Question/Problem:
How does Teleport calculate the TTL for a user's session when authenticating?
Solution:
When a user authenticates, Teleport considers the times from all of the following:
- It finds the shortest maximum TTL from all the roles for the user.
- It determines the user-requested TTL based on the `tsh login --ttl` argument. If none is specified, it is equivalent to the user requesting a twelve-hour TTL. (There is an upper limit of 30 hours that can be requested.)
- If the user includes a `tsh login --request-id` argument to adopt an existing approved access request, then the remaining time allowed on that specific request is considered. (If no request ID is specified, nothing special happens.)
The lowest duration of all of these times is then taken and used as the TTL for the user session.
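
The calculation above, as an added Go example that is not Teleport's own code. The function name `SessionTTL`, its parameters and the limit labels are hypothetical; rejecting a `--ttl` above 30 hours (rather than clamping it) and rejecting an already-expired access request are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const (
	defaultRequestedTTL = 12 * time.Hour // applied when --ttl is omitted
	maxRequestedTTL     = 30 * time.Hour // upper limit on a requested TTL
)

// SessionTTL (hypothetical) returns the effective TTL and which input limited it.
// requested is 0 when --ttl is omitted; requestExpiry is nil without --request-id.
func SessionTTL(roleMaxTTLs []time.Duration, requested time.Duration, requestExpiry *time.Time, now time.Time) (time.Duration, string, error) {
	if len(roleMaxTTLs) == 0 {
		return 0, "", errors.New("user has no roles")
	}
	if requested == 0 {
		requested = defaultRequestedTTL
	}
	if requested < 0 || requested > maxRequestedTTL {
		return 0, "", fmt.Errorf("requested TTL %v outside (0, %v]", requested, maxRequestedTTL) // assumption: reject
	}
	ttl, limit := requested, "requested TTL"
	for _, m := range roleMaxTTLs {
		if m < ttl {
			ttl, limit = m, "role max TTL"
		}
	}
	if requestExpiry != nil {
		remaining := requestExpiry.Sub(now)
		if remaining <= 0 {
			return 0, "", errors.New("access request has expired") // assumption: reject
		}
		if remaining < ttl {
			ttl, limit = remaining, "access request remaining time"
		}
	}
	return ttl, limit, nil
}

func main() {
	now := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC) // constructed sample time
	expiry := now.Add(2 * time.Hour)                   // constructed access request expiry
	ttl, limit, err := SessionTTL([]time.Duration{8 * time.Hour, 24 * time.Hour}, 0, &expiry, now)
	fmt.Println(ttl, limit, err)
}
```

Returning the limiting input alongside the duration makes it easier to explain to a user why a session is shorter than the `--ttl` they asked for.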