local_auth setting is not documented anywhere #3052

Closed
webvictim opened this issue Oct 3, 2019 · 4 comments
@webvictim
Contributor

What happened: If you have changed the default auth service configuration when trying to start Teleport in FIPS mode (using teleport start --fips), Teleport will fail to start and say error: non-FIPS compliant authentication setting: "local_auth" must be false

local_auth doesn't appear in our documentation anywhere as far as I can tell so it's hard to know 1) what this setting does and 2) where it should be set.

It should be described in the configuration section of the admin guide (https://gravitational.com/teleport/docs/admin-guide/#configuration)

What you expected to happen: local_auth to appear in the configuration reference.

It goes under auth_service.authentication like this:

auth_service:
  authentication:
    local_auth: false

It's also worth noting that it's incompatible with the second_factor setting under auth_service.authentication - if you set both in the config, you get this warning: WARN Second factor settings will have no affect because local authentication is disabled. Update file configuration and remove "second_factor" field to get rid of this error message.

How to reproduce it (as minimally and precisely as possible): Set up Teleport with a config where auth_service.authentication has been changed from the default.

Environment:

  • Teleport version (use teleport version): 4.1.0
@webvictim
Contributor Author

FYI, the setting was introduced in this PR: #2575

@benarent
Contributor

benarent commented Oct 3, 2019

I think a good starting point would be to add specific FIPS info under Teleport Enterprise.

It would be good to add #2789 to 4.2. @alex-kovoy What do you think?

@webvictim
Contributor Author

The FIPS documentation is in the 4.2 milestone so adding this as well. That way we'll remember to close it when it's done.

@benarent
Contributor

benarent commented Nov 9, 2019

Closed with #3129

@benarent benarent closed this as completed Nov 9, 2019