Teleport is a certificate authority and access plane for your infrastructure.
Teleport allows you to:
- Access your databases, desktops, Kubernetes clusters, SSH servers, and web applications with a single solution.
- Create sophisticated access controls with fine-grained audit logs and session recordings for every part of your infrastructure.
- Integrate with single sign-on providers such as GitHub, Okta, and Google Workspace to automatically onboard and offboard users.
Teleport is an excellent fit if you want to manage many servers from one central point: users SSH into the servers through Teleport, and you grant role-based access to specific users with minimal privileges, two-factor authentication, and single sign-on. Every session is authenticated, encrypted, and recorded.
Teleport is open-source software created by Gravitational (the company has since renamed itself Teleport) and is offered in a community edition. It can be installed directly on a host or run as a container. Because Teleport becomes the front door to all of your SSH servers, protect it with CA pinning for joining nodes and with current, standard TLS and SSH configurations.
Setting up Teleport
In this walkthrough we install Teleport on Ubuntu, add the servers we want to manage to it, and set up GitHub-based single sign-on.
1. Execute the following commands for Ubuntu:
sudo curl https://deb.releases.teleport.dev/teleport-pubkey.asc \
-o /usr/share/keyrings/teleport-archive-keyring.asc
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] https://deb.releases.teleport.dev/ stable main" \
| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null
sudo apt-get update
sudo apt-get install teleport
Follow this link to learn about other OS/Architectures: https://goteleport.com/docs/installation
2. Run teleport configure on the machine that will be the Teleport host (it runs the auth and proxy services). The public address is the name and port that users and nodes connect to, so use the same port (3080) that the rest of this guide uses:
sudo teleport configure -o file \
--cluster-name=tele.example.com \
--public-addr=tele.example.com:3080 \
--cert-file=<path to cert file> \
--key-file=<path to key file>
The command writes /etc/teleport.yaml. Edit it so that the auth, SSH and proxy services are enabled on this host and authentication is delegated to GitHub; cluster_name and public_addr must match the values passed to teleport configure. A ca_pin does not belong here: the auth server issues the pin, and it is consumed by the nodes that join in step 3. The file should look like this:
teleport:
  nodename: <Name of the node>
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
auth_service:
  enabled: "yes"
  authentication:
    type: github
  listen_addr: 0.0.0.0:3025
  cluster_name: <Name of the cluster>
ssh_service:
  enabled: "yes"
  labels:
    env: dev
  commands:
    - name: hostname
      command: [hostname]
      period: 1m0s
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  public_addr: <domain name>:3080
  https_keypairs:
    - key_file: <path to ssl key>
      cert_file: <Path to .crt file>
3. Add servers (nodes) to the cluster:
On the host server run ‘tctl nodes add’; it prints a join token and the cluster's CA pin. The token expires after 30 minutes by default, so use it promptly. SSH into the node, repeat step 1 to install Teleport, and create /etc/teleport.yaml on the node with that token and pin:
teleport:
  nodename: <name of the node>
  data_dir: /var/lib/teleport
  auth_token: <token printed by tctl nodes add>
  auth_servers:
    - tele.example.com:3080
  log:
    output: stderr
    severity: INFO
  ca_pin: <CA pin printed by tctl nodes add>
auth_service:
  enabled: no
ssh_service:
  enabled: yes
  labels:
    environment: dev
    name: <name of the node>
proxy_service:
  enabled: no
The ca_pin makes the node verify the auth server's CA against the pinned hash when it joins, so a stolen or leaked token cannot be used to redirect the node to an impostor auth server. Then start Teleport: either run ‘teleport start’ in the foreground, or enable and start it as a service with ‘systemctl enable teleport --now’ (this creates the unit symlink and starts Teleport in the background).
4. Add the SSO connector and the roles it maps to:
github.yaml
kind: github
version: v3
metadata:
  # connector name that will be used with `tsh --auth=github login`
  name: github
spec:
  client_id: <>     # client ID of the GitHub OAuth app
  client_secret: <> # client secret of the GitHub OAuth app
  # connector display name shown on the web UI login screen
  display: Github
  # callback URL GitHub redirects to after a successful authentication;
  # it must match the callback URL registered on the OAuth app
  redirect_url: https://tele.example.com:3080/v1/webapi/github/callback
  # mapping of org/team memberships onto Teleport roles: the names listed
  # under logins are the roles defined in sso.yaml and developer.yaml
  # (newer Teleport releases spell this teams_to_roles with a roles list)
  teams_to_logins:
    - organization: <> # GitHub organization name
      team: <>         # GitHub team name within that organization
      logins:
        - sso-users    # admin role
    - organization: <> # GitHub organization name
      team: <>         # GitHub team name within that organization
      logins:
        - developer    # restricted developer role
sso.yaml
This is the administrative role: the ubuntu login on every node, plus full control over roles, connectors, users and join tokens.
kind: role
version: v3
metadata:
  name: sso-users
spec:
  allow:
    logins: [ubuntu]
    node_labels:
      '*': '*'
    rules:
      - resources: [role]
        verbs: [list, create, read, update, delete]
      - resources: [auth_connector]
        verbs: [list, create, read, update, delete]
      - resources: [session]
        verbs: [list, read]
      - resources: [trusted_cluster]
        verbs: [list, create, read, update, delete]
      - resources: [event]
        verbs: [list, read]
      - resources: [user]
        verbs: [list, create, read, update, delete]
      - resources: [token]
        verbs: [list, create, read, update, delete]
developer.yaml
The developer role is the least-privilege counterpart: a single OS login, and only on the nodes whose name label matches.
kind: role
version: v3
metadata:
  name: developer
spec:
  allow:
    logins: [<local server username for login>]
    node_labels:
      'name':
        - <name of the node/server where we have to login>
Create the connector and both roles on the host server:
tctl create -f github.yaml
tctl create -f sso.yaml
tctl create -f developer.yaml
5. Navigate to https://tele.example.com:3080
A login page appears; sign in with your GitHub account. The Teleport console then lists the nodes your role lets you reach: every node for members of the admin team, and only the node named in developer.yaml for developers.
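The role names in the GitHub connector and the roles created in step 4 have to agree exactly (a connector that maps the admin team to sso-user while the role is called sso-users leaves that team without the access it expects). The following shell script is an added example, not code from the original article or from the Teleport project: it checks a connector file against a set of role files before they are applied, using constructed sample files with hypothetical organization, team and node names that mirror the tutorial's, first with the typo and then with the correct name.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or of the Teleport project.
# Before running `tctl create`, check that every role the GitHub connector
# maps a team to is actually defined by one of the role files. Assumes the
# connector uses teams_to_logins/logins (or the newer teams_to_roles/roles)
# with one role per "- " line, as in the tutorial.
set -eu

# Role names referenced by the connector: every "- name" item directly under a
# "logins:" or "roles:" key. An item containing ":" starts a new mapping and
# therefore ends the list.
connector_roles() {
  awk '
    /^[ \t]*(logins|roles):[ \t]*$/ { inlist = 1; next }
    inlist && /^[ \t]*-[ \t]*[^ \t]/ && !/:/ {
      sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t]*#.*$/, ""); print; next
    }
    { inlist = 0 }
  ' "$1" | sort -u
}

# metadata.name of every "kind: role" file passed as an argument.
defined_roles() {
  for f in "$@"; do
    awk '/^kind:[ \t]*role/ { isrole = 1 }
         isrole && /^[ \t]+name:/ { print $2; exit }' "$f"
  done | sort -u
}

# Usage: check_connector_roles connector.yaml role1.yaml [role2.yaml ...]
# Prints each referenced-but-undefined role on its own line; exit 1 if any.
check_connector_roles() {
  connector=$1; shift
  tmp=$(mktemp -d)
  connector_roles "$connector" > "$tmp/referenced"
  defined_roles "$@" > "$tmp/defined"
  missing=$(comm -23 "$tmp/referenced" "$tmp/defined")
  rm -rf "$tmp"
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing"
    return 1
  fi
  return 0
}

# Constructed sample files mirroring the tutorial's connector and roles
# (hypothetical org, team and node names). $1 is the role the admin team is
# mapped to; the roles defined are sso-users and developer.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/github.yaml" <<EOF
kind: github
version: v3
metadata:
  name: github
spec:
  teams_to_logins:
    - organization: example-org
      team: admins
      logins:
        - $1          # admin role
    - organization: example-org
      team: developers
      logins:
        - developer   # restricted role
EOF
  cat > "$dir/sso.yaml" <<'EOF'
kind: role
version: v3
metadata:
  name: sso-users
spec:
  allow:
    logins: [ubuntu]
    node_labels:
      '*': '*'
EOF
  cat > "$dir/developer.yaml" <<'EOF'
kind: role
version: v3
metadata:
  name: developer
spec:
  allow:
    logins: [ubuntu]
    node_labels:
      name: [node-1]
EOF
  if check_connector_roles "$dir/github.yaml" "$dir/sso.yaml" "$dir/developer.yaml"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$dir"
  return $rc
}

# Stand-alone run: the first connector carries the typo, the second is correct.
for admin_role in sso-user sso-users; do
  if demo "$admin_role"; then
    echo "admin team -> $admin_role: all referenced roles are defined"
  else
    echo "admin team -> $admin_role: undefined role(s) listed above, fix before tctl create"
  fi
done
```

In a real deployment you would call check_connector_roles with your own github.yaml and role files right before the three tctl create commands; it exits non-zero and names the offending role, so it drops into a deployment script or CI step unchanged.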