would print an "access denied"
error.

As of Teleport v6.2, clients first call `isMFARequired` and, if
unauthorized, abort the connection and print a "node not found"
error. As no connection is ever attempted, no audit log entry is
generated.

Fixes #7652
timothyb89 added a commit that referenced this issue Aug 4, 2021
* Do not deny logins in `isMFARequired`

This changes `isMFARequired` to return `false` rather than an error
(e.g. not found) when a user is not authorized to access a particular
resource. This defers the authorization denial until such time as the
client actually attempts to connect.

Before Teleport v6.2, clients would immediately attempt to connect to
nodes, and if denied by RBAC rules, would print an "access denied"
error.

As of Teleport v6.2, clients first call `isMFARequired` and, if
unauthorized, abort the connection and print a "node not found"
error. As no connection is ever attempted, no audit log entry is
generated.

Fixes #7652

* Remove dead code

* Ensure users are still asked for MFA if multiple nodes match.

* Remove unnecessary debug log

* Update lib/auth/auth.go

Co-authored-by: Brian Joerger <[email protected]>

* Improve clarity per review feedback

* Fix improper error log

Co-authored-by: Brian Joerger <[email protected]>
timothyb89 added a commit that referenced this issue Aug 4, 2021
* Do not deny logins in `isMFARequired`
russjones pushed a commit that referenced this issue Jan 26, 2022
* Do not deny logins in `isMFARequired`