Teleport – Secure Access to Linux Systems and Kubernetes

Posted on 118 views

In this dispensation of interconnected systems, it is utterly crucial that every asset, every document and every information is kept as far as possible from prying eyes and ears. What makes this worse is that there is a burgeoning number of these unsavory eyes and ears and keeping them off your systems is getting harder and trickier every waking day. So what to do? Innovation from good minds in our world have come up with solutions that can at least ward them off as well as making their efforts harder. Teleport is one of these solutions and we shall descend into an elaborate disquisition about it in this brief guide.

Gravitational Teleport is a gateway for managing access to clusters of Linux servers via SSH or the Kubernetes API. It is intended to be used instead of traditional OpenSSH for organizations that need to: Source: Teleport Documentation

  • Secure their infrastructure and comply with security best-practices and regulatory requirements.
  • Have complete visibility into activity happening across their infrastructure.
  • Reduce the operational overhead of privileged access management across both traditional and cloud-native infrastructure.

Comprehensive Features of Teleport

Teleport offers impressive new features that traditional administrators and developers are going to enjoy. They inlude:

  • Single SSH/Kubernetes access gateway for an entire organization.
  • SSH certificate based authentication instead of static keys.
  • Avoid key distribution and trust on first use issues by using auto-expiring keys signed by a cluster certificate authority (CA).
  • Enforce 2nd factor authentication.
  • Connect to clusters located behind firewalls without direct Internet access via SSH bastions.
  • Collaboratively troubleshoot issues through session sharing.
  • Discover online servers and Docker containers within a cluster with dynamic node labels.
  • A single tool (“pane of glass”) to manage RBAC for both SSH and Kubernetes.
  • Audit log with session recording/replay.
  • Kubernetes audit log, including the recording of interactive commands executed via kubectl.
  • Ability to run in “agentless” mode, i.e. most Teleport features are available on clusters with pre-existing SSH daemons, usually sshd.

Adapted from Teleport official website, Teleport comes as three binaries: the teleport daemon, the tsh client, and the tctl administration tool. They are dependency-free, written in a compiled language, and run on any UNIX-compatible operating system, such as Linux, FreeBSD, or macOS. Teleport is open source under the Apache 2 license and the source code is available on Github.

Teleport is easy to deploy. It is a traditional Linux daemon similar to sshd and usually runs as a systemd service.

Installation of Teleport Tool

Teleport core service teleport and admin tool tctl have been designed to run on Linux and Mac operating systems. The Teleport user client tsh and UI are available for Linux, Mac and Windows operating systems.

Install Teleport on Linux

The following examples install the 64-bit version of Teleport binaries, but 32-bit (i386) and ARM binaries are also available. Check the Latest Release page for the most up-to-date information.

Install from the tarball

curl -O
tar -xzf teleport-v5.0.0-linux-amd64-bin.tar.gz
cd teleport
sudo ./install
Teleport binaries have been copied to /usr/local/bin

Configure teleport SystemD service

We can take advantage of systemd to manage teleport’s lifecycle processes such as starting and stopping the service. Create teleport systemd service thus:

$ sudo vim /etc/systemd/system/teleport.service

Description=Teleport SSH Service

ExecStart=/usr/local/bin/teleport start --pid-file=/run/
ExecReload=/bin/kill -HUP $MAINPID


Then reload the daemon, start and enable the service

sudo systemctl daemon-reload
sudo systemctl start teleport
sudo systemctl enable teleport

You can check its status to confirm that everything was started without any fuss

$ sudo systemctl status teleport

● teleport.service - Teleport SSH Service
   Loaded: loaded (/etc/systemd/system/teleport.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-12-14 07:31:33 UTC; 1h 2min ago
 Main PID: 2053 (teleport)
    Tasks: 9 (limit: 11004)
   Memory: 35.0M
   CGroup: /system.slice/teleport.service
           └─2053 /usr/local/bin/teleport start --pid-file=/run/

Dec 14 07:31:35 centos8.localdomain teleport[2053]: [NODE]         Service 5.0.0:v5.0.0-0-gac4971801 is starting on
Dec 14 07:31:35 centos8.localdomain teleport[2053]: [PROXY]        Reverse tunnel service 5.0.0:v5.0.0-0-gac4971801 is starting on   
Dec 14 07:31:35 centos8.localdomain teleport[2053]: [PROXY]        Web proxy service 5.0.0:v5.0.0-0-gac4971801 is starting on        
Dec 14 07:31:35 centos8.localdomain teleport[2053]: [PROXY]        SSH proxy service 5.0.0:v5.0.0-0-gac4971801 is starting on

Install on CentOS from RPM Repository

If you are on CentOS, you can use the following in case you do not like the tarball installation method

sudo yum-config-manager --add-repo
sudo yum install teleport -y

Install on Debian Ubuntu from .deb Package

If you are on Debian based system, you can use the following in case you do not like the tarball installation method

$ curl
$ curl -O
$ sha256sum teleport_5.0.0_amd64.deb
# Verify that the checksums match
$ sudo dpkg -i teleport_5.0.0_amd64.deb
$ which teleport

Install Teleport on macOS

Thanks to Homebrew, telport can be installed easily on macOS as follows:

$ brew install teleport

How To Configure Teleport

When setting up Teleport, its developers team recommends running it with Teleport’s YAML configuration file as shown below:

$ sudo nano /etc/teleport.yaml

    data_dir: /var/lib/teleport
    enabled: true
    cluster_name: "teleport-quickstart"
    - proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765
    enabled: true
        env: staging
    enabled: true
    debug_app: true
    enabled: true

From the configuration above, you will notice the directory teleport data will be kept (/var/lib/teleport). In order for everything to work properly, we have to give that directory requisite permissions so that teleport and tctl can be able to read and write. To accomplish that, run the following command

sudo chmod 755 -R /var/lib/teleport/

After updating the configuration file, we will need to open the requisite ports defined in the file as follows

##On CentOS

sudo firewall-cmd --permanent --add-port=3023,3080,3024,3025/tcp
sudo firewall-cmd --reload

##On Ubuntu

sudo ufw allow 3023,3080,3024,3025/tcp

Configure secure https with Self-singed Certificates

Teleport uses secure https. If you have certificates, you can add them at the end of teleport’s configuration file. For this example, we shall setup a self-signed certificate for our use. Proceed to create it like this:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/teleport2.key -out /etc/pki/tls/certs/teleport2.crt

This will proceed to ask you some questions as shown below. Enter the right ones for your environment. If you do not have DNS, you can add your domain names under /etc/hosts in your servers

Country Name (2 letter code) [XX]:KE
State or Province Name (full name) []:Nairobi
Locality Name (eg, city) [Default City]:Nairobi
Organization Name (eg, company) [Default Company Ltd]:computingforgeeks
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []
Email Address []:[email protected]

After this, update your configuration file with the certificates as shown below

    data_dir: /var/lib/teleport
    enabled: true
    cluster_name: "teleport-quickstart"
    - proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765
    enabled: true
        env: staging
    enabled: true
    debug_app: true
    enabled: true
##Updated/added part of this configuration
      - key_file: /etc/pki/tls/private/teleport2.key
        cert_file: /etc/pki/tls/certs/teleport2.crt

Then restart teleport

sudo systemctl restart teleport

At this stage, you can be able to access Teleport Web UI at: “https://IP-or-Domain-Name:3080“. Simply open up your favorite browser and point it to your server at the specified port (3080). You should see:


But as you will notice, we do not have any users to be able to log into the application. We shall therefore tackle that next.

Create a Teleport user

Just like any other authentication service, teleport requires users and their credentials in order for them to log in and use the servers that are under its protection. Something to note, Teleport will always enforce the use of 2-factor authentication by default. It supports one-time passwords (OTP) and hardware tokens (U2F). This quick start will use OTP – you’ll need an OTP-compatible app which can scan a QR code.

If you do not have the permission to create new users on the Linux host, run tctl users add teleport $(whoami) to explicitly allow Teleport to authenticate as the user that you are currently logged in as.

tctl users add geeks-admin root

User geeks-admin has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h0m0s:
NOTE: Make sure centos8.localdomain:3080 points at a Teleport proxy which users can access.

The users that you specify (such as root in our example) must exist! What this means is that, geeks-admin will be able to log into the servers in Teleport cluster servers as root.

After the command runs, you will see the message it presents on the shell. Copy the url it has provided and continue to setup the new user: “


Once you visit the url on your browser, you will meet a new login page with a QR Code as shown above. In order for you to set up a new user, we recommend using Google Authenticator App from Play Store. Download it and install from play store as shared on the screenshots below.


Once it is downloaded and installed, open it then choose, “Scan a QR code”.


This will open up your camera. Position your camera to read the QR Code and you will see a code presented on your phone. This is the “Two Factor Token” on the Teleport Login page. Enter a new password for the user then the code on your phone under “Two Factor Token” then click “Create Account“.


If all goes well, the new user will be ushered into the dashboard as illustrated below:


Amazing stuff right!

Adding a node to teleport cluster

When you set up Teleport earlier, we configured a strong static token for nodes and apps in the teleport.yaml file. Adding nodes to be part of the cluster is now fairly easy. We are going to use this token in this step. First, install Teleport on the target node, then start it using a command as shown below.

$ sudo teleport start --roles=node \
 --token=f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765 \

[NODE]         Service 5.0.0:v5.0.0-0-gac4971801 is starting on

Review and update auth-server, app-name and app-uri before running this command.

In case you get the error below, delete /var/lib/teleport folder on the node you are trying to add to the cluster and re-run the command above again.

Node failed to establish connection to cluster: Get "": x509: certificate signed by unknown authority. time/sleep.go:148

When you log back into the Teleport Web-UI, you should be able to see the second node on the list of servers as shown below


Logging into the servers via Teleport Web-UI

You can access the terminal of your servers very easily while on your web interface. You simply have to click on the “Connect” button, then choose the right user that will connect to the server. This will allow you to SSH into the server and access the terminal as the user you will choose. Since we only added root user in this example, we shall click on it


And the browser will open a new tab and usher us in.


Concluding Remarks

If you have managed to reach this far, then you are amazing. Teleport is one promising project that inco-operates all of the security features you always envy to have in your environment. Not only does it service servers but also manages Kubernetes clusters and much more. Check it out at Teleport Page and enjoy.


Gravatar Image
A systems engineer with excellent skills in systems administration, cloud computing, systems deployment, virtualization, containers, and a certified ethical hacker.