77e8b63470
Added package cgroup to orchestrate cgroups. Only support for cgroup2 was added to utilize because cgroup2 cgroups have unique IDs that can be used correlated with BPF events. Added bpf package that contains three BPF programs: execsnoop, opensnoop, and tcpconnect. The bpf package starts and stops these programs as well correlating their output with Teleport sessions and emitting them to the audit log. Added support for Teleport to re-exec itself before launching a shell. This allows Teleport to start a child process, capture it's PID, place the PID in a cgroup, and then continue to process. Once the process is continued it can be tracked by it's cgroup ID. Reduced the total number of connections to a host so Teleport does not quickly exhaust all file descriptors. Exhausting all file descriptors happens very quickly when disk events are emitted to the audit log which are emitted at a very high rate. Added tarballs for exec sessions. Updated session.start and session.end events with additional metadata. Updated the format of session tarballs to include enhanced events. Added file configuration for enhanced session recording. Added code to startup enhanced session recording and pass package to SSH nodes. |
||
|---|---|---|
| assets | ||
| build.assets | ||
| docker | ||
| docs | ||
| e@821f9d64eb | ||
| examples | ||
| fixtures | ||
| integration | ||
| lib | ||
| modules/pam_teleport | ||
| tool | ||
| vagrant | ||
| vendor | ||
| web | ||
| .gitattributes | ||
| .gitignore | ||
| .gitmodules | ||
| CHANGELOG.md | ||
| CODE_OF_CONDUCT.md | ||
| constants.go | ||
| CONTRIBUTING.md | ||
| doc.go | ||
| Gopkg.lock | ||
| Gopkg.toml | ||
| LICENSE | ||
| Makefile | ||
| metrics.go | ||
| README.md | ||
| roles.go | ||
| version.go | ||
| version.mk | ||
Gravitational Teleport
Gravitational Teleport is a modern security gateway for remotely accessing:
- Clusters of Linux servers via SSH or SSH-over-HTTPS in a browser.
- Kubernetes clusters.
It is intended to be used instead or together with sshd for organizations who
need:
- SSH audit with session recording/replay.
- Kubernetes API Access with audit and
kubectl execrecording/replay. - Easily manage trust between teams, organizations and data centers.
- Have SSH or Kubernetes access to behind-firewall clusters without any open ports.
- Role-based access control (RBAC) for SSH protocol.
- Unified RBAC for SSH and Kubernetes.
In addition to its hallmark features, Teleport is interesting for smaller teams because it facilitates easy adoption of the best infrastructure security practices like:
- No need to distribute keys: Teleport uses certificate-based access with automatic certificate expiration time.
- 2nd factor authentication (2FA) for SSH and Kubernetes.
- Collaboratively troubleshoot issues through session sharing.
- Single sign-on (SSO) for SSH/Kubernetes and your organization identities via Github Auth, OpenID Connect or SAML with endpoints like Okta or Active Directory.
- Cluster introspection: every SSH node and its status can be queried via CLI and Web UI.
Teleport is built on top of the high-quality Golang SSH
implementation and it is fully compatible with OpenSSH and can be used with
sshd servers and ssh clients.
| Project Links | Description |
|---|---|
| Teleport Website | The official website of the project |
| Documentation | Admin guide, user manual and more |
| Demo Video | 3-minute video overview of the UI. |
| Teleconsole | The free service to "invite" SSH clients behind NAT, built on top of Teleport |
| Blog | Our blog where we publish Teleport news |
| Security Updates | Teleport Community Edition Security Updates |
| Community Forum | Teleport Community Forum |
Installing and Running
Download the latest binary release,
unpack the .tar.gz and run sudo ./install. This will copy Teleport binaries into
/usr/local/bin.
Then you can run Teleport as a single-node cluster:
$ sudo teleport start
In a production environment Teleport must run as root. But to play, just do chown $USER /var/lib/teleport
and run it under $USER, in this case you will not be able to login as someone else though.
If you wish to deploy Teleport inside a Docker container:
# This command will pull the Teleport container image for version 4.0.4
# Replace 4.0.4 with the version you need:
$ docker pull quay.io/gravitational/teleport:4.0.4
View latest tags on Quay.io | gravitational/teleport
Building Teleport
Teleport source code consists of the actual Teleport daemon binary written in Golang, and also
it has a web UI (located in /web directory) written in Javascript. The WebUI is not changed often
and we keep it checked into Git under /dist, so you only need to build Golang:
Make sure you have Golang v1.12 or newer, then run:
# get the source & build:
$ mkdir -p $GOPATH/src/github.com/gravitational
$ cd $GOPATH/src/github.com/gravitational
$ git clone https://github.com/gravitational/teleport.git
$ cd teleport
$ make full
# create the default data directory before starting:
$ sudo mkdir -p /var/lib/teleport
$ sudo chown $USER /var/lib/teleport
If the build succeeds the binaries will be placed in
$GOPATH/src/github.com/gravitational/teleport/build
NOTE: The Go compiler is somewhat sensitive to amount of memory: you will need at least 1GB of virtual memory to compile Teleport. 512MB instance without swap will not work.
NOTE: This will build the latest version of Teleport, regardless of whether it is stable. If you want to build the latest stable release, git checkout to that tag (e.g. git checkout v2.5.7) before running make full.
Rebuilding Web UI
To enable speedy iterations on the Web UI, teleport can load the web UI assets
from the source directory. To enable this behavior, set the environment variable
DEBUG=1 and rebuild with the default target:
$ make
# Run Teleport as a single-node cluster in development mode:
$ DEBUG=1 ./build/teleport start -d
Keep the server running in this mode, and make your UI changes in /dist directory.
Refer to web/README.md for instructions on how to update the Web UI.
Updating Documentation
TL;DR version:
make docs
make run-docs
For more details, take a look at docs/README
Why did We Build Teleport?
Mature tech companies with significant infrastructure footprints tend to implement most of these patterns internally. Teleport allows smaller companies without significant in-house SSH expertise to easily adopt them, as well. Teleport comes with an accessible Web UI and a very permissive Apache 2.0 license to facilitate adoption and use.
Being a complete standalone tool, Teleport can be used as a software library enabling trust management in complex multi-cluster, multi-region scenarios across many teams within multiple organizations.
More Information
Support and Contributing
We offer a few different options for support. First of all, we try to provide clear and comprehensive documentation. The docs are also in Github, so feel free to create a PR or file an issue if you think improvements can be made. If you still have questions after reviewing our docs, you can also:
- Join the Teleport Community to ask questions. Our engineers are available there to help you.
- If you want to contribute to Teleport or file a bug report/issue, you can do so by creating an issue here in Github.
- If you are interested in Teleport Enterprise or more responsive support during a POC, we can also create a dedicated Slack channel for you during your POC. You can reach out to us through our website to arrange for a POC.
Is Teleport Secure and Production Ready?
Teleport has completed several security audits from the nationally recognized technology security companies. Some of them have been made public. We are comfortable with the use of Teleport from a security perspective.
You can see the list of companies who use Teleport in production on the Teleport product page.
However, Teleport is still a relatively young product so you may experience usability issues. We are actively supporting Teleport and addressing any issues that are submitted to this repo. Ask questions, send pull requests, report issues and don't be shy! :)
The latest stable Teleport build can be found in Releases
Who Built Teleport?
Teleport was created by Gravitational Inc. We have built Teleport by borrowing from our previous experiences at Rackspace. It has been extracted from Gravity, our Kubernetes distribution optimized for deploying and remotely controlling complex applications into multiple environments at the same time:
- Multiple cloud regions
- Colocation
- Private enterprise clouds located behind firewalls