216 lines
No EOL
6 KiB
Markdown
216 lines
No EOL
6 KiB
Markdown
---
|
|
obj: application
|
|
website: https://goteleport.com
|
|
repo: https://github.com/gravitational/teleport
|
|
---
|
|
# Teleport
|
|
Teleport provides connectivity, authentication, access controls and audit for infrastructure.
|
|
|
|
It includes an identity-aware access proxy, a CA that issues short-lived certificates, a unified access control system and a tunneling system to access resources behind the firewall.
|
|
|
|
Teleport understands the [SSH](../network/SSH.md), HTTPS, RDP, Kubernetes API, MySQL, [MongoDB](../development/MongoDB.md) and PostgreSQL wire protocols, plus many others. It can integrate with Single Sign-On providers and enables you to apply access policies using infrastructure-as-code and GitOps tools.
|
|
|
|
## Setup
|
|
You need a [domain](../../internet/Domain.md) pointing at your teleport proxy instance.
|
|
|
|
Docker-Compose:
|
|
```yml
|
|
version: '3'
|
|
services:
|
|
teleport:
|
|
image: public.ecr.aws/gravitational/teleport:14
|
|
restart: unless-stopped
|
|
hostname: <yourdomain.com>
|
|
ports:
|
|
- "3080:3080" # Web UI
|
|
- "3022:3022" # SSH
|
|
- "8443:8443" # HTTPS
|
|
volumes:
|
|
- ./config/teleport.yaml:/etc/teleport/teleport.yaml
|
|
- ./data:/var/lib/teleport
|
|
```
|
|
|
|
teleport.yml:
|
|
```yml
|
|
version: v3
|
|
teleport:
|
|
nodename: <yourdomain.com>
|
|
data_dir: /var/lib/teleport
|
|
log:
|
|
output: stderr
|
|
severity: INFO
|
|
format:
|
|
output: text
|
|
ca_pin: ""
|
|
diag_addr: ""
|
|
auth_service:
|
|
enabled: "yes"
|
|
listen_addr: 0.0.0.0:3025
|
|
proxy_listener_mode: multiplex
|
|
authentication:
|
|
type: local
|
|
second_factor: true
|
|
webauthn:
|
|
rp_id: <yourdomain.com>
|
|
connector_name: passwordless
|
|
ssh_service:
|
|
enabled: "no"
|
|
proxy_service:
|
|
enabled: "yes"
|
|
public_addr: <yourdomain.com>:443
|
|
https_keypairs: []
|
|
https_keypairs_reload_interval: 0s
|
|
acme: {}
|
|
```
|
|
|
|
## [SSH](../network/SSH.md) Agent Setup
|
|
1. Install teleport on your host:
|
|
```shell
|
|
curl https://goteleport.com/static/install.sh | bash -s 14.2.0
|
|
```
|
|
2. On your teleport proxy, create a join token:
|
|
```shell
|
|
tctl tokens add --type=node --format=text > token.file
|
|
```
|
|
3. Join the server to the cluster:
|
|
```shell
|
|
sudo teleport node configure \
|
|
--output=file:///etc/teleport.yaml \
|
|
--token=/path/to/token.file \
|
|
--proxy=tele.example.com:443
|
|
```
|
|
4. Enable Teleport Service
|
|
```shell
|
|
[Unit]
|
|
Description=Teleport Service
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
Restart=on-failure
|
|
EnvironmentFile=-/etc/default/teleport
|
|
ExecStart=/usr/local/bin/teleport start --config /etc/teleport.yaml --pid-file=/run/teleport.pid
|
|
ExecReload=/bin/kill -HUP $MAINPID
|
|
PIDFile=/run/teleport.pid
|
|
LimitNOFILE=524288
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
```
|
|
|
|
|
|
## `tctl`
|
|
Admin tool for the Teleport Access Platform
|
|
Usage: `tctl [<flags>] <command> [<args> ...]`
|
|
|
|
### Commands
|
|
#### users add
|
|
Generate a user invitation token.
|
|
Usage: `tctl users add --roles=ROLES [<flags>] <account>`
|
|
|
|
##### Options
|
|
| Option | Description |
|
|
| -------- | ------------------------------------------- |
|
|
| --logins | List of allowed SSH logins for the new user |
|
|
|
|
#### users update
|
|
Update user account.
|
|
Usage: `tctl users update [<flags>] <account>`
|
|
|
|
##### Options
|
|
| Option | Description |
|
|
| -------------- | ---------------------------------------------------------------- |
|
|
| `--set-roles` | List of roles for the user to assume, replaces current roles |
|
|
| `--set-logins` | List of allowed SSH logins for the user, replaces current logins |
|
|
|
|
#### users ls
|
|
Lists all user accounts.
|
|
Usage: `tctl users ls`
|
|
|
|
#### users rm
|
|
Deletes user accounts.
|
|
Usage: `tctl users rm <logins>`
|
|
|
|
#### users reset
|
|
Reset user password and generate a new token.
|
|
Usage: `tctl users reset <account>`
|
|
|
|
#### nodes add
|
|
Generate a node invitation token.
|
|
Usage: `tctl nodes add [<flags>]`
|
|
|
|
##### Options
|
|
| Option | Description |
|
|
| --------- | -------------------------------------------------------- |
|
|
| `--roles` | Comma-separated list of roles for the new node to assume |
|
|
| `--ttl` | Time to live for a generated token |
|
|
|
|
#### nodes ls
|
|
List all active SSH nodes within the cluster.
|
|
Usage: `tctl nodes ls [<flags>] [<labels>]`
|
|
|
|
#### tokens add
|
|
Create a invitation token.
|
|
Usage: `tctl tokens add --type=TYPE [<flags>]`
|
|
|
|
##### Options
|
|
| Option | Description |
|
|
| ---------- | ------------------------------------------------------------ |
|
|
| `--type` | Type(s) of token to add, e.g. `--type=node,app,db,proxy,etc` |
|
|
| `--labels` | Set token labels, e.g. `env=prod,region=us-west` |
|
|
| `--ttl` | Set expiration time for token, default is 30 minutes |
|
|
| `--format` | Output format, 'text', 'json', or 'yaml' |
|
|
|
|
#### tokens rm
|
|
Delete/revoke an invitation token.
|
|
Usage: `tctl tokens rm [<token>]`
|
|
|
|
#### tokens ls
|
|
List node and user invitation tokens.
|
|
Usage: `tctl tokens ls`
|
|
|
|
#### status
|
|
Report cluster status.
|
|
Usage: `tctl status`
|
|
|
|
## `tsh`
|
|
Teleport Command Line client for interacting with your infrastructure.
|
|
Usage: `tsh [options...] <command> [<args> ...]`
|
|
|
|
### Options
|
|
| Option | Description |
|
|
| --------- | --------------------------------------------- |
|
|
| `--proxy` | Teleport proxy address |
|
|
| `--user` | Teleport user, defaults to current local user |
|
|
|
|
### Commands
|
|
#### ssh
|
|
Run shell or execute a command on a remote SSH node.
|
|
Usage: `tsh ssh [<flags>] <[user@]host> [<command>...]`
|
|
|
|
##### scp
|
|
Transfer files to a remote SSH node.
|
|
Usage: `tsh scp [<flags>] <from, to>...`
|
|
|
|
##### ls
|
|
List remote SSH nodes.
|
|
Usage: `tsh ls [<flags>] [<labels>]`
|
|
|
|
##### login
|
|
Log in to a cluster and retrieve the session certificate.
|
|
Usage: `tsh login [<flags>] [<cluster>]`
|
|
|
|
##### logout
|
|
Delete a cluster certificate.
|
|
Usage: `tsh logout`
|
|
|
|
##### status
|
|
Display the list of proxy servers and retrieved certificates.
|
|
Usage: `tsh status`
|
|
|
|
##### config
|
|
Print [SSH](../network/SSH.md) config details.
|
|
This allows you to use regular `ssh` command to connect to teleport servers.
|
|
```shell
|
|
tsh config >> ~/.ssh/config
|
|
``` |