Fork me on GitHub
Teleport

Setup U2F for Teleport Cloud

This guide will walk you through setting up second factor authentication for local accounts.

Step 1/3. Install client libraries

Install client libraries:

curl -O https://get.gravitational.com/teleport-ent-v7.1.3-linux-amd64-bin.tar.gz

verify signature

echo "$(curl https://get.gravitational.com/teleport-ent-v7.1.3-linux-amd64-bin.tar.gz.sha256)" | sha256sum --check
tar -xzf teleport-ent-v7.1.3-linux-amd64-bin.tar.gz
cd teleport-ent
sudo ./install

Login with a teleport user with editor privileges:

tsh logs you in and receives short-lived certificates

tsh login --proxy=myinstance.teleport.sh [email protected]

try out the connection

tctl get nodes

Step 2/3. Configure auth

Create a YAML file cap.yaml:

Replace example.teleport.sh with the name of your Teleport cloud cluster:

kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  # on will support both TOTP and U2F. You can set it just to 'u2f' to enforce U2F only second factor.
  second_factor: 'on'
  type: local
  u2f:
    app_id: 'https://example.teleport.sh'
    facets:
    - 'https://example.teleport.sh:443'
    - 'https://example.teleport.sh'
    - 'example.teleport.sh'
version: v2

Create a resource:

tctl create -f cap.yaml

Step 3/3. Add U2F device

Try out the U2F integration using CLI:

tsh mfa ls

MFA device name Type Added at Last used

---------------- ---- ------------------------------- -------------------------------

android OTP OTP Tue 08 Dec 2020 01:29:42 PM PST Tue 15 Dec 2020 01:29:42 PM PST

yubikey U2F Wed 09 Dec 2020 02:00:13 PM PST Wed 16 Dec 2020 02:00:13 PM PST

Add U2F device:

tsh mfa add

Adding a new MFA device.

Choose device type (1 - OTP, 2 - U2F): 2

Enter device name: solokey

Tap any *registered* security key or enter an OTP code: <tap>

Tap your *new* security key... <tap>

MFA device "solokey" added.

You can now login with Web UI or CLI using U2F.

Have a suggestion or can’t find something?
IMPROVE THE DOCS