Teleport – The Easiest and Most Secure Way to Manage Infrastructure
Teleport is a certificate authority and access plane for your infrastructure.
Teleport allows you to:
- Access your databases, desktops, Kubernetes clusters, SSH servers, and web applications with a single solution.
- Create sophisticated access controls with fine-grained audit logs and session recordings for each part of your infrastructure.
- Integrate with single sign-on providers such as GitHub, Okta, and Google Workspace to automatically onboard and offboard users.
Teleport is an excellent solution when you need to manage many servers from a central place: you SSH into the servers through Teleport and grant role-based access to specific users with minimal privileges, two-factor authentication, and single sign-on. Every session is secured and monitored.
Teleport is open-source software created by Gravitational and offered in a community edition. It can be installed directly on a host or run as a containerized application. To protect access to all of your SSH servers, use CA pinning (so nodes trust only the cluster's own certificate authority) together with industry-standard protocols.
Setting up Teleport
In this section, we will install Teleport on an Ubuntu host and add the servers we wish to manage through it. Additionally, we'll set up GitHub-based single sign-on authentication.
1. Execute the following commands for Ubuntu:
```shell
sudo curl https://deb.releases.teleport.dev/teleport-pubkey.asc \
  -o /usr/share/keyrings/teleport-archive-keyring.asc
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] https://deb.releases.teleport.dev/ stable main" \
  | sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
sudo apt-get update
sudo apt-get install teleport
```
Follow this link to learn about other OS/Architectures: https://goteleport.com/docs/installation
2. Run the following command to configure this machine as the Teleport host server (the auth and proxy services):
```shell
sudo teleport configure -o file \
  --cluster-name=tele.example.com \
  --public-addr=tele.example.com:443 \
  --cert-file=<path to cert file> \
  --key-file=<path to key file>
```
Next, set up Teleport to give secure access to your web service. Your /etc/teleport.yaml on the host should look something like this:
```yaml
teleport:
  nodename: <Name of the node>
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
  ca_pin: <Enter CA pin here>
auth_service:
  enabled: "yes"
  authentication:
    type: github
  listen_addr: 0.0.0.0:3025
  cluster_name: <Name of the cluster>
ssh_service:
  enabled: "yes"
  labels:
    env: dev
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  public_addr: <domain name>:3080
  https_keypairs:
  - key_file: <path to ssl key>
    cert_file: <Path to .crt file>
```
3. Add servers or nodes to the host server:
Running ‘tctl nodes add’ on the host server prints a CA pin and a secret join token; keep both for the node configuration below. Now SSH into the node server and repeat step 1 to install Teleport.
Create /etc/teleport.yaml on this node server:
```yaml
teleport:
  nodename: <name of the node>
  data_dir: /var/lib/teleport
  auth_token: <Got from host server>
  auth_servers:
  - tele.example.com:3080
  log:
    output: stderr
    severity: INFO
  ca_pin: <got from host server>
auth_service:
  enabled: no
ssh_service:
  enabled: yes
  labels:
    environment: dev
    name: <name of the node>
proxy_service:
  enabled: no
```
Now start Teleport in the foreground:
```shell
sudo teleport start
```
Or enable it as a service (this creates a systemd symlink and starts Teleport in the background):
```shell
sudo systemctl enable teleport --now
```
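Before starting Teleport on a freshly configured node it is worth checking that the node-side teleport.yaml really is node-only: a well-formed ca_pin, a real join token rather than the placeholder, and auth_service/proxy_service switched off. The script below is an added example (not part of the original article or the Teleport project) that performs those checks on the parsed config; the config dict, node name and pin value are constructed placeholders, and in practice you would load the file with yaml.safe_load.

```python
import re

# Constructed sample: the node-side teleport.yaml from the text, already parsed
# (in practice: yaml.safe_load(open("/etc/teleport.yaml"))). The auth_token is
# deliberately left as the placeholder to show the check firing.
NODE_CONFIG = {
    "teleport": {
        "nodename": "web-01",                        # constructed
        "data_dir": "/var/lib/teleport",
        "auth_token": "<Got from host server>",      # placeholder left in
        "auth_servers": ["tele.example.com:3080"],
        "ca_pin": "sha256:" + "ab" * 32,             # constructed, well-formed pin
    },
    "auth_service": {"enabled": "no"},
    "ssh_service": {"enabled": "yes", "labels": {"environment": "dev", "name": "web-01"}},
    "proxy_service": {"enabled": "no"},
}

# A CA pin as printed by `tctl nodes add`: "sha256:" followed by 64 hex characters.
CA_PIN_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# Unfilled placeholders from the article look like <...>.
PLACEHOLDER_RE = re.compile(r"^<.*>$")


def is_enabled(value):
    """Teleport accepts YAML booleans as well as yes/no strings for 'enabled'."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("yes", "true", "on", "1")


def lint_node_config(cfg):
    """Return a list of findings for a node-only teleport.yaml; an empty list means OK."""
    findings = []
    t = cfg.get("teleport", {})

    # ca_pin may be a single string or (in newer versions) a list of pins.
    pin = t.get("ca_pin", "")
    pins = pin if isinstance(pin, list) else [pin]
    if not pins or not all(CA_PIN_RE.match(str(p)) for p in pins):
        findings.append("ca_pin missing or malformed: node would join without pinning the auth CA")

    token = str(t.get("auth_token", ""))
    if not token or PLACEHOLDER_RE.match(token):
        findings.append("auth_token is empty or still a placeholder")

    if not t.get("auth_servers"):
        findings.append("auth_servers is empty")

    # A node must not run the auth or proxy services; only the host does.
    if is_enabled(cfg.get("auth_service", {}).get("enabled", False)):
        findings.append("auth_service is enabled on a node; only the host should run it")
    if is_enabled(cfg.get("proxy_service", {}).get("enabled", False)):
        findings.append("proxy_service is enabled on a node; only the host should run it")
    if not is_enabled(cfg.get("ssh_service", {}).get("enabled", False)):
        findings.append("ssh_service is disabled; the node would register nothing")
    return findings


if __name__ == "__main__":
    for finding in lint_node_config(NODE_CONFIG) or ["config looks good"]:
        print(finding)
```

Run it against the real file by replacing NODE_CONFIG with the yaml.safe_load result; a non-empty list is a reason not to run `teleport start` yet.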
4. Add SSO roles and user roles:
```yaml
kind: github
version: v3
metadata:
  # connector name that will be used with `tsh --auth=github login`
  name: github
spec:
  client_id: <>            # client ID of GitHub OAuth app
  client_secret: <>        # client secret of GitHub OAuth app
  # connector display name that will be shown on the web UI login screen
  display: Github
  # callback URL that will be called after successful authentication
  redirect_url: https://tele.example.com:3080/v1/webapi/github/callback
  # mapping of org/team memberships onto allowed logins and roles
  teams_to_logins:
  - organization: <>       # GitHub organization name
    team: <>               # GitHub team name within that organization
    # allowed logins (Teleport roles) for users in this org/team
    logins:
    - sso-users            # admin role, defined in sso.yaml below
  - organization: <>       # GitHub organization name
    team: <>               # GitHub team name within that organization
    # allowed logins (Teleport roles) for users in this org/team
    logins:
    - developer            # user role, defined in developer.yaml below
```
```yaml
kind: role
version: v3
metadata:
  name: sso-users
spec:
  allow:
    logins: [ubuntu]
    node_labels:
      '*': '*'
    rules:
    - resources: [role]
      verbs: [list, create, read, update, delete]
    - resources: [auth_connector]
      verbs: [list, create, read, update, delete]
    - resources: [session]
      verbs: [list, read]
    - resources: [trusted_cluster]
      verbs: [list, create, read, update, delete]
    - resources: [event]
      verbs: [list, read]
    - resources: [user]
      verbs: [list, create, read, update, delete]
    - resources: [token]
      verbs: [list, create, read, update, delete]
```
```yaml
kind: role
version: v3
metadata:
  name: developer
spec:
  allow:
    logins: [<local server username for login>]
    node_labels:
      'name':
      - <name of the node/server where we have to login>
```
Save the three definitions as github.yaml, sso.yaml and developer.yaml, then execute the commands below on the host server to create the connector and roles:
```shell
tctl create -f github.yaml
tctl create -f sso.yaml
tctl create -f developer.yaml
```
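Two mistakes are easy to make with the files above: a team mapping that names a role which does not exist (the user authenticates at GitHub but gets no access), and a role that is meant for ordinary users but carries the `'*': '*'` node_labels wildcard, which defeats the least-privilege intent of the developer role. The script below is an added example (not part of the original article or the Teleport project) that lints the connector and roles for those two problems; the team names, role contents and node name are constructed placeholders, and in practice you would load the three YAML files with yaml.safe_load.

```python
# Constructed sample: the GitHub connector and the two roles from the text,
# as parsed dicts (in practice: yaml.safe_load on github.yaml, sso.yaml,
# developer.yaml). Team and node names are constructed placeholders.
CONNECTOR = {
    "kind": "github", "version": "v3",
    "metadata": {"name": "github"},
    "spec": {
        "teams_to_logins": [
            {"organization": "<>", "team": "ops", "logins": ["sso-users"]},
            {"organization": "<>", "team": "dev", "logins": ["developer"]},
        ]
    },
}

ROLES = [
    {"kind": "role", "version": "v3", "metadata": {"name": "sso-users"},
     "spec": {"allow": {
         "logins": ["ubuntu"],
         "node_labels": {"*": "*"},
         "rules": [
             {"resources": ["role"], "verbs": ["list", "create", "read", "update", "delete"]},
             {"resources": ["user"], "verbs": ["list", "create", "read", "update", "delete"]},
         ]}}},
    {"kind": "role", "version": "v3", "metadata": {"name": "developer"},
     "spec": {"allow": {
         "logins": ["deploy"],                     # constructed OS login
         "node_labels": {"name": ["web-01"]}}}},   # constructed node name
]

# Resources whose create/update/delete rights make a role an admin role.
ADMIN_RESOURCES = {"role", "auth_connector", "user", "token", "trusted_cluster"}


def is_admin_role(role):
    """True if the role may create/update/delete RBAC or auth objects."""
    for rule in role["spec"]["allow"].get("rules", []):
        if (set(rule.get("resources", [])) & ADMIN_RESOURCES
                and set(rule.get("verbs", [])) & {"create", "update", "delete"}):
            return True
    return False


def lint_rbac(connector, roles):
    """Return findings for a connector plus role set; an empty list means consistent."""
    findings = []
    by_name = {r["metadata"]["name"]: r for r in roles}
    mappings = connector["spec"]["teams_to_logins"]

    # 1. Every role referenced from a team mapping must actually be defined.
    for m in mappings:
        for role_name in m.get("logins", []):
            if role_name not in by_name:
                findings.append(f"team {m.get('team')}: maps to undefined role '{role_name}'")

    # 2. Non-admin roles must be scoped by labels, and every role needs an OS login.
    for name, role in by_name.items():
        allow = role["spec"]["allow"]
        if allow.get("node_labels", {}).get("*") == "*" and not is_admin_role(role):
            findings.append(f"role '{name}': wildcard node_labels on a non-admin role")
        if not allow.get("logins"):
            findings.append(f"role '{name}': no OS logins; users would get no SSH access")

    # 3. A defined role that no team maps to is unreachable through SSO.
    mapped = {r for m in mappings for r in m.get("logins", [])}
    for name in by_name:
        if name not in mapped:
            findings.append(f"role '{name}': not mapped from any GitHub team")
    return findings


if __name__ == "__main__":
    for finding in lint_rbac(CONNECTOR, ROLES) or ["connector and roles are consistent"]:
        print(finding)
```

The typo check matters because `tctl create` accepts a connector that references a role which does not exist; the failure only shows up when a user logs in.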
5. Navigate to https://tele.example.com:3080
A login page will appear; sign in with your GitHub account to reach the Teleport console, which lists all the nodes you are allowed to access as a developer.