
Jan 25, 2017

SSH into your laptop using their Github handle

Instant SSH Everywhere

Wouldn't it be great to allow a fellow developer to quickly and securely SSH into your laptop when you're in the middle of a debugging session even if you are on two separate networks behind NAT?

A few months ago we released Teleconsole, a free tool we built so we could do exactly that. We are a distributed team, with bare metal servers sitting in our San Francisco office, several AWS and Azure regions and a bunch of customer environments we are sometimes asked to jump into.

Teleconsole makes it really easy to share a session: the inviting party simply types the following into the terminal on any UNIX machine:

$ teleconsole

Which produces something like:

Your Teleconsole ID: 02f8cf345e9f00c1ee498ce410e8a2d10fb8a512
WebUI for this session: https://teleconsole.com/s/02f8cf345e9f00c1ee498ce410e8a2d10fb8a512

Then you can just share the Teleconsole ID to invite someone and they just have to type the following to jump into your session:

$ teleconsole join 02f8cf345e9f00c1ee498ce410e8a2d10fb8a512

This is how we invite each other to any server or laptop. It works behind most firewalls without messing around with VPNs.

Adding SSH Keys

This is great but it also means that anybody with this session ID can now join your session.

This is not a concern for most situations: guessing the ID is pretty hard with 2^320 combinations. But what if someone attacks the channel you've shared the session ID over or it otherwise falls into the wrong hands?!

Well, now you can pass an SSH public key to teleconsole as an argument via the -i flag, and only folks with the corresponding private key will be able to join.

To make it even easier (as suggested by the Teleconsole community), the public key can be specified not only as a file but also as a GitHub handle! So you can do either:

# use the public key stored in a file:
$ teleconsole -i kontsevoy.pub

# or you can use a public key of "kontsevoy" account on Github:
$ teleconsole -i kontsevoy

Either way, Teleconsole will give you a session ID to share that only kontsevoy can use to join, because he has a private SSH key in his ~/.ssh directory which matches his public key:

$ teleconsole -i kontsevoy

Starting local SSH server on localhost...
Requesting a disposable SSH proxy on teleconsole.com for kontsevoy...
Checking status of the SSH tunnel...

Your Teleconsole ID: 8cbec01f330fb52aedff90e43db1c8bea2455cb6
WebUI is not available for key-restricted sessions

Teleconsole makes an API call to GitHub, requests the public key of kontsevoy and configures your session to let in only kontsevoy and nobody else. This way, even if someone steals the session ID, they will not be able to join because they don't have the private part of the key; only kontsevoy has that.

Now kontsevoy can join your terminal session using that Teleconsole ID, just as before:

$ teleconsole join 8cbec01f330fb52aedff90e43db1c8bea2455cb6

Teleconsole: joining session...
Matching key: /Users/ekontsevoy/.ssh/id_rsa
taylorwakefield ~:

It's really that easy...
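
The key restriction described above comes down to an allowlist check on public keys. The following Python example is added here and is not Teleconsole's code: it parses authorized_keys-style lines (assumed to be the form in which a handle's keys arrive), computes the fingerprint the inviter can compare with the one the invitee reports, and admits only a matching key. The key strings and all function names are constructed for illustration.

```python
import base64
import binascii
import hashlib
import struct

# Constructed samples (not real keys): the key list for a handle, with one
# broken entry, and a well-formed key that belongs to somebody else.
HANDLE_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEconstructedkeyforkontsevoyexampleonly00001 laptop
ssh-rsa not-base64!! broken-entry
"""
OTHER_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBconstructedkeyforsomebodyelseexampleonly02 other"


def parse_key(line):
    """Decode one 'type base64 [comment]' line; return the key blob or None.

    Rejects blobs whose embedded algorithm name disagrees with the declared type.
    """
    fields = line.split()
    if len(fields) < 2:
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])  # length of the algorithm name
    if blob[4:4 + n] != fields[0].encode():
        return None
    return blob


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def allowed(allowlist, presented):
    """True only if the presented key equals a well-formed key in the allowlist."""
    key = parse_key(presented)
    valid = [k for k in map(parse_key, allowlist.splitlines()) if k is not None]
    return key is not None and key in valid


if __name__ == "__main__":
    for k in filter(None, map(parse_key, HANDLE_KEYS.splitlines())):
        print("would authorize", fingerprint(k))
    print("outsider admitted:", allowed(HANDLE_KEYS, OTHER_KEY))
```

The invitee can print the same fingerprint format for their own key with ssh-keygen -lf on the public key file, which gives both sides a value to compare before the session ID is shared.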

Thanks to Teleconsole users for this neat idea. Hope you enjoy!

Tech behind Teleconsole

The Teleconsole code is on Github. Feel free to poke around to understand how it works. It appears to be a tiny project, but only because it's standing on the shoulders of giants, namely:

Subscribe to the updates to this blog to receive news related to our SSH tech!
