Replies: 1 comment
-
You can use Omni, which provides MFA auth with short-lived tokens for both Talos and Kubernetes APIs.
-
I am currently discussing with my colleagues how we could achieve the company requirement that everything should be multi-factor authenticated. The problem is that once an admin has downloaded the talosconfig to his machine, he essentially has the most powerful file at hand.
With SSH this is partially mitigated by using passphrases, or using the local keychain. I ran across this project for kubeconfig, which essentially has the same problem, https://github.com/plumber-cd/kubectl-credentials-helper. I think it would be great if either a form of plugins for talosctl could be created, or at the very least a passphrase could be set on the certificates. OIDC support would also be fantastic.
How do you securely handle the talosconfig files for your admins?