Open
70 commits
b8b83e0
doc: Add RFD for In-Band MFA for SSH Sessions
cthach Sep 15, 2025
27cfa45
fix: Add words to cspell config
cthach Sep 15, 2025
3baaf36
refactor: Improve clarity and consistency
cthach Sep 15, 2025
607e9e7
docs: clarify session certs
cthach Sep 15, 2025
64f2646
docs: add updates to DialRequest message
cthach Sep 15, 2025
fdd5898
docs: add versions and permit
cthach Sep 16, 2025
9b58fd7
docs: remove session SSH cert from design
cthach Sep 16, 2025
907f708
docs: Rename to ProxySSH. Add approvers.
cthach Sep 17, 2025
80792b4
Merge remote-tracking branch 'origin/master' into rfd/0224-in-band-mf…
cthach Sep 17, 2025
312ee9e
docs: update security to call out risk of new Auth RPC. Remove SSH ce…
cthach Sep 17, 2025
45e3683
docs: enhance TransportServiceV2 description to clarify in-band MFA h…
cthach Sep 17, 2025
cecdefc
docs: Teleport clients, not agents
cthach Sep 17, 2025
c15c076
docs: rename to TransportServiceV2 to just TransportService in the v2…
cthach Sep 26, 2025
31b3b50
docs: client must send dial_target first
cthach Sep 26, 2025
2bfd689
docs: introduce new MFAService
cthach Sep 26, 2025
83ccc70
docs: improve consistency
cthach Sep 26, 2025
1fd8c19
docs: update client and web terminal to use v2 TransportService with …
cthach Sep 26, 2025
2b5382e
docs: extend dependencies for Decision
cthach Sep 26, 2025
6d600e1
Merge remote-tracking branch 'origin/master' into rfd/0224-in-band-mf…
cthach Sep 30, 2025
1753746
docs: refactor to delegate to new MFAService for assertion ceremony
cthach Sep 30, 2025
c8d06a9
docs: refine to add alts considered, relay and polish
cthach Sep 30, 2025
3007101
refactor: add notes to update clients to utilize v2 TransportService …
cthach Sep 30, 2025
e6c4c68
Merge remote-tracking branch 'origin/master' into rfd/0224-in-band-mf…
cthach Oct 1, 2025
46c18af
docs: rename RFD. Add considerations for vnet, connect and web term
cthach Oct 1, 2025
4e1e3d0
fix: spelling
cthach Oct 1, 2025
1dae587
docs: refine RFD
cthach Oct 1, 2025
4e387e5
docs: simplify StartAuthenticateChallengeRequest
cthach Oct 1, 2025
0da53de
docs: improve security and audit sections
cthach Oct 2, 2025
95691cc
fix: consistency in field names in StartAuthenticateChallengeRequest
cthach Oct 3, 2025
6256b7f
docs: improve test plan
cthach Oct 3, 2025
829d63b
doc: make security section easier to read and add conn downgrade miti…
cthach Oct 3, 2025
136c435
Merge branch 'master' into rfd/0224-in-band-mfa-ssh-sessions
cthach Oct 8, 2025
7bcfd7b
docs: remove new vs legacy client from diagram
cthach Oct 8, 2025
270307b
docs: return an AccessDenied/InternalServer error on failures
cthach Oct 8, 2025
1e4568e
docs: clarify relay also gets upgraded responsibilities and perms
cthach Oct 8, 2025
b0181b2
docs: return result struct on completion of StartAuthenticateChallenge
cthach Oct 8, 2025
7583f96
docs: handle legacy agents
cthach Oct 9, 2025
97aa82b
Merge remote-tracking branch 'origin/master' into rfd/0224-in-band-mf…
cthach Oct 15, 2025
a4c928b
refactor: Do MFA enforcement at SSH service within SSH protocol
cthach Oct 16, 2025
21afa57
docs: Add non-goals, handle edge cases, populate security, test, roug…
cthach Oct 16, 2025
5a7f8ae
fix: enum DenialMetadataReason should have suffix
cthach Oct 17, 2025
8db7abf
fix: clarity that running commands on multiple hosts may need multipl…
cthach Oct 17, 2025
8b4fd8a
docs: add more details to ValidateAuthenticateChallengeResponse
cthach Oct 17, 2025
88e13d5
docs: switch to JSON for keyboard-interactive question
cthach Oct 17, 2025
9c63f85
refactor: Decision service does not validate MFA responses
cthach Oct 20, 2025
13d1d2a
refactor: use preconditions to fail close
cthach Oct 20, 2025
78bf306
fix: no changes to UX
cthach Oct 20, 2025
b8e5e1a
Merge branch 'master' into rfd/0224-in-band-mfa-ssh-sessions
cthach Oct 20, 2025
d1b1cc8
refactor: Proxy will call EvaluateSSHAccess and staple permit
cthach Oct 21, 2025
85907f6
Merge branch 'rfd/0224-in-band-mfa-ssh-sessions' of github.com:gravit…
cthach Oct 21, 2025
a32127b
docs: add error messages
cthach Oct 21, 2025
4e60a76
docs: update SSH service auth handler to use VerifiedPublicKeyCallbac…
cthach Oct 21, 2025
543d8b7
docs: action ID is UUID v4. Configurable rate limits. Only authorize …
cthach Oct 22, 2025
f77ef54
docs: Add force in-band MFA flag. Update transition period to two maj…
cthach Oct 22, 2025
2e80d05
refactor: shorten diagram nodes so they are not truncated in GitHub
cthach Oct 22, 2025
30626eb
Change to RFD 231
cthach Oct 22, 2025
08ac89a
docs: remove rate limits
cthach Oct 22, 2025
85810af
fix: remove extra word and make consistent
cthach Oct 22, 2025
5c3675e
fix: add INBAND to spell check ignore list
cthach Oct 22, 2025
2c0a22b
refactor: introduce new MFAService instead of extend legacy AuthService
cthach Oct 23, 2025
06c389e
fix: update precondition enum values to satisfy buf lint
cthach Oct 27, 2025
61df821
feat: add audit events for new MFAService RPCs
cthach Oct 27, 2025
de0ff2b
docs: add details for persisting action ID to backend
cthach Oct 27, 2025
c3ef301
Merge branch 'master' into rfd/0224-in-band-mfa-ssh-sessions
cthach Oct 27, 2025
30be142
docs: Remove unused user field in message. Polish doc.
cthach Oct 27, 2025
d45f4ba
refactor: keyboard-interactive channel should be structured proto. De…
cthach Oct 28, 2025
79c6de9
refactor: Use existing audit events instead of creating new ones.
cthach Oct 28, 2025
0ca57b5
refactor: remove audit event changes
cthach Oct 30, 2025
320d373
refactor: replace action IDs with SIPs
cthach Oct 30, 2025
a5dced0
Merge branch 'master' into rfd/0224-in-band-mfa-ssh-sessions
cthach Nov 4, 2025