mirror of https://github.com/gravitational/teleport synced 2024-10-22 18:23:25 +00:00

Find a file

Alexey Kontsevoy f6fd3fcdb6 Merge branch 'master' of github.com:gravitational/teleport		2016-03-17 15:28:52 -04:00
assets	Minor code refactoring and commenting...	2016-02-29 19:00:45 -08:00
build.assets	run jenkins tests as a non-root user	2016-03-16 23:35:58 -07:00
deploy	Updated the provisioning script with new set of RSA keys	2016-02-29 16:53:14 -08:00
docs	Refactored: renamed fqdn to domainName, renaimed CAservice names	2015-11-20 13:15:48 -08:00
fixtures	add TLS client authentication for ETCD	2016-03-16 18:30:00 -07:00
Godeps	vendor deps	2016-03-16 18:30:51 -07:00
lib	add TLS client authentication for ETCD	2016-03-16 18:30:00 -07:00
tool	add TLS client authentication for ETCD	2016-03-16 18:30:00 -07:00
vendor	vendor deps	2016-03-16 18:30:51 -07:00
web	(web) improvements to user icons and to inputSearch component.	2016-03-17 15:28:42 -04:00
.gitignore	Clode / structure cleanup	2016-03-15 20:45:04 -07:00
constants.go	Minor code cleanup	2016-03-15 19:57:02 -07:00
errors.go	Introduce auth server and proxy heartbeats	2016-03-13 18:15:09 -07:00
LICENSE
Makefile	add TLS client authentication for ETCD	2016-03-16 18:30:00 -07:00
README.md	Update README.md	2016-03-10 10:22:24 -08:00
roles.go	Introduce auth server and proxy heartbeats	2016-03-13 18:15:09 -07:00

README.md

Teleport

Teleport is a SSH infrastructure for clusters of Linux servers. Teleport extends traditional SSH with the following capabilities:

Provides coordinated and secure access to multiple Linux clusters by multiple teams with different permissions.
Enforces cluster-specific security policies.
Includes session record/replay and keeps audit logs.

It also contains a few nice conveniences like built-in command multiplexing, web-based administration and more. Teleport is a standalone executable.

Teleport uses Etcd in HA mode or Boltdb in standalone mode.

Deploying

Every commit to master branch triggers Jenkins to deploy to https://teleport.gravitational.io You can also deploy via Slack by sending a /deploy message like this:

/deploy teleport staging master

Status

Teleport is not ready to be used in production yet

We are currently fixing outstanding security issues, and working on hardening.

Design document

Take a look at Teleport design document

Developer Docs

Take a look at Developer API

Overview

Teleport system consists of several independent parts that can be set up in various combinations:

Teleport Auth

Auth server acts as Authentication and Authorization server, SSH host and user certificate authority, stores audit logs and access records and is the only stateful component in the system.

Note Read more about SSH authorities in this intro article Note Auth server does not itself provide any support for interactive sessions and remote command execution

Teleport SSH

Teleport SSH server is a simple stateless server written in Go that only supports SSH user certificates as authentication method, generates structured events and supports interactive collaborative sessions.

Teleport Proxy

Teleport Proxy is a stateless SSH proxy that implements 2-factor web authentication and proxies traffic to the remote SSH nodes.

Installation

Teleport is open source, however it and should be cloned from the repository.

Prerequisites

go >= 1.4.2
etcd >= v2.0.10 (in case of HA mode)

Clone the latest master

mkdir -p $(GOPATH)/src/github/gravitational
cd $(GOPATH)/src/github/gravitational
git clone git@github.com:gravitational/teleport.git

Compile

make install

This should install teleport and tctl binaries, check that the binaries are installed.

ls ${GOPATH}/bin/tctl ${GOPATH}/bin/teleport

Quickstart

# create the directory where auth server will keep it's local state
mkdir -p /var/lib/teleport
# make sure it is not owned by root
chown <<USER>>:<<GROUP>> /var/lib/teleport

# start teleport in embedded mode
teleport start

Note: run-embedded executes teleport with configuration file in examples/embedded.yaml check it out for more details

Web access via proxy

Teleport allows to access the cluster via web portal. The web portal is guarded by 2-factor authentication. Here's how to log in:

Create a user entry:

tctl users add alex root,centos

And follow instructions.

OpenSSH client -> Teleport Proxy

To use OpenSSH client with Teleport you need to run Teleport ssh agent on your local machine.

tsh --proxy=<addr> login

This command will retrieve and store user certificates signed by the proper certificate authority

Start the agent

tsh --proxy=<addr> agent

It will output something like:

SSH_AUTH_SOCK=/tmp/316b647c-a81c-4d7c-a916-1c80f38ce0f6.socket; export SSH_AUTH_SOCK;

You can simply copy and paste this into terminal to tell your SSH client to use agent

Tell OpenSSH to use proxy as a jump host using config

Host *
     ForwardAgent no

# tells open ssh to use proxy.example.com as a jumphost when logging
# to any server matching patter *.node.example.com
# beware of recurison here (when proxy name matches your pattern)
Host *.node.example.com
  ProxyCommand ssh -p 3023 %r@proxy.example.com -s proxy:%h:%p

Tell OpenSSH client to trust hosts managed by teleport

tctl authorities --type=host export >> ~/.ssh/authorized_keys

Then you can connect to your ssh nodes as usual:

  ssh -p 22 user@a.node.example.com

Teleport Proxy -> OpenSSH server

Export user certificate authorities used by Teleport to a file

tctl authorities --type=user export > /etc/ssh/user-ca.pub

Tell OpenSSH to trust exporeted authorities

In your /etc/ssh/sshd_config

# this instructs OpenSSH to trust certificates signed by teleport's user authorities
TrustedUserCAKeys /etc/ssh/user-ca.pub

Ansible

By default Ansible uses OpenSSH client. To make Ansible work with Teleport you need:

config your OpenSSH client
enable scp mode in the Ansible config file(default /etc/ansible/ansible.cfg):

scp_if_ssh = True