-
Why is tsh asking me to give --proxy when adding MFA? I am just adding the MFA:

% tsh mfa add

In case I use proxy and my username in the cluster, nothing works anyway. I have tried both WEBAUTHN and TOUCHID, with the same result. Thanks
-
I would recommend following our guide: https://goteleport.com/docs/access-controls/guides/passwordless/. My gut says that since you added a passkey MFA, it's trying to use this MFA in the command line. I would suggest adding a hardware token such as a YubiKey, or even an OTP. This will be used to first validate the token, then you can add Touch ID.

Also note, Touch ID registrations are isolated by application. A Touch ID registration for tsh is different from a registration made from Chrome or Safari. You may register the same Touch ID device from multiple applications to get passwordless access in all of them.
-
Well... I have strictly followed the doc you are pointing to.
-
Unfortunately, Touch ID being separate between the browser and the command line is a macOS security limitation, and there's nothing we can do about it.
Here's an explanation of a workaround: #32051 (comment)
Essentially to have Touch ID registered in both the browser and at the command line, you should be able to:
tsh login --proxy teleport.exa…