Create user with single-factor authentication? #628

Closed
jamesjuran2 opened this issue Nov 30, 2016 · 5 comments

Comments

@jamesjuran2

Is it possible to create a user that does not require two-factor authentication? My use case is I have automation running outside a Teleport cluster that I would like to log into the cluster periodically to perform a task. Because of the 2FA, I'll need to log into the server every day to re-auth with my 2FA token. In this particular case, the increased convenience of not having 2FA on this account is worth the security risk of someone compromising the stored single-factor credential.

@kontsevoy
Contributor

@jamesjuran2 perhaps tsh login --ttl=xxx with a HUGE time-to-live will solve this better? You can basically create a session key which never expires.

@jamesjuran2
Author

That was the first thing I thought of, but the maximum time for --ttl is 1800 minutes, or 30 hours, which I recall seeing in the docs:

[james.juran@localhost ~]$ tsh --proxy=teleport --ttl=1801 login
invalid requested cert TTL
[james.juran@localhost ~]$ tsh --proxy=teleport --ttl=1800 login
Enter password for Teleport user james.juran:

If the 30 hour limit is arbitrary, I could make a local modification to set that considerably higher, but it would be nice to use the official releases. I also imagine I'm not the only one with this use case -- the automation I'm trying to run is Ansible, and I can't run Ansible from inside this cluster.

@klizhentas
Contributor

@jamesjuran2 I'm thinking about it in the context of #620 - and it makes sense to add a special permission property for some roles to sign certificates with longer TTLs. In this case you will be able to create a jenkins role that can sign certs for a couple of months, for example.

@jamesjuran2
Author

Doing this as part of the framework for #620 makes sense to me -- and we're very excited about the other parts of #620 as well. Thank you for considering this!

@klizhentas
Contributor

Ok, I've updated section "TTL in certificates" to specifically address your concern. Closing this issue then.

hatched pushed a commit to hatched/teleport-merge that referenced this issue Nov 30, 2022
hatched pushed a commit that referenced this issue Dec 20, 2022