Certificate-based authentication is the most secure form of authentication, but historically, it has been the most complicated to manage. You have to run a Certificate Authority (CA) and distribute server and client certificates which impedes its adoption at scale. One of our design goals for Teleport has been to securely automate CA and certificate issuance, making certificate-based authentication easy.
Teleport supports all the necessary certificate management operations to enable certificate-based authentication. Teleport operates two internal Certificate Authorities (CA) as a function of the Teleport Auth Service. One is used to sign User certificates, and the other signs Node certificates. Each certificate is used to prove identity, cluster membership, and manage access.
By default, all user certificates have an expiration date, also known as the time to live (TTL). This TTL can be configured by a Teleport administrator. However, the node certificates issued by the Teleport Auth Service are valid indefinitely by default. Teleport supports certificate rotation, i.e. the process of invalidating all previously-issued certificates for nodes and users regardless of their TTL.
Authentication Flow for SSH
What is Login?
When we talk about "logging into" a Teleport cluster, this means receiving a freshly issued certificate from a Certificate Authority (CA), such as from the Teleport Auth Service.
Teleport comes with its own
ssh client -
tsh. When a user types
ssh host command,
Teleport will check if a user has a valid SSH certificate in the
~/.tsh directory or loaded into an
ssh-agent. If no certificate is found, it will trigger the login sequence.
A user can force the login sequence by executing:
$ tsh login --proxy=teleport.example.com
This command takes the Teleport Proxy Service’s address as an argument.
The diagram below illustrates the login sequence. Teleport authentication uses SAML 2.0/OIDC Connect/OAuth2 family of protocols, depending on the identity store. In this example the identity store is GitHub:
- The client requests a certificate via
tsh login. This command launches a web browser on a client’s machine and directs it to a Teleport Proxy Service.
- The Teleport Proxy Service redirects the user to GitHub’s login page, using GitHub’s 2FA.
- Upon successful GitHub authentication, the browser is redirected back to the proxy, which forwards user identity to the Teleport Auth Service.
- The Teleport Auth Service issues a certificate with a configured time to live (TTL) and it is returned to the client.
Upon successful authentication, an SSH certificate will be stored in the user's
~/.tsh/keys directory and loaded into an
ssh-agent, if there is one running. If Kubernetes support is enabled, an x509 certificate for Kubernetes will be stored there as well, and
~/.kube/config will be updated with it.
The Teleport client stores the Teleport Proxy Service URL in
~/.tsh/profile. The user does not need to use the
--proxy flag again. They can edit the profile file when connecting to multiple Teleport clusters.
Authentication for Services
What is tctl?
tctl stands for Teleport Control and it is another command-line utility
Teleport administrators use to manage a Teleport cluster.
SAML, OAuth2, and web browsers are great for interactive authentication for humans.
If authentication is needed for legacy automation similar to Jenkins, which relies on SSH credentials, a Teleport administrator can issue a certificate via:
$ tctl auth sign -o jenkins.cert
It is recommended that such certificates be stored in secure storage.
Connecting to Nodes
When a user is authenticated, they can establish SSH and Kubernetes connections to a cluster:
# using SSH $ tsh ssh hostname # using K8s $ kubectl get pods
The Teleport client is called
tsh, but you can rename it
ssh, and this enables full command-line compatibility with OpenSSH client.
The diagram below shows how a connection is established:
- The client dials to the Teleport Proxy Service specified in
~/.tsh/profilefile and relays to it the hostname of the destination hostname.
- Teleport Proxy Service does not perform any decryption or authentication*, it simply performs a name resolution for the given hostname and tries to relay the SSH connection to it. The user connection is shown in green.
- The destination host validates the user's certificate and begins logging user actions to the Teleport Auth Service using its audit connection. The connection between a host and the Teleport Auth Service is also authenticated via the host's certificate and encrypted. The audit connection is shown in red.
- If the destination host is a remote host, such as an IoT node (self-driving vehicle or a smart device) the connection is established using the reverse tunnel that remote nodes always maintain.
* By default, connections are encrypted end to end, but Teleport also supports the recording proxy legacy mode if the audit is required for legacy
sshd daemons. In this mode, the proxy decrypts the connection and sends the audit information to the Teleport Auth Service.
Unlike traditional OpenSSH-based workflows, Teleport allows users to log out. “Logging out” means erasing previously obtained certificates from a client machine.
$ tsh logout
Easy to get started
Teleport is easy to deploy and use. We believe that simplicity and good user experience are key to first-class security.
- The tsh client allows users to login to retrieve short-lived certificates.
- The teleport agent can be installed on any server, database, application and Kubernetes cluster with a single command.
# on a client$ tsh login --proxy=example.com
# on a server$ apt install teleport
# in a Kubernetes cluster$ helm install