Login locks the user for 15 minutes #1347

Closed
vad opened this issue Sep 29, 2017 · 5 comments · Fixed by #1383

@vad

vad commented Sep 29, 2017

After a successful login in v2.3, the user gets locked:

kind: user
metadata:
  expires: 0001-01-01T00:00:00Z
  name: setti
spec:
  created_by:
    time: 0001-01-01T00:00:00Z
    user:
      name: ""
  expires: 0001-01-01T00:00:00Z
  roles:
  - user:setti
  status:
    is_locked: true
    lock_expires: 2017-09-29T13:27:11.025969561Z
    locked_message: user has exceeded maximum failed login attempts
    locked_time: 0001-01-01T00:00:00Z
version: v2

To log in again I can use tctl -f create or wait 15 minutes.

@vad
Author

vad commented Oct 4, 2017

The same for unsuccessful login: this means that it's enough to fail once to get locked for 15 minutes... We're currently trying Teleport in our company and this bug means that we can't expand its usage to all our employees.

@kontsevoy
Contributor

@vad We'll take a look. This is serious enough to have a point-release.

@kontsevoy kontsevoy assigned r0mant and russjones and unassigned r0mant Oct 4, 2017
@russjones
Contributor

@vad I tried to reproduce this and could not. Can you provide reproduction steps?

@kontsevoy kontsevoy added this to the 2.4.1 milestone Oct 5, 2017
@kontsevoy
Contributor

@vad This happens when a user re-uses the same token within 30 seconds. Not sure why we're so strict, this will be fixed in the point-release. Thanks for reporting!

@vad
Author

vad commented Oct 6, 2017

@kontsevoy @russjones thank you for your replies and sorry for the lag

I don't think this is the problem you mention @kontsevoy:

# insert bad credentials
$ tsh --proxy=myproxy --user=setti login
Enter password for Teleport user setti:
Enter your OTP token:
111111
access denied to 'setti': bad username or credentials

(wait 30 seconds)

# insert correct credentials
$ tsh --proxy=myproxy --user=setti login
Enter password for Teleport user setti:
Enter your OTP token:
425189
access denied to 'setti': bad username or credentials

The same if I log in and log out:

$ tsh --proxy=myproxy --user=setti login
Enter password for Teleport user setti:
Enter your OTP token:
<correct>

You are now logged in

$ tsh --proxy=myproxy --user=setti logout
setti has logged out of

$ tsh --proxy=myproxy --user=setti login
Enter password for Teleport user setti:
Enter your OTP token:
<the next correct token>
access denied to 'setti': bad username or credentials

@russjones what can I do to help you reproduce the issue?

This is the configuration file:

teleport:
    nodename: myproxy
    data_dir: /var/lib/teleport

    log:
        output: syslog
        severity: WARN
 
auth_service:
    cluster_name: "main"

    tokens:
        - "node:STATIC_TOKEN"
 
proxy_service:
    https_key_file: /etc/ssl/my.key
    https_cert_file: /etc/ssl/my.crt
