Teleport
Updated: September 28, 2024
Access plane for securing access to servers, Kubernetes clusters and applications.
It can also replace tools like ssh and scp. Teleport is zero-trust and phishing-proof: access is granted through short-lived certificates rather than passwords or long-lived keys. It is important to know the default ports Teleport uses, and two terms it uses:
- 3023 - Proxy service (SSH proxy)
- 3024 - SSH reverse tunnel
- 3025 - Auth service, tokens
- 3080 - HTTPS (web UI), establishing trust
- teleport user - how Teleport internally refers to you
- login - the OS username Teleport uses to access a resource (ec2-user, ubuntu, root)
Flush the Teleport cache (usually when there is a certificate error):
- rm -rf /var/lib/teleport/
Note that this is the data_dir from the config templates below, so it also deletes the host's identity; the node rejoins with its auth_token on the next start, so that token must still be valid.
Install
It is best to install from Teleport's own downloads, since Teleport is not packaged by the distribution package managers.
Config
Set up tsh aliases (and the environment variables in the next section) so that the full tsh login command does not have to be typed out every time.
- System-wide config file: /etc/tsh.yaml
- User config file: ~/.tsh/config/config.yaml
aliases:
  "local": "$TSH login --user=megacron --proxy=teleport.macmini:3080"
  "cloud": "$TSH login --proxy=webby.mcwebster.sh:443"
($TSH expands to the running tsh binary.) Then chain the alias with the session variables in the shell config, ~/.zsh/aliases.zsh:
alias tst='tsh local && eval $(tsh env)'
Variables
Some environment variables shorten the Teleport commands. Each long form below is followed by the variables that let tsh fill in the same values, and the short form that results (=>).
tsh login --proxy=tele.example.com --user=megacron --cluster=two
export TELEPORT_PROXY=tele.example.com
export TELEPORT_USER=megacron
export TELEPORT_CLUSTER=two   # leaf cluster connected to the bastion
=> tsh login
export TELEPORT_AUTH=local   # useful for local logins when SSO is the default
tsh ssh root@elpis   # or
tsh ssh -l root elpis
export TELEPORT_LOGIN=root
=> tsh ssh elpis
tsh env          # prints the export lines for the current session
eval $(tsh env)  # applies them to the current shell
export KUBECONFIG=~/teleport-kubeconfig.yaml   # keep contexts separate and tidy
tsh kube login my-eks-cluster
kubectl get nodes
helm list -A
Ansible
- Teleport works as an SSH jump host for Ansible
Templates
tctl nodes add   # run on the auth server; prints an invitation token and the join information
/etc/teleport.yaml on Bastion
teleport:
  nodename: <your-fqdn>
  data_dir: /var/lib/teleport
  auth_token: <your-auth-token>
  auth_servers:
    - 127.0.0.1:3025
  log:
    output: stderr
    severity: INFO
  ca_pin: <sha256:ca-pin-hash-goes-here>
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  public_addr: <your-fqdn>:3025
  tokens:
    - proxy,node:<token>
  license_file: /path/to/license-if-using-teleport-enterprise.pem
ssh_service:
  enabled: "yes"
  labels:
    db_role: master
    db_type: postgres
  commands:
    - name: hostname
      command: [/usr/bin/hostname]
      period: 1m0s
    - name: arch
      command: [/usr/bin/uname, -p]
      period: 1h0m0s
proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  public_addr: <your-fqdn>       # fqdn without port number
  ssh_public_addr: <your-fqdn>   # fqdn without port number
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
/etc/teleport.yaml on Nodes
teleport:
  nodename: <node name>
  data_dir: /var/lib/teleport
  auth_token: <your-auth-token>
  auth_servers:
    - <your-fqdn>:3025
  log:
    output: stderr
    severity: INFO
  ca_pin: <your-ca-pin-hash>
auth_service:
  enabled: "no"
ssh_service:
  enabled: "yes"
proxy_service:
  enabled: "no"