3d02ae6279
* mfa: per-session MFA certs for SSH and Kubernetes This is client-side support for requesting single-use certs with an MFA check. The client doesn't know whether they need MFA check when accessing a resource, this is decided during an RBAC check on the server. So a client will always try to get a single-use cert, and the server will respond with NotNeeded if MFA is not required. This is an extra round-trip for every session which causes ~20% slowdown in SSH logins: ``` $ hyperfine '/tmp/tsh-old ssh talos date' '/tmp/tsh-new ssh talos date' Benchmark #1: /tmp/tsh-old ssh talos date Time (mean ± σ): 49.9 ms ± 1.0 ms [User: 15.1 ms, System: 7.4 ms] Range (min … max): 48.4 ms … 54.1 ms 59 runs Benchmark #2: /tmp/tsh-new ssh talos date Time (mean ± σ): 60.2 ms ± 1.6 ms [User: 19.1 ms, System: 8.3 ms] Range (min … max): 59.0 ms … 69.7 ms 50 runs Warning: Statistical outliers were detected. Consider re-running this benchmark on a quiet PC without any interferences from other programs. It might help to use the '--warmup' or '--prepare' options. Summary '/tmp/tsh-old ssh talos date' ran 1.21 ± 0.04 times faster than '/tmp/tsh-new ssh talos date' ``` Another few other internal changes: - client.LocalKeyAgent will now always have a non-nil LocalKeyStore. Previously, it would be nil (e.g. in a web UI handler or when using an identity file) which easily causes panics. I added a noLocalKeyStore type instead that returns errors from all methods. - requesting a user cert with a TTL < 1min will now succeed and return a 1min cert instead of failing * Capture access approvals on MFA-issued certs * Address review feedback * Address review feedback * mfa: accept unknown nodes during short-term MFA cert creation An unknown node could be an OpenSSH node set up via https://goteleport.com/teleport/docs/openssh-teleport/ In this case, we shouldn't prevent the user from connecting. There's a small risk of authz bypass - an attacker might know a different name/IP for a registered node which Teleport doesn't know about. But a Teleport node will still check RBAC and reject the connection. * Validate username against unmapped user identity IssueUserCertsWithMFA is called on the leaf auth server in case of trusted clusters. Username in the request object will be that of the original unmapped caller. * mfa: add IsMFARequired RPC This RPC is ran before every connection to check whether MFA is required. If a connection is against the leaf cluster, this request is forwarded from root to leaf for evaluation. * Fix integration tests * Correctly treat "Username" as login name in IsMFARequired Also, move the logic into auth.Server out of ServerWithRoles. * Fix TestHA * Address review feedback |
||
|---|---|---|
| .github | ||
| api | ||
| assets | ||
| build.assets | ||
| docker | ||
| docs | ||
| e@3ec91b6ad8 | ||
| examples | ||
| fixtures | ||
| integration | ||
| lib | ||
| rfd | ||
| tool | ||
| vagrant | ||
| vendor | ||
| webassets@778fa7368f | ||
| .drone.yml | ||
| .gitattributes | ||
| .gitignore | ||
| .gitmodules | ||
| CHANGELOG.md | ||
| CODE_OF_CONDUCT.md | ||
| constants.go | ||
| CONTRIBUTING.md | ||
| doc.go | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| Makefile | ||
| metrics.go | ||
| README.md | ||
| roles.go | ||
| roles_test.go | ||
| version.go | ||
| version.mk | ||
Teleport
Teleport is an identity-aware, multi-protocol access proxy which understands SSH, HTTPS, Kubernetes API, MySQL and PostgreSQL wire protocols.
On a server side, Teleport is a single binary which enables convenient secure access to behind-NAT resources such as:
- SSH nodes - SSH works in browsers too!
- Kubernetes clusters
- PostgreSQL and MySQL databases
- Internal Web apps
Teleport is trivial to setup as a Linux daemon or in a Kubernetes pod and it's rapidly
replacing legacy sshd based setups at organizations who need:
- Developer convenience of having instant secure access to everything they need across many environments and cloud providers.
- Audit log with session recording/replay for multiple protocols
- Easily manage trust between teams, organizations and data centers.
- Role-based access control (RBAC) and flexible access workflows (one-time access requests)
In addition to its hallmark features, Teleport is interesting for smaller teams because it facilitates easy adoption of the best infrastructure security practices like:
- No need to manage shared secrets such as SSH keys: Teleport uses certificate-based access with automatic certificate expiration time for all protocols.
- 2nd factor authentication (2FA) for everything.
- Collaboratively troubleshoot issues through session sharing.
- Single sign-on (SSO) for everything via Github Auth, OpenID Connect or SAML with endpoints like Okta or Active Directory.
- Infrastructure introspection: every SSH node, database instance, Kubernetes cluster or an internal web app and its status can be queried via CLI and Web UI.
Teleport is built on top of the high-quality Golang SSH
implementation and it is fully compatible with OpenSSH and can be used with
sshd servers and ssh clients.
| Project Links | Description |
|---|---|
| Teleport Website | The official website of the project. |
| Documentation | Admin guide, user manual and more. |
| Demo Video | 5-minute video overview of the UI. |
| Teleconsole | The free service to "invite" SSH clients behind NAT, built on top of Teleport. |
| Blog | Our blog where we publish Teleport news. |
| Forum | Ask us a setup question, post your tutorial, feedback or idea on our forum. |
| Slack | Need help with set-up? Ping us in Slack channel. |
Installing and Running
Download the latest binary release,
unpack the .tar.gz and run sudo ./install. This will copy Teleport binaries into
/usr/local/bin.
Then you can run Teleport as a single-node cluster:
$ sudo teleport start
In a production environment Teleport must run as root. But to play, just do chown $USER /var/lib/teleport
and run it under $USER, in this case you will not be able to login as someone else though.
Docker
Deploy Teleport
If you wish to deploy Teleport inside a Docker container:
# This command will pull the Teleport container image for version 5.0
# Replace 5.0 with the version you need:
$ docker pull quay.io/gravitational/teleport:5.0
View latest tags on Quay.io | gravitational/teleport
For Local Testing and Development
Follow instructions at docker/README
Building Teleport
Teleport source code consists of the actual Teleport daemon binary written in Golang, and also of a web UI (a git submodule located in /webassets directory) written in Javascript.
Make sure you have Golang v1.15 or newer, then run:
# get the source & build:
$ git clone https://github.com/gravitational/teleport.git
$ cd teleport
$ make full
# create the default data directory before starting:
$ sudo mkdir -p -m0700 /var/lib/teleport
$ sudo chown $USER /var/lib/teleport
If the build succeeds the binaries will be placed in
$GOPATH/src/github.com/gravitational/teleport/build
NOTE: The Go compiler is somewhat sensitive to amount of memory: you will need at least 1GB of virtual memory to compile Teleport. 512MB instance without swap will not work.
NOTE: This will build the latest version of Teleport, regardless of whether it is stable. If you want to build the latest stable release, git checkout to that tag (e.g. git checkout v5.0.0) before running make full.
Web UI
Teleport Web UI is located in the Gravitational Webapps repo.
Rebuilding Web UI for development
You can clone that repository and rebuild teleport UI package with:
$ git clone git@github.com:gravitational/webapps.git
$ cd webapps
$ make build-teleport
Then you can replace Teleport Web UI files with the one found in the generated /dist folder.
To enable speedy iterations on the Web UI, you can run a local web-dev server.
You can also tell teleport to load the Web UI assets from the source directory.
To enable this behavior, set the environment variable DEBUG=1 and rebuild with the default target:
# Run Teleport as a single-node cluster in development mode:
$ DEBUG=1 ./build/teleport start -d
Keep the server running in this mode, and make your UI changes in /dist directory.
Refer to the webapps README for instructions on how to update the Web UI.
Updating Web UI assets
After you commit a change to the webapps
repo, you need to update the Web UI
assets in the webassets/ git submodule.
Use make update-webassets to update the webassets repo and create a PR for
teleport to update its git submodule.
You will need to have the gh utility installed on your system for the script
to work. You can download it from https://github.com/cli/cli/releases/latest
Updating Documentation
TL;DR version:
make docs
make run-docs
For more details, take a look at docs/README
Managing dependencies
Dependencies are managed using Go modules. Here are instructions for some common tasks:
Add a new dependency
Latest version:
go get github.com/new/dependency
# Update the source to actually use this dependency, then run:
make update-vendor
Specific version:
go get github.com/new/dependency@version
# Update the source to actually use this dependency, then run:
make update-vendor
Set dependency to a specific version
go get github.com/new/dependency@version
make update-vendor
Update dependency to the latest version
go get -u github.com/new/dependency
make update-vendor
Update all dependencies
go get -u all
make update-vendor
Debugging dependencies
Why is a specific package imported: go mod why $pkgname.
Why is a specific module imported: go mod why -m $modname.
Why is a specific version of a module imported: go mod graph | grep $modname.
Why did We Build Teleport?
The Teleport creators used to work together at Rackspace. We noticed that most cloud computing users struggle with setting up and configuring infrastructure security because popular tools, while flexible, are complex to understand and expensive to maintain. Additionally, most organizations use multiple infrastructure form factors such as several cloud providers, multiple cloud accounts, servers in colocation, and even smart devices. Some of those devices run on untrusted networks, behind third party firewalls. This only magnifies complexity and increases operational overhead.
We had a choice, either to start a security consulting business or build a solution that’s dead-easy to use and understand, something that creates an illusion of all of your servers being in the same room as you as if they were magically teleported. And Teleport was born!
More Information
Support and Contributing
We offer a few different options for support. First of all, we try to provide clear and comprehensive documentation. The docs are also in Github, so feel free to create a PR or file an issue if you think improvements can be made. If you still have questions after reviewing our docs, you can also:
- Join Teleport Discussions to ask questions. Our engineers are available there to help you.
- If you want to contribute to Teleport or file a bug report/issue, you can do so by creating an issue here in Github.
- If you are interested in Teleport Enterprise or more responsive support during a POC, we can also create a dedicated Slack channel for you during your POC. You can reach out to us through our website to arrange for a POC.
Is Teleport Secure and Production Ready?
Teleport has completed several security audits from the nationally recognized technology security companies. Some of them have been made public. We are comfortable with the use of Teleport from a security perspective.
You can see the list of companies who use Teleport in production on the Teleport product page.
However, Teleport is still a relatively young product so you may experience usability issues. We are actively supporting Teleport and addressing any issues that are submitted to this repo. Ask questions, send pull requests, report issues and don't be shy! :)
The latest stable Teleport build can be found in Releases
Who Built Teleport?
Teleport was created by Gravitational Inc. We have built Teleport by borrowing from our previous experiences at Rackspace. It has been extracted from Gravity, our Kubernetes distribution optimized for deploying and remotely controlling complex applications into multiple environments at the same time:
- Multiple cloud regions
- Colocation
- Private enterprise clouds located behind firewalls