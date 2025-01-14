Machine ID with Server Access
Teleport protects and controls SSH access to servers. Machine ID can be used to grant machines secure, short-lived access to these servers.
In this guide, you will configure
tbot to produce credentials that can be
used to access a Linux server enrolled in Teleport. The guide
will cover access using the Teleport CLI
tsh as well as the OpenSSH client.
Prerequisites
-
A running Teleport cluster version 17.3.3 or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
-
The
tctladmin tool and
tshclient tool.
Visit Installation for instructions on downloading
tctland
tsh.
- If you have not already connected your server to Teleport, follow the getting started guide.
- To check that you can connect to your Teleport cluster, sign in with
tsh login, then verify that you can run
tctlcommands using your current credentials. For example:If you can connect to the cluster and run thetsh login --proxy=teleport.example.com --user=[email protected]tctl status
Cluster teleport.example.com
Version 17.3.3
CA pin sha256:abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678abdc1245efgh5678
tctl statuscommand, you can use your current credentials to run subsequent
tctlcommands from your workstation. If you host your own Teleport cluster, you can also run
tctlcommands on the computer that hosts the Teleport Auth Service for full permissions.
tbotmust already be installed and configured on the machine that will connect to Linux hosts with SSH. For more information, see the deployment guides.
Step 1/3. Configure RBAC
First, Teleport must be configured to allow the credentials produced by the bot
to connect to SSH servers in your infrastructure. In this example, access will
be granted to all SSH nodes for the username
root. This is done by creating a
role that grants the necessary permissions and then assigning this role to a
Bot.
Create a file called
role.yaml with the following content:
kind: role
version: v6
metadata:
name: example-role
spec:
allow:
# Allow login to the Linux user 'root'.
logins: ['root']
# Allow connection to any node. Adjust these labels to match only nodes
# that ansible needs to access.
node_labels:
'*': '*'
Replace
example-role with a descriptive name related to your use case.
You may also wish to adjust this to grant access to a user other than
root
depending on what commands will need to be executed with the credentials.
For production use, you should adjust
node_labels to restrict this access to
only the hosts that the bot will need to access. This is known as the principle
of least privilege and limits the damage that exfiltrated credentials can do.
Use
tctl create -f ./role.yaml to create the role.
You can also create and edit roles using the Web UI. Go to Access -> Roles and click Create New Role or pick an existing role to edit.
Now, use
tctl bots update to add the role to the Bot. Replace
example
with the name of the Bot you created in the deployment guide and
example-role
with the name of the role you just created:
tctl bots update example --add-roles example-role
Step 2/3. Configure the
tbot output
Now,
tbot needs to be configured with an output that will produce an
SSH certificate and OpenSSH configuration. For this we use the
identity output
type.
Outputs must be configured with a destination. In this example, the
directory
destination will be used. This will write these credentials to a specified
directory on disk. Ensure that this directory can be written to by the Linux
user that
tbot runs as, and that it can be read by the Linux user that needs
to use SSH.
Modify your
tbot configuration to add an
identity output:
outputs:
- type: identity
destination:
type: directory
# For this guide, /opt/machine-id is used as the destination directory.
# You may wish to customize this. Multiple outputs cannot share the same
# destination.
path: /opt/machine-id
If operating
tbot as a background service, restart it. If running
tbot in
one-shot mode, it must be executed before you attempt to use the credentials
produced by
tbot to connect to nodes via SSH.
Step 3/3. Using the output credentials
Once
tbot has been run or restarted, you should now see several files under
/opt/machine-id:
identity: this is a bundle of credentials that can be used by
tshto authenticate.
ssh_config: this can be used with OpenSSH and other tools to configure them to use the Teleport Proxy Service with the correct credentials when making connections.
known_hosts: this contains the Teleport SSH host CAs and allows the SSH client to validate a host's certificate.
key-cert.pub: this is an SSH certificate signed by the Teleport SSH user CA.
key: this is the private key needed to use the SSH certificate.
These credentials can be used with Teleport's CLI
tsh or with OpenSSH client
tools like
ssh and
sftp.
Connecting using
tsh
To use
tsh with a
tbot identity output, the path to the
identity file
must be specified using the
-i flag. In addition,
--proxy must be used to
specify the address of the Teleport Proxy Service that should be used when making
connections.
In this example,
tsh is used to connect to a node called
my-host via the
proxy
example.teleport.sh:443 and to execute the command
hostname:
tsh -i /opt/machine-id/identity --proxy example.teleport.sh:443 ssh root@my-host hostnamemy-host
Connecting using OpenSSH
To use OpenSSH with the identity output, the path to the
ssh_config should be
provided to
ssh with the
-F flag.
With the generated
ssh_config you must append the name of the Teleport cluster
to the name of the node - in this example, the command
hostname is
executed as
root on the node
my-host belonging to the cluster
example.teleport.sh.
The
ssh_config for OpenSSH requires that
tsh is installed. This is
necessary as
tsh is used to make the OpenSSH client compatible with
Teleport's port multiplexing.
Connecting using other tools
To integrate with other SSH tools, first determine whether the
ssh_config
is compatible with them. This is the case for many tools such as Ansible and the
guidance provided under "Connecting using OpenSSH" should be sufficient.
If you wish to integrate with Ansible, check out the Ansible-specific guide.
If your tool is not compatible with
ssh_config, it may still be possible to
configure it to use the credentials produced by Machine ID. It must support
SSH client certificates and either ProxyCommand or ProxyJump functionality.
Next steps
- Read the configuration reference to explore all the available configuration options.