Summary

SCP and SFTP plugins don't honor group-based and account-based JIT MFA

Details

Establishing a SCP/SFTP connection through The Bastion via a group or personal access where MFA is enforced does not ask for additional factor. This abnormal behavior only applies to per-group-based JIT MFA and JIT MFA on a per-account basis.

Other MFA setup types, such as Immediate MFA or JIT MFA on a per-plugin basis are not affected.

Normal SSH access (i.e. not SCP nor SFTP) is not affected.

How to reproduce for group-based JIT MFA

• Create a group
• Apply groupModify --mfa-required any to this group
• Grant SSH access to someone via this group on a given IP
• Grant scp download right (or sftp right) to the same person via this group on the same IP
• This group should now force MFA for any connection of the person allowed through the group's rights set. This is the case for SSH, but not for SCP or SFTP as would be expected.

How to reproduce for account-based JIT MFA

• Create an account
• Apply accountModify --personal-egress-mfa-required any to this account
• Grant a personal SSH access to this account on a given IP
• Grant scp download right (or sftp right) to the same account via their personal access on the same IP
• This account should now have forced MFA for any egress connection allowed through their personal rights set. This is the case for SSH, but not for SCP or SFTP as would be expected.

Impact for group-based JIT MFA

For an actor to be able to bypass MFA for scp/sftp to a given remote server, ALL the following conditions must apply:

• The target server must be part of a group (and have the egress group's public key trusted in its authorized_keys file)
• The group must have JIT MFA enabled on it (through groupModify --mfa-required any)
• The actor must have an account on the bastion
• The actor must be a member of the group (granted by the groups's gatekeepers)
• scp and/or sftp must be globally enabled on the bastion (this is the default)
• scp and/or sftp must be explicitly allowed to the given remote server through the group (granted by the groups's aclkeepers)

When all conditions above apply, the actor would be able to use scp or sftp on the target server without requiring to provide an additional factor where it should.

Impact for account-based JIT MFA

For an actor to be able to bypass MFA for scp/sftp to a given remote server, ALL the following conditions must apply:

• The target server must be part of the actor's account personal accesses (and have the account's egress public key trusted in its authorized_keys file)
• The account must have JIT MFA enabled on it (through accountModify --personal-egress-mfa-required any)
• scp and/or sftp must be globally enabled on the bastion (this is the default)
• scp and/or sftp must be explicitly allowed to the given remote server through this account's personal accesses (granted by either selfAddPersonalAccess or accountAddPersonalAccess)

When all conditions above apply, the actor would be able to use scp or sftp on the target server without requiring to provide an additional factor where it should.

Mitigation

If you don't use the per-group-based JIT MFA on any of your groups (through groupModify --mfa-required), and don't use the JIT MFA on a per-account basis (through accountModify --personal-egress-mfa-required), you don't need to mitigate the issue as you don't use the impacted feature (see above for impact details).

Otherwise, if you can't immediately upgrade to v3.14.15 or more recent, and you feel that the aforementioned impacts are important enough in your environment, you may choose to temporarily disable the scp and sftp plugins globally on the bastion, by setting "disabled": true in these plugins configuration files, which can be found in /etc/bastion/plugin.scp.conf and /etc/bastion/plugin.sftp.conf respectively. If these files don't exist, create them with the contents as { "disabled": true }. They should be readable by anyone but modifiable only by root (i.e. chmod 664; chown root:root)