Duo Passcode Implementation or Documentation Unclear #17872
Comments
|
👋 has anyone looked at this? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Describe the bug
The Duo MFA method can accept a TOTP passcode generated from the Duo Mobile app, or one associated with an end-users Duo account (ex. a Yubikey OTP). What is left out of the documentation is that the word
passcode=must be appended for the Duo Login MFA provider to actually use that provided OTP or Yubikey OTP. If an end-user only specifies the TOTP code or Yubikey OTP, the Duo Login MFA provider will send a push anyways.I was able to figure this out by looking at login_mfa.go. This, somewhat, makes sense to me - the way you'd specify on the CLI with legacy MFA was with
passcode=after avault logincommand.I'm not sure if this should be updated in documentation (maybe in the Configure Duo MFA Method doc? Or maybe a provider-specific callout in the validate API docs) or if the code should be updated to use passcode auth if an MFA cred is specified at all.
To Reproduce
vault login -method=ldap -mfa <MFA_ID_HERE>:passcode=<YUBI_PRESS_OR_TOTP_HERE>Expected behavior
If you run
vault login -method=ldap -mfa <MFA_ID_HERE>:passcode=<YUBI_PRESS_OR_TOTP_HERE>you'll receive login creds without a Duo push.Environment:
vault status): 1.12.0vault version): 1.12.0Additional context
The documentation should probably be updated to say that
passcode=is required if it's not going to change. However, that's a bit janky in other places -- like when you log in via the Web UI, you have to remind your users to type inpasscode=then press their Yubikey, but there's no indication of that in the UI either:The text was updated successfully, but these errors were encountered: