FedRAMP Compliance for Infrastructure Access
- Available for:
Teleport provides the foundation to meet FedRAMP requirements for the purposes of accessing infrastructure.
This includes support for the Federal Information Processing Standard FIPS 140-2.
This standard is the US government approved standard for cryptographic modules. This document explains how
Teleport FIPS mode works and how it can help your company to become FedRAMP authorized.
Teleport includes FedRAMP and FIPS 140-2 features to support companies that sell into government agencies.
|AC-02 Account Management
|Audit events are emitted in the Auth Service when a user is created, updated, deleted, locked, or unlocked.
|AC-03 Access Enforcement
|Teleport Enterprise supports robust Role-based Access Controls (RBAC) to:
• Control which SSH nodes a user can or cannot access.
• Control cluster level configuration (session recording, configuration, etc.)
• Control which UNIX logins a user is allowed to use when logging into a server.
|AC-10 Concurrent Session Control
|Teleport administrators can define concurrent session limits using Teleport’s RBAC.
|AC-12 Session Termination
|Admins can terminate active sessions with session locking. Teleport terminates sessions on expiry or inactivity.
|AC-17 Remote Access
|Teleport administrators create users with configurable roles that can be used to allow or deny access to system resources.
|AC-20 Use of External Information Systems
|Teleport supports connecting multiple independent clusters using a feature called Trusted Clusters. When allowing access from one cluster to another, roles are mapped according to a pre-defined relationship of the scope of access.
|AU-03 Audit and Accountability – Content of Audit Records and AU-12 Audit Generation
|Teleport contains an Audit Log that records cluster-wide events such as:
• Failed login attempts.
• Commands that were executed (SSH “exec” commands).
• Ports that were forwarded.
• File transfers that were initiated.
|Teleport audit logging supports both events as well as audit of an entire SSH session. For non-repudiation purposes, a full session can be replayed back and viewed.
|CM-08 Information System Component Inventory
|Teleport maintains a live list of all nodes within a cluster. This node list can be queried by users (who see a subset they have access to) and administrators any time.
|IA-03 Device Identification and Authentication
|Teleport requires valid x509 or SSH certificates issued by a Teleport Certificate Authority (CA) to establish a network connection for device-to-device network connection between Teleport components.
|SC-12 Cryptographic Key Establish and Management
|Teleport initializes cryptographic keys that act as a Certificate Authority (CA) to further issue x509 and SSH certificates. SSH and x509 user certificates that are issued are signed by the CA and are (by default) short-lived. SSH host certificates are also signed by the CA and rotated automatically (a manual force rotation can also be performed).
Teleport Enterprise builds against a FIPS 140-2 compliant library (BoringCrypto) is available.
In addition, when Teleport Enterprise is in FedRAMP/FIPS 140-2 mode, Teleport will only start and use FIPS 140-2 compliant cryptography.
Teleport Enterprise customers can download the custom FIPS package from their
Teleport account. Look for
Linux 64-bit (FedRAMP/FIPS).
You also can follow the Installation instructions for Teleport Enterprise edition to download and install the appropriate FIPS-compliant binaries for your operating environment and package manager or from compressed archive (tarball).
For example, you can download and install from the compressed archive by running the following commands:
curl https://cdn.teleport.dev/teleport-ent-15.1.1-linux-$SYSTEM_ARCH-fips-bin.tar.gz.sha256<checksum> <filename>curl -O https://cdn.teleport.dev/teleport-ent-15.1.1-linux-$SYSTEM_ARCH-fips-bin.tar.gz
Verify that the checksums matchshasum -a 256 teleport-ent-15.1.1-linux-$SYSTEM_ARCH-fips-bin.tar.gztar -xvf teleport-ent-15.1.1-linux-$SYSTEM_ARCH-fips-bin.tar.gzcd teleport-entsudo ./install
After you download and install, all of the Teleport Enterprise binaries are
installed in the
/usr/local/bin directory. You can verify you have FIPS-compliant
binaries installed by running the
teleport version command and verifying that
X:boringcrypto library is listed. For example:
teleport versionTeleport Enterprise 15.1.1 api/14.0.0-gd1e081e 1.21 X:boringcrypto
If your Teleport cluster runs on AWS, the cluster can run in US-East or US-West regions for services with low or moderate impact levels. For services with a high impact level, the cluster must run in a GovCloud region to support FIPS.
Save the following configuration file as
/etc/teleport.yaml on the Teleport Auth
# Pre-defined tokens for adding new nodes to a cluster. Each token specifies
# the role a new node will be allowed to assume. The more secure way to
# add nodes is to use `ttl node add --ttl` command to generate auto-expiring
# We recommend to use tools like `pwgen` to generate sufficiently random
# tokens of 32+ byte length.
# you can also use auth server's IP, i.e. "10.1.1.10:3025"
# enable the auth service:
# this static token is used for other nodes to join this Teleport cluster
# this token is used to establish trust with other Teleport clusters
# To Support FIPS local_auth needs to be turned off and a SSO connector is
# required to log into Teleport.
# local_auth needs to be set to false in FIPS mode.
# If using Proxy Mode, Teleport requires host key checks.
# This setting needs is required to start in Teleport in FIPS mode
# SSH is also enabled on this node:
Save the following configuration file as
/etc/teleport.yaml on the Node
# Specify either the Proxy Service address...
# or the Auth Service address
# Enable the SSH Service and disable the Auth and Proxy Services:
systemd service unit file from the examples directory
on GitHub and save it as
/etc/systemd/system/teleport.service on both servers.
run this on both servers:sudo systemctl daemon-reloadsudo systemctl enable teleport
teleport start --fips, Teleport will start in FIPS mode.
- If the
--fipsflag is selected, Teleport will fail to start unless the binaries are compiled with the appropriate cryptographic module (BoringCrypto).
- If no TLS or SSH cryptographic primitives are specified, Teleport will default to FIPS-compliant cryptographic algorithms.
- If TLS or SSH cryptographic primitives are not FIPS 140-2 compliant, Teleport will fail to start.
- Teleport will always enable at-rest encryption for both DynamoDB and S3.
- If recording proxy mode is selected, validation of host certificates should always happen.
- Running commands like
ps auxcan be useful to note that Teleport is running in FIPS mode.
Set the following values in your cluster-values.yaml configuration:
As of Teleport version 15, versionOverride and extraArgs no longer need to be set in the values file to enable FIPS mode.
In FIPS mode, Teleport will use the following cryptographic algorithms by default.
Default FIPS ciphers for SSH:
Default FIPS Key Exchange Algorithms (KEX) for SSH:
Default FIPS Message Authentication Codes (MAC) for SSH:
Default FIPS Public Key Authentication Algorithms for SSH:
Default FIPS cipher suites for TLS 1.2:
Default FIPS cipher suites for TLS 1.3:
At the close of a connection (close of a *srv.ServerContext), the total data transmitted and received is emitted to the Audit Log.
- TLS protocol version is restricted to TLS 1.2 and TLS 1.3.
- All uses of non-compliant algorithms such as NaCl are removed and replaced with compliant algorithms such as AES-GCM.
- Teleport is compiled with BoringCrypto.
- User, host, and CA certificates (and host keys for recording proxy mode) only use 2048-bit RSA private keys.