knowledge/technology/applications/Teleport.md
2023-12-19 02:39:56 +01:00


| obj | website | repo |
| --- | --- | --- |
| application | https://goteleport.com | https://github.com/gravitational/teleport |

Teleport

Teleport provides connectivity, authentication, access controls and audit for infrastructure.

It includes an identity-aware access proxy, a CA that issues short-lived certificates, a unified access control system and a tunneling system to access resources behind the firewall.

Teleport understands the SSH, HTTPS, RDP, Kubernetes API, MySQL, MongoDB and PostgreSQL wire protocols, plus many others. It can integrate with Single Sign-On providers and enables you to apply access policies using infrastructure-as-code and GitOps tools.

Setup

You need a DNS name pointing at your Teleport proxy instance; it is used as the proxy's public address and as the WebAuthn relying-party ID below.

Docker-Compose:

version: '3'
services:
  teleport:
    image: public.ecr.aws/gravitational/teleport:14
    restart: unless-stopped
    hostname: <yourdomain.com>
    ports:
      - "3080:3080"  # Web UI
      - "3022:3022"  # SSH
      - "8443:8443"  # HTTPS
    volumes:
      - ./config/teleport.yaml:/etc/teleport/teleport.yaml
      - ./data:/var/lib/teleport

teleport.yaml (mounted into the container at /etc/teleport/teleport.yaml by the compose file above):

version: v3
teleport:
  nodename: <yourdomain.com>
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  proxy_listener_mode: multiplex
  authentication:
    type: local
    second_factor: "on"   # a mode string (off/otp/webauthn/on/optional), not a YAML boolean; passwordless needs a WebAuthn-capable mode
    webauthn:
      rp_id: <yourdomain.com>   # must match the host part of proxy_service.public_addr
    connector_name: passwordless
ssh_service:
  enabled: "no"
proxy_service:
  enabled: "yes"
  public_addr: <yourdomain.com>:443
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}
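As an added example that is not part of the original note or of Teleport itself, the following Python script checks the cross-field invariants of the teleport.yaml above: second_factor is a mode string that can serve WebAuthn when the passwordless connector is used, webauthn.rp_id matches the host part of public_addr, ssh_service stays disabled on the auth/proxy container, and proxy_listener_mode is multiplex because the compose file publishes only the web port. It assumes tele.example.com in place of <yourdomain.com> and works on a hand-transcribed dict rather than parsing YAML.

```python
# Constructed: the teleport.yaml above as a dict, with the placeholder
# <yourdomain.com> replaced by the assumed hostname tele.example.com.
SAMPLE_CONFIG = {
    "version": "v3",
    "auth_service": {
        "enabled": "yes",
        "proxy_listener_mode": "multiplex",
        "authentication": {"type": "local", "second_factor": "on",
                           "connector_name": "passwordless",
                           "webauthn": {"rp_id": "tele.example.com"}},
    },
    "ssh_service": {"enabled": "no"},
    "proxy_service": {"enabled": "yes", "public_addr": "tele.example.com:443"},
}

# second_factor modes under which Teleport can serve WebAuthn (and so passwordless).
WEBAUTHN_CAPABLE = {"on", "optional", "webauthn"}
VALID_SECOND_FACTOR = {"off", "otp", "webauthn", "on", "optional"}


def public_host(public_addr):
    """Drop the optional :port from proxy_service.public_addr (host[:port])."""
    return public_addr.rsplit(":", 1)[0] if ":" in public_addr else public_addr


def check_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    auth = cfg.get("auth_service", {})
    authn = auth.get("authentication", {})
    ssh = cfg.get("ssh_service", {})
    proxy = cfg.get("proxy_service", {})

    # YAML booleans (true/yes) are not modes; str() makes a stray bool visible.
    sf = str(authn.get("second_factor", "")).lower()
    if sf not in VALID_SECOND_FACTOR:
        findings.append(f"second_factor must be off/otp/webauthn/on/optional, got {sf!r}")
    if authn.get("connector_name") == "passwordless" and sf not in WEBAUTHN_CAPABLE:
        findings.append("passwordless connector needs a WebAuthn-capable second_factor")
    # Browsers bind WebAuthn credentials to rp_id, so it must match the host users visit.
    rp_id = authn.get("webauthn", {}).get("rp_id")
    host = public_host(proxy.get("public_addr", ""))
    if rp_id and host and rp_id != host:
        findings.append(f"webauthn.rp_id {rp_id!r} != public_addr host {host!r}")
    if str(ssh.get("enabled", "yes")).lower() not in ("no", "false"):
        findings.append("ssh_service is enabled on the auth/proxy container")
    if auth.get("proxy_listener_mode") != "multiplex":
        findings.append("only the web port is published, so proxy_listener_mode should be multiplex")
    return findings
```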

SSH Agent Setup

  1. Install Teleport on your host:
    curl https://goteleport.com/static/install.sh | bash -s 14.2.0
    
  2. On your teleport proxy, create a join token:
    tctl tokens add --type=node --format=text > token.file
    
  3. Join the server to the cluster:
    sudo teleport node configure \
    --output=file:///etc/teleport.yaml \
    --token=/path/to/token.file \
    --proxy=tele.example.com:443
    
  4. Enable the Teleport service by installing a systemd unit:
[Unit]
Description=Teleport Service
After=network.target

[Service]
Type=simple
Restart=on-failure
EnvironmentFile=-/etc/default/teleport
ExecStart=/usr/local/bin/teleport start --config /etc/teleport.yaml --pid-file=/run/teleport.pid
ExecReload=/bin/kill -HUP $MAINPID
PIDFile=/run/teleport.pid
LimitNOFILE=524288

[Install]
WantedBy=multi-user.target

tctl

Admin tool for the Teleport Access Platform
Usage: tctl [<flags>] <command> [<args> ...]

Commands

users add

Generate a user invitation token.
Usage: tctl users add --roles=ROLES [<flags>] <account>

Options
| Option | Description |
| --- | --- |
| --logins | List of allowed SSH logins for the new user |

users update

Update user account.
Usage: tctl users update [<flags>] <account>

Options
| Option | Description |
| --- | --- |
| --set-roles | List of roles for the user to assume, replaces current roles |
| --set-logins | List of allowed SSH logins for the user, replaces current logins |

users ls

Lists all user accounts.
Usage: tctl users ls

users rm

Deletes user accounts.
Usage: tctl users rm <logins>

users reset

Reset user password and generate a new token.
Usage: tctl users reset <account>

nodes add

Generate a node invitation token.
Usage: tctl nodes add [<flags>]

Options
| Option | Description |
| --- | --- |
| --roles | Comma-separated list of roles for the new node to assume |
| --ttl | Time to live for a generated token |

nodes ls

List all active SSH nodes within the cluster.
Usage: tctl nodes ls [<flags>] [<labels>]

tokens add

Create an invitation token.
Usage: tctl tokens add --type=TYPE [<flags>]

Options
| Option | Description |
| --- | --- |
| --type | Type(s) of token to add, e.g. --type=node,app,db,proxy,etc |
| --labels | Set token labels, e.g. env=prod,region=us-west |
| --ttl | Set expiration time for token, default is 30 minutes |
| --format | Output format, 'text', 'json', or 'yaml' |

tokens rm

Delete/revoke an invitation token.
Usage: tctl tokens rm [<token>]

tokens ls

List node and user invitation tokens.
Usage: tctl tokens ls

status

Report cluster status.
Usage: tctl status

tsh

Teleport Command Line client for interacting with your infrastructure.
Usage: tsh [options...] <command> [<args> ...]

Options

| Option | Description |
| --- | --- |
| --proxy | Teleport proxy address |
| --user | Teleport user, defaults to current local user |

Commands

ssh

Run shell or execute a command on a remote SSH node.
Usage: tsh ssh [<flags>] <[user@]host> [<command>...]

scp

Transfer files to a remote SSH node.
Usage: tsh scp [<flags>] <from, to>...

ls

List remote SSH nodes.
Usage: tsh ls [<flags>] [<labels>]

login

Log in to a cluster and retrieve the session certificate.
Usage: tsh login [<flags>] [<cluster>]

logout

Delete a cluster certificate.
Usage: tsh logout

status

Display the list of proxy servers and retrieved certificates.
Usage: tsh status

config

Print SSH config details.
This lets you use the regular ssh command to connect to Teleport nodes through the proxy:

tsh config >> ~/.ssh/config