
Locking support was introduced in Teleport v7.1. To fully enforce the locks
at all components, you should update all teleport
binaries in your
deployment.
System administrators can disable a compromised user or node—or prevent access during cluster maintenance—by placing a lock on a session, user or host identity.
Teleport will reject new API requests and terminate active connections to SSH, database, desktop, and Kubernetes sessions matching the lock's target.
A lock can target the following objects or attributes:
- a Teleport user by the user's name
- a Teleport RBAC role by the role's name
- a Teleport trusted device by the device ID
- an MFA device by the device's UUID
- an OS/UNIX login
- a Teleport Node by the Node's UUID (effectively unregistering it from the cluster)
- a Windows desktop by the desktop's name
- an Access Request by UUID
Prerequisites
-
A running Teleport cluster. For details on how to set this up, see one of our Getting Started guides.
-
The
tctl
admin tool andtsh
client tool version >= 12.1.1.tctl versionTeleport v12.1.1 go1.19
tsh versionTeleport v12.1.1 go1.19
See Installation for details.
-
A running Teleport cluster. For details on how to set this up, see our Enterprise Getting Started guide.
-
The Enterprise
tctl
admin tool andtsh
client tool version >= 12.1.1, which you can download by visiting the customer portal.tctl versionTeleport Enterprise v12.1.1 go1.19
tsh versionTeleport v12.1.1 go1.19
Please use the latest version of Teleport Enterprise documentation.
To connect to Teleport, log in to your cluster using tsh
, then use tctl
remotely:
tsh login --proxy=teleport.example.com [email protected]tctl statusCluster teleport.example.com
Version 12.1.1
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
You can run subsequent tctl
commands in this guide on your local machine.
For full privileges, you can also run tctl
commands on your Auth Service host.
To connect to Teleport, log in to your cluster using tsh
, then use tctl
remotely:
tsh login --proxy=myinstance.teleport.sh [email protected]tctl statusCluster myinstance.teleport.sh
Version 12.1.1
CA pin sha256:sha-hash-here
You must run subsequent tctl
commands in this guide on your local machine.
Step 1/2. Create a lock
You can create a new lock with the tctl lock
command. Specify the lock target
with one of the following options:
tctl lock [email protected] --message="Suspicious activity." --ttl=10hCreated a lock with name "dc7cee9d-fe5e-4534-a90d-db770f0234a1".
All users with assigned roles matching the target role will be locked.
tctl lock --role=contractor --message="All contractor access is disabled for 10h." --ttl=10hCreated a lock with name "dc7cee9d-fe5e-4534-a90d-db770f0234a1".
All connections initiated from a device matching the device ID will be locked.
tctl lock --device 9cdfc0ad-64b7-4d9c-9342-50e97f418ba0 --message="Compromised device" --ttl=48hCreated a lock with name "5444970a-39a0-4814-968d-e58b4a8fa686".
All connections initiated with per-session MFA matching the device ID will be locked.
tctl lock --mfa-device=d6c06a18-e147-4232-9dfe-6f83a28d5850 --message="All contractor access is disabled for 10h." --ttl=10hCreated a lock with name "d6c06a18-e147-4232-9dfe-6f83a28d5850".
All connections to the specified node will be locked.
tctl lock --node=363256df-f78a-4d99-803c-bae19da9ede4 --message="The node is under investigation." --ttl=10hCreated a lock with name "dc7cee9d-fe5e-4534-a90d-db770f0234a1".
All connections to the specified Windows Desktop will be locked.
tctl lock --windows-desktop=WIN-FMPFM5UF1SS-teleport-example-com --ttl=10hCreated a lock with name "dc7cee9d-fe5e-4534-a90d-db770f0234a1".
All connections using elevated privileges from the matching Access Request will be locked.
tctl lock --access-request=261e80c5-357b-4c43-9b67-40a6bc4c6e4d --ttl=24hCreated a lock with name "dc7cee9d-fe5e-4534-a90d-db770f0234a1".
If your user is missing a lock permission, you will get an error when creating a lock:
ERROR: access denied to perform action "create" on "lock"
Create a role locksmith
:
kind: role
version: v5
metadata:
name: locksmith
spec:
allow:
rules:
- resources: [lock]
verbs: [list, create, read, update, delete]
tctl create -f locksmith.yamlrole 'locksmith' has been created
Assign the locksmith
role to your Teleport user by running the following
commands, depending on whether you authenticate as a local Teleport user or via
the github
, saml
, or oidc
authentication connectors:
Retrieve your local user's configuration resource:
tctl get users/$(tsh status -f json | jq -r '.active.username') > out.yaml
Edit out.yaml
, adding locksmith
to the list of existing roles:
roles:
- access
- auditor
- editor
+ - locksmith
Apply your changes:
tctl create -f out.yaml
Retrieve your github
configuration resource:
tctl get github/github --with-secrets > github.yaml
Edit github.yaml
, adding locksmith
to the
teams_to_roles
section. The team you will map to this role will depend on how
you have designed your organization's RBAC, but it should be the smallest team
possible within your organization. This team must also include your user.
Here is an example:
teams_to_roles:
- organization: octocats
team: admins
roles:
- access
+ - locksmith
Apply your changes:
tctl create -f github.yaml
Retrieve your saml
configuration resource:
tctl get saml/mysaml --with-secrets > saml.yaml
Edit saml.yaml
, adding locksmith
to the
attributes_to_roles
section. The attribute you will map to this role will
depend on how you have designed your organization's RBAC, but it should be the
smallest group possible within your organization. This group must also include
your user.
Here is an example:
attributes_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - locksmith
Apply your changes:
tctl create -f saml.yaml
Retrieve your oidc
configuration resource:
tctl get oidc/myoidc --with-secrets > oidc.yaml
Edit oidc.yaml
, adding locksmith
to the
claims_to_roles
section. The claim you will map to this role will depend on
how you have designed your organization's RBAC, but it should be the smallest
group possible within your organization. This group must also include your
user.
Here is an example:
claims_to_roles:
- name: "groups"
value: "my-group"
roles:
- access
+ - locksmith
Apply your changes:
tctl create -f saml.yaml
Log out of your Teleport cluster and log in again to assume the new role.
With a lock in force, all established connections involving the lock's target get terminated while any new requests are rejected.
Errors returned and warnings logged in this situation feature a message of the form:
lock targeting User:"[email protected]" is in force: Suspicious activity.
You can tweak the message returned to a user with --message
parameter:
tctl lock [email protected] --message="Please come back tomorrow." --ttl=24h
Note that without specifying --ttl
or --expires
, the created lock remains in
force until explicitly removed with tctl rm
. Refer to tctl lock --help
for
the list of all supported parameters.
Under the hood, tctl lock
creates a resource:
kind: lock
version: v2
metadata:
name: dc7cee9d-fe5e-4534-a90d-db770f0234a1
spec:
target:
user: [email protected]
message: "Suspicious activity."
expires: "2021-08-14T22:27:00Z" # RFC3339 format
The kind: lock
resources can also be created and updated using tctl create
as per usual. See the Admin Guide for more
details.
Step 2/2. List and delete active locks
Use tctl get
command to list all active locks:
tctl get locks
Delete a lock resource:
tctl rm locks/24679348-baff-4987-a2cd-e820ab7f9d2block "24679348-baff-4987-a2cd-e820ab7f9d2b" has been deleted
Deleting a lock will allow new sessions or host connections.
Next steps: Locking modes
If a Teleport Node or Proxy Service cannot properly synchronize its local lock view with the backend, there is a decision to be made about whether to rely on the last known locks. This decision strategy is encoded as one of the two modes:
strict
mode causes all interactions to be terminated when the locks are not guaranteed to be up to datebest_effort
mode keeps relying on the most recent locks
The cluster-wide mode defaults to best_effort
. You can set up the default
locking mode via API or CLI using a cluster_auth_preference
resource or static
configuration file:
Create a YAML file called cap.yaml
or get the existing file using
tctl get cap
.
kind: cluster_auth_preference
metadata:
name: cluster-auth-preference
spec:
locking_mode: best_effort
version: v2
Create a resource:
tctl create -f cap.yamlcluster auth preference has been updated
Edit /etc/teleport.yaml
on the Auth Server:
auth_service:
authentication:
locking_mode: best_effort
Restart the Auth Server for the change to take effect.
It is also possible to configure the locking mode for a particular role:
kind: role
version: v5
metadata:
name: example-role-with-strict-locking
spec:
options:
lock: strict
When none of the roles involved in an interaction specify the mode or when there is no user involved, the mode is taken from the cluster-wide setting.
With multiple potentially conflicting locking modes (the cluster-wide default
and the individual per-role settings) a single occurrence of strict
suffices
for the local lock view to become evaluated strictly.