In this dispensation of interconnected systems, it is utterly crucial that every asset, every document and every information is kept as far as possible from prying eyes and ears. What makes this worse is that there is a burgeoning number of these unsavory eyes and ears and keeping them off your systems is getting harder and trickier every waking day. So what to do? Innovation from good minds in our world have come up with solutions that can at least ward them off as well as making their efforts harder. Teleport is one of these solutions and we shall descend into an elaborate disquisition about it in this brief guide.
Gravitational Teleport is a gateway for managing access to clusters of Linux servers via SSH or the Kubernetes API. It is intended to be used instead of traditional OpenSSH for organizations that need to: Source: Teleport Documentation
- Secure their infrastructure and comply with security best-practices and regulatory requirements.
- Have complete visibility into activity happening across their infrastructure.
- Reduce the operational overhead of privileged access management across both traditional and cloud-native infrastructure.
Comprehensive Features of Teleport
Teleport offers impressive new features that traditional administrators and developers are going to enjoy. They inlude:
- Single SSH/Kubernetes access gateway for an entire organization.
- SSH certificate based authentication instead of static keys.
- Avoid key distribution and trust on first use issues by using auto-expiring keys signed by a cluster certificate authority (CA).
- Enforce 2nd factor authentication.
- Connect to clusters located behind firewalls without direct Internet access via SSH bastions.
- Collaboratively troubleshoot issues through session sharing.
- Discover online servers and Docker containers within a cluster with dynamic node labels.
- A single tool (“pane of glass”) to manage RBAC for both SSH and Kubernetes.
- Audit log with session recording/replay.
- Kubernetes audit log, including the recording of interactive commands executed via kubectl.
- Ability to run in “agentless” mode, i.e. most Teleport features are available on clusters with pre-existing SSH daemons, usually sshd.
Adapted from Teleport official website, Teleport comes as three binaries: the teleport daemon, the tsh client, and the tctl administration tool. They are dependency-free, written in a compiled language, and run on any UNIX-compatible operating system, such as Linux, FreeBSD, or macOS. Teleport is open source under the Apache 2 license and the source code is available on Github.
Teleport is easy to deploy. It is a traditional Linux daemon similar to sshd and usually runs as a systemd service.
Installation of Teleport Tool
Teleport core service teleport and admin tool tctl have been designed to run on Linux and Mac operating systems. The Teleport user client tsh and UI are available for Linux, Mac and Windows operating systems.
Install Teleport on Linux
The following examples install the 64-bit version of Teleport binaries, but 32-bit (i386) and ARM binaries are also available. Check the Latest Release page for the most up-to-date information.
Install from the tarball
curl -O https://get.gravitational.com/teleport-v5.0.0-linux-amd64-bin.tar.gz tar -xzf teleport-v5.0.0-linux-amd64-bin.tar.gz cd teleport sudo ./install Teleport binaries have been copied to /usr/local/bin
Configure teleport SystemD service
We can take advantage of systemd to manage teleport’s lifecycle processes such as starting and stopping the service. Create teleport systemd service thus:
$ sudo vim /etc/systemd/system/teleport.service [Unit] Description=Teleport SSH Service After=network.target [Service] Type=simple Restart=on-failure EnvironmentFile=-/etc/default/teleport ExecStart=/usr/local/bin/teleport start --pid-file=/run/teleport.pid ExecReload=/bin/kill -HUP $MAINPID PIDFile=/run/teleport.pid LimitNOFILE=8192 [Install] WantedBy=multi-user.target
Then reload the daemon, start and enable the service
sudo systemctl daemon-reload sudo systemctl start teleport sudo systemctl enable teleport
You can check its status to confirm that everything was started without any fuss
$ sudo systemctl status teleport ● teleport.service - Teleport SSH Service Loaded: loaded (/etc/systemd/system/teleport.service; enabled; vendor preset: disabled) Active: active (running) since Mon 2020-12-14 07:31:33 UTC; 1h 2min ago Main PID: 2053 (teleport) Tasks: 9 (limit: 11004) Memory: 35.0M CGroup: /system.slice/teleport.service └─2053 /usr/local/bin/teleport start --pid-file=/run/teleport.pid Dec 14 07:31:35 centos8.localdomain teleport: [NODE] Service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3022. Dec 14 07:31:35 centos8.localdomain teleport: [PROXY] Reverse tunnel service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3024. Dec 14 07:31:35 centos8.localdomain teleport: [PROXY] Web proxy service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3080. Dec 14 07:31:35 centos8.localdomain teleport: [PROXY] SSH proxy service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3023.
Install on CentOS from RPM Repository
If you are on CentOS, you can use the following in case you do not like the tarball installation method
sudo yum-config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo sudo yum install teleport -y
Install on Debian Ubuntu from .deb Package
If you are on Debian based system, you can use the following in case you do not like the tarball installation method
$ curl https://get.gravitational.com/teleport_5.0.0_amd64.deb.sha256 $ curl -O https://get.gravitational.com/teleport_5.0.0_amd64.deb $ sha256sum teleport_5.0.0_amd64.deb # Verify that the checksums match $ sudo dpkg -i teleport_5.0.0_amd64.deb $ which teleport /usr/local/bin/teleport
Install Teleport on macOS
Thanks to Homebrew, telport can be installed easily on macOS as follows:
$ brew install teleport
How To Configure Teleport
When setting up Teleport, its developers team recommends running it with Teleport’s YAML configuration file as shown below:
$ sudo nano /etc/teleport.yaml teleport: data_dir: /var/lib/teleport auth_service: enabled: true cluster_name: "teleport-quickstart" listen_addr: 0.0.0.0:3025 tokens: - proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765 public_addr: 172.20.192.38:3025 ssh_service: enabled: true labels: env: staging app_service: enabled: true debug_app: true proxy_service: enabled: true listen_addr: 0.0.0.0:3023 web_listen_addr: 0.0.0.0:3080 tunnel_listen_addr: 0.0.0.0:3024 public_addr: 172.20.192.38:3080
From the configuration above, you will notice the directory teleport data will be kept (/var/lib/teleport). In order for everything to work properly, we have to give that directory requisite permissions so that teleport and tctl can be able to read and write. To accomplish that, run the following command
sudo chmod 755 -R /var/lib/teleport/
After updating the configuration file, we will need to open the requisite ports defined in the file as follows
##On CentOS sudo firewall-cmd --permanent --add-port=3023,3080,3024,3025/tcp sudo firewall-cmd --reload ##On Ubuntu sudo ufw allow 3023,3080,3024,3025/tcp
Configure secure https with Self-singed Certificates
Teleport uses secure https. If you have certificates, you can add them at the end of teleport’s configuration file. For this example, we shall setup a self-signed certificate for our use. Proceed to create it like this:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/teleport2.key -out /etc/pki/tls/certs/teleport2.crt
This will proceed to ask you some questions as shown below. Enter the right ones for your environment. If you do not have DNS, you can add your domain names under /etc/hosts in your servers
----- Country Name (2 letter code) [XX]:KE State or Province Name (full name) :Nairobi Locality Name (eg, city) [Default City]:Nairobi Organization Name (eg, company) [Default Company Ltd]:computingforgeeks Organizational Unit Name (eg, section) :IT Common Name (eg, your name or your server's hostname) :teleport.computingforgeeks.com Email Address :[email protected]
After this, update your configuration file with the certificates as shown below
teleport: data_dir: /var/lib/teleport auth_service: enabled: true cluster_name: "teleport-quickstart" listen_addr: 0.0.0.0:3025 tokens: - proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765 public_addr: 172.20.192.38:3025 ssh_service: enabled: true labels: env: staging app_service: enabled: true debug_app: true proxy_service: enabled: true listen_addr: 0.0.0.0:3023 web_listen_addr: 0.0.0.0:3080 tunnel_listen_addr: 0.0.0.0:3024 ##Updated/added part of this configuration public_addr: 172.20.192.38:3080 https_keypairs: - key_file: /etc/pki/tls/private/teleport2.key cert_file: /etc/pki/tls/certs/teleport2.crt
Then restart teleport
sudo systemctl restart teleport
At this stage, you can be able to access Teleport Web UI at: “https://IP-or-Domain-Name:3080“. Simply open up your favorite browser and point it to your server at the specified port (3080). You should see:
But as you will notice, we do not have any users to be able to log into the application. We shall therefore tackle that next.
Create a Teleport user
Just like any other authentication service, teleport requires users and their credentials in order for them to log in and use the servers that are under its protection. Something to note, Teleport will always enforce the use of 2-factor authentication by default. It supports one-time passwords (OTP) and hardware tokens (U2F). This quick start will use OTP – you’ll need an OTP-compatible app which can scan a QR code.
If you do not have the permission to create new users on the Linux host, run tctl users add teleport $(whoami) to explicitly allow Teleport to authenticate as the user that you are currently logged in as.
tctl users add geeks-admin root User geeks-admin has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h0m0s: https://teleport.computingforgeeks.com:3080/web/invite/2ef0091feea7fea0a210f53a1d8751d3 NOTE: Make sure centos8.localdomain:3080 points at a Teleport proxy which users can access.
The users that you specify (such as root in our example) must exist! What this means is that, geeks-admin will be able to log into the servers in Teleport cluster servers as root.
After the command runs, you will see the message it presents on the shell. Copy the url it has provided and continue to setup the new user: “https://teleport.computingforgeeks.com:3080/web/invite/2ef0091feea7fea0a210f53a1d8751d3“
Once you visit the url on your browser, you will meet a new login page with a QR Code as shown above. In order for you to set up a new user, we recommend using Google Authenticator App from Play Store. Download it and install from play store as shared on the screenshots below.
Once it is downloaded and installed, open it then choose, “Scan a QR code”.
This will open up your camera. Position your camera to read the QR Code and you will see a code presented on your phone. This is the “Two Factor Token” on the Teleport Login page. Enter a new password for the user then the code on your phone under “Two Factor Token” then click “Create Account“.
If all goes well, the new user will be ushered into the dashboard as illustrated below:
Amazing stuff right!
Adding a node to teleport cluster
When you set up Teleport earlier, we configured a strong static token for nodes and apps in the teleport.yaml file. Adding nodes to be part of the cluster is now fairly easy. We are going to use this token in this step. First, install Teleport on the target node, then start it using a command as shown below.
$ sudo teleport start --roles=node \ --token=f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765 \ --auth-server=teleport.computingforgeeks.com:3025 [NODE] Service 5.0.0:v5.0.0-0-gac4971801 is starting on 0.0.0.0:3022.
Review and update auth-server, app-name and app-uri before running this command.
In case you get the error below, delete /var/lib/teleport folder on the node you are trying to add to the cluster and re-run the command above again.
Node failed to establish connection to cluster: Get "https://172.20.192.38:3025/v1/webapi/find": x509: certificate signed by unknown authority. time/sleep.go:148
When you log back into the Teleport Web-UI, you should be able to see the second node on the list of servers as shown below
Logging into the servers via Teleport Web-UI
You can access the terminal of your servers very easily while on your web interface. You simply have to click on the “Connect” button, then choose the right user that will connect to the server. This will allow you to SSH into the server and access the terminal as the user you will choose. Since we only added root user in this example, we shall click on it
And the browser will open a new tab and usher us in.
If you have managed to reach this far, then you are amazing. Teleport is one promising project that inco-operates all of the security features you always envy to have in your environment. Not only does it service servers but also manages Kubernetes clusters and much more. Check it out at Teleport Page and enjoy.