devicetrust: don't invoke powershell when reading system information #50372

Merged Dec 19, 2024 (1 commit)

@zmb3 (Collaborator) commented Dec 18, 2024

The device trust web flow can result in a web browser launching Teleport Connect (which launches tsh, which in turn launches powershell).

Some antivirus solutions flag cases where a powershell process is a descendent of a web browser process. In order to avoid being blocked by the antivirus software, we want to read system information directly instead of via powershell.

Changelog: Fixed an issue that could cause some antivirus tools to block Teleport's Device Trust feature on Windows machines.
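
The parent-process heuristic the description refers to, sketched as an added example (not code from this PR or from Teleport): it walks a process tree and reports a PowerShell process that has a web browser as an ancestor. The process records, PIDs and executable names are constructed for illustration, and the rule is an assumption about how such a detection works, not any specific antivirus product's logic.

```go
package main

import (
	"fmt"
	"strings"
)

// Proc is one process-creation record; all sample data here is constructed.
type Proc struct {
	PID, PPID int
	Image     string
}
var browsers = map[string]bool{"chrome.exe": true, "msedge.exe": true, "firefox.exe": true}
var shells = map[string]bool{"powershell.exe": true, "pwsh.exe": true}

// BrowserAncestry returns the browser-to-pid image chain for a PowerShell pid, else nil.
func BrowserAncestry(procs map[int]Proc, pid int) []string {
	p, ok := procs[pid]
	if !ok || !shells[strings.ToLower(p.Image)] {
		return nil
	}
	chain, seen := []string{p.Image}, map[int]bool{pid: true}
	for {
		parent, ok := procs[p.PPID]
		if !ok || seen[parent.PID] { // reached the root, or a PID loop
			return nil
		}
		seen[parent.PID] = true
		chain = append([]string{parent.Image}, chain...)
		if browsers[strings.ToLower(parent.Image)] {
			return chain
		}
		p = parent
	}
}

// SampleTree builds the launch chain from the PR description (names assumed).
func SampleTree(withPowerShell bool) map[int]Proc {
	t := map[int]Proc{1: {1, 0, "explorer.exe"}, 100: {100, 1, "chrome.exe"},
		200: {200, 100, "Teleport Connect.exe"}, 300: {300, 200, "tsh.exe"},
		500: {500, 1, "powershell.exe"}} // 500: started from the desktop
	if withPowerShell {
		t[400] = Proc{400, 300, "powershell.exe"}
	}
	return t
}

func main() {
	fmt.Println(BrowserAncestry(SampleTree(true), 400), BrowserAncestry(SampleTree(false), 300))
}
```

With the PowerShell child present the full chain from the browser is returned; once tsh reads system information itself there is no shell process left for the rule to match.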

@programmerq programmerq added the c-po Internal Customer Reference label Dec 18, 2024
@zmb3 zmb3 force-pushed the zmb3/windows-no-powershell branch from 43238f9 to d3a0484 Compare December 19, 2024 01:43
@zmb3 (Collaborator, Author) commented Dec 19, 2024

Result of tsh device collect seems to match that of an official release build, though I'm running in a Parallels VM so it would be good to test on a machine with a real TPM.

@codingllama @ravicious @gzdunek would any of you mind trying tsh device collect on your Thinkpads using tsh from this branch and comparing to that of a recent release?

@ravicious (Member) commented

I don't have Windows on my Thinkpad, but I know that @nklaassen has a Windows machine. 😏

Review threads on lib/devicetrust/native/device_windows.go (resolved)

@codingllama (Contributor) left a comment

Looks good!

The device trust web flow can result in a web browser launching
Teleport Connect (which launches tsh, which in turn launches
powershell).

Some antivirus solutions flag cases where a powershell process is
a descendent of a web browser process. In order to avoid being
blocked by the antivirus software, we want to read system information
directly instead of via powershell.
@zmb3 zmb3 force-pushed the zmb3/windows-no-powershell branch from 79f0e4e to cef8d83 Compare December 19, 2024 18:19
@zmb3 zmb3 marked this pull request as ready for review December 19, 2024 18:19
@codingllama (Contributor) left a comment

LGTM.

I just did another run with the current commit, to be sure. Looks fine.

@zmb3 zmb3 requested a review from rosstimothy December 19, 2024 18:31
@zmb3 zmb3 enabled auto-merge December 19, 2024 18:47
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from atburke December 19, 2024 18:55
@zmb3 zmb3 added this pull request to the merge queue Dec 19, 2024
Merged via the queue into master with commit b1d8c3b Dec 19, 2024
46 checks passed
@zmb3 zmb3 deleted the zmb3/windows-no-powershell branch December 19, 2024 19:14
@public-teleport-github-review-bot

@zmb3 See the table below for backport results.

Branch Result
branch/v15 Failed
branch/v16 Failed
branch/v17 Failed
