obj | website | repo |
---|---|---|
application | https://goteleport.com | https://github.com/gravitational/teleport |
Teleport
Teleport provides connectivity, authentication, access controls and audit for infrastructure.
It includes an identity-aware access proxy, a CA that issues short-lived certificates, a unified access control system and a tunneling system to access resources behind the firewall.
Teleport understands the SSH, HTTPS, RDP, Kubernetes API, MySQL, MongoDB and PostgreSQL wire protocols, plus many others. It can integrate with Single Sign-On providers and enables you to apply access policies using infrastructure-as-code and GitOps tools.
Setup
You need a domain pointing at your Teleport proxy instance. `public_addr` below advertises that domain on port 443, so whatever listens on the host's port 443 must reach the proxy's web listener (container port 3080; in `multiplex` mode that single port carries the Web UI, SSH, reverse tunnels and the other proxied protocols). As written, `acme: {}` and `https_keypairs: []` give the proxy no certificate source: enable ACME (`acme: enabled: "yes"` plus an `email`) or point `https_keypairs` at a certificate before exposing the proxy.
Docker-Compose (`docker-compose.yml`):
```yaml
version: '3'
services:
  teleport:
    image: public.ecr.aws/gravitational/teleport:14
    restart: unless-stopped
    hostname: <yourdomain.com>
    ports:
      - "3080:3080" # Web UI (and every proxied protocol in multiplex mode)
      - "3022:3022" # SSH service; unused while ssh_service is disabled below
      - "8443:8443" # HTTPS
    volumes:
      - ./config/teleport.yaml:/etc/teleport/teleport.yaml
      - ./data:/var/lib/teleport
```
`config/teleport.yaml` (the file mounted above):
```yaml
version: v3
teleport:
  nodename: <yourdomain.com>
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  proxy_listener_mode: multiplex
  authentication:
    type: local
    # Valid values are off, otp, webauthn, on, optional. "on" accepts OTP or
    # WebAuthn; quote it so YAML does not read it as a boolean.
    second_factor: "on"
    webauthn:
      # Must match the domain users reach the proxy on.
      rp_id: <yourdomain.com>
    connector_name: passwordless
ssh_service:
  enabled: "no"
proxy_service:
  enabled: "yes"
  public_addr: <yourdomain.com>:443
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}
```
SSH Agent Setup
- Install Teleport on the host you want to add as an SSH node. Pin the version to the one your cluster runs (the compose file above uses the 14.x image), and review the script first if piping it into bash is not acceptable in your environment:
```sh
curl https://goteleport.com/static/install.sh | bash -s 14.2.0
```
- On the Teleport auth server (the container above), create a join token. Tokens expire after 30 minutes by default; give it the shortest TTL the join will allow and copy it to the node out of band:
```sh
tctl tokens add --type=node --ttl=5m --format=text > token.file
```
- On the node, generate its configuration and join it to the cluster. `--proxy` is the proxy's `public_addr`:
```sh
sudo teleport node configure \
  --output=file:///etc/teleport.yaml \
  --token=/path/to/token.file \
  --proxy=tele.example.com:443
```
- Enable the Teleport service. If the install did not ship a unit, place this at `/etc/systemd/system/teleport.service`. Once the node has joined, the token file is no longer needed and should be deleted.
```ini
[Unit]
Description=Teleport Service
After=network.target

[Service]
Type=simple
Restart=on-failure
EnvironmentFile=-/etc/default/teleport
ExecStart=/usr/local/bin/teleport start --config /etc/teleport.yaml --pid-file=/run/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/teleport.pid
LimitNOFILE=524288

[Install]
WantedBy=multi-user.target
```
```sh
sudo systemctl daemon-reload
sudo systemctl enable --now teleport
```
tctl
Admin tool for the Teleport Access Platform
Usage: tctl [<flags>] <command> [<args> ...]
Commands
users add
Generate a user invitation token.
Usage: tctl users add --roles=ROLES [<flags>] <account>
Options
Option | Description |
---|---|
--logins | List of allowed SSH logins for the new user |
users update
Update user account.
Usage: tctl users update [<flags>] <account>
Options
Option | Description |
---|---|
--set-roles | List of roles for the user to assume, replaces current roles |
--set-logins | List of allowed SSH logins for the user, replaces current logins |
users ls
Lists all user accounts.
Usage: tctl users ls
users rm
Deletes user accounts.
Usage: tctl users rm <logins>
users reset
Reset user password and generate a new token.
Usage: tctl users reset <account>
nodes add
Generate a node invitation token.
Usage: tctl nodes add [<flags>]
Options
Option | Description |
---|---|
--roles | Comma-separated list of roles for the new node to assume |
--ttl | Time to live for a generated token |
nodes ls
List all active SSH nodes within the cluster.
Usage: tctl nodes ls [<flags>] [<labels>]
tokens add
Create an invitation token.
Usage: tctl tokens add --type=TYPE [<flags>]
Options
Option | Description |
---|---|
--type | Type(s) of token to add, e.g. --type=node,app,db,proxy,etc |
--labels | Set token labels, e.g. env=prod,region=us-west |
--ttl | Set expiration time for token, default is 30 minutes |
--format | Output format, 'text', 'json', or 'yaml' |
tokens rm
Delete/revoke an invitation token.
Usage: tctl tokens rm [<token>]
tokens ls
List node and user invitation tokens.
Usage: tctl tokens ls
status
Report cluster status.
Usage: tctl status
tsh
Teleport Command Line client for interacting with your infrastructure.
Usage: tsh [options...] <command> [<args> ...]
Options
Option | Description |
---|---|
--proxy | Teleport proxy address |
--user | Teleport user, defaults to current local user |
Commands
ssh
Run shell or execute a command on a remote SSH node.
Usage: tsh ssh [<flags>] <[user@]host> [<command>...]
scp
Transfer files to a remote SSH node.
Usage: tsh scp [<flags>] <from, to>...
ls
List remote SSH nodes.
Usage: tsh ls [<flags>] [<labels>]
login
Log in to a cluster and retrieve the session certificate.
Usage: tsh login [<flags>] [<cluster>]
logout
Delete a cluster certificate.
Usage: tsh logout
status
Display the list of proxy servers and retrieved certificates.
Usage: tsh status
config
Print SSH config details. This lets you use the regular ssh command (and tools built on it) to reach Teleport nodes through the proxy. Run it after `tsh login`, since the output is generated for the cluster you are logged in to, and note that `>>` appends: running it a second time adds a duplicate copy of the same Host block.
```sh
tsh config >> ~/.ssh/config
```
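Because `>>` accumulates one copy per run, a cleaner pattern is to keep the generated block in its own file and reference it once from `~/.ssh/config`. The script below is an added example, not code from this page or from Teleport: it reads `tsh config` output on stdin, writes it to `~/.ssh/teleport.conf` with tight permissions, and adds a single `Include` line, so it can be re-run after every login. The file name `teleport.conf`, the `--install` flag and the function names are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the page or from Teleport's own tooling: keep the
# `tsh config` output in a separate file that ~/.ssh/config Includes, so it can
# be regenerated after every `tsh login` without appending duplicate Host
# blocks. The function reads the config text from stdin, so it can be fed real
# `tsh config` output or constructed text for a dry run.
set -eu

# install_tsh_ssh_config <ssh-dir>
#   stdin:  text produced by `tsh config`
#   writes: <ssh-dir>/teleport.conf (mode 0600) and a single
#           "Include <ssh-dir>/teleport.conf" line at the top of <ssh-dir>/config
install_tsh_ssh_config() {
    ssh_dir=$1
    snippet="$ssh_dir/teleport.conf"
    config="$ssh_dir/config"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"

    # Write the snippet atomically so ssh never reads a half-written file.
    tmp=$(mktemp "$ssh_dir/.teleport.conf.XXXXXX")
    cat > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$snippet"

    # Create the main config if missing and tighten its mode; ssh refuses
    # group- or world-writable configs.
    [ -f "$config" ] || : > "$config"
    chmod 600 "$config"

    # Add the Include exactly once. It goes first because an Include that
    # follows a Host block is scoped to that block by OpenSSH.
    if ! grep -qxF "Include $snippet" "$config"; then
        tmp=$(mktemp "$ssh_dir/.config.XXXXXX")
        { printf 'Include %s\n' "$snippet"; cat "$config"; } > "$tmp"
        chmod 600 "$tmp"
        mv "$tmp" "$config"
    fi
}

# count_includes <ssh-dir>: number of Include lines for the snippet in config,
# useful for confirming that repeated runs stay idempotent (prints 0 if none).
count_includes() {
    grep -cxF "Include $1/teleport.conf" "$1/config" || true
}

# Real use, after `tsh login`:
#   tsh config | sh install_tsh_ssh_config.sh --install
if [ "${1:-}" = "--install" ]; then
    install_tsh_ssh_config "${HOME}/.ssh"
fi
```

Save it under any name (the comment assumes `install_tsh_ssh_config.sh`) and pipe `tsh config` into it with `--install` after each login; the second and later runs replace `teleport.conf` and leave the single `Include` line in place.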