Teleport Server Access

Overview

Server Access often involves managing your resources, configuring new clusters, and issuing commands through a CLI or programmatically to an API. This video covers:

• Prerequisites & Linux Host Setup
• Linux host setup
• Installing Teleport
• Teleport configure
• Adding a node to the cluster
• Creating Initial tele-admin user
• Accessing Teleport using the terminal
• tsh ssh setup

Learn more.

Teleport Server Access - Intro and Getting Started

Ben: Hi, I'm Ben at Teleport, and today I'll be walking you through Teleport Server Access. Teleport Server Access is a tool for consolidating SSH access across all environments, decreasing configuration complexity, and supporting the industry best practices, while we have an overview over here of things we do such as second factor. But today, I'll be walking you through our Getting Started guide. For this Getting Started guide, we're going to set up a Teleport cluster. And we're going to connect a node to it, connect a SSH into it. And we're going to review all of the nodes connected using Teleport features. So for this setup, we're going to set up using the Bastion pattern, and we're only going to connect one host. So we'll have Teleport, which will be our bastion host, connecting to a protected resource. We're going to also configure the firewall, and we're going to be connecting using the web UI and the CLI. So to get started, we're going to need two Linux hosts. I'm going to be using Debian. I'm going to use a domain name. And when you get a second factor app, I have Google Authenticator. And also, I have Teleport installed locally on my machine. For this setup, I'm on Linux, but you can follow it for Windows, and Windows only supports tsh.exe. And Mac, you can use Teleport and tctl.

Prerequisites & Linux host setup

Ben: So to get started, let's create an instance. So I'm going to create a new instance, I'm just using the smallest instance here. Since this is a demo environment, you can run Teleport on a Raspberry Pi. When you think about scaling at larger sizes, it will depend upon how many nodes you have connected and how many users are connecting to it. I'm just adding it to my default VPC. Storage — I'm adding 8 GB. You'd want to change your storage size based upon how many users connecting, and how many [inaudible] events will be created. And I skip tags. The next step, we're going to configure the security group. This would depend upon your cloud provider, what this is called. But in the world of AWS, your security group is sort of the initial firewall accessing those hosts. So a few here, you can see we already have Port 22, which is the device SSH port, we're going to also add a rule for https, and that's 443. We're going to add Port 3024, which is a proxy SSH used for the reverse associations. And we're going to add Port 3023, which is the proxy service. And this is the port that SSH clients locally will connect to. And let's give this name, teleport-demo-ports. Oh, and it's going to make this available from anywhere for their setup. Going to launch it. I already have a key here. And we'll check the status. So let's see what's next on our list. So in the documentation here, we see an A record. But since I'm using the IPv4 DNS, and this is going to be a CNAME. And I'm going to set this to be teleport-demo-ssh.

Linux host setup

Ben: Now, the thing I need to do here, I'm going to add a wild card. This won't be used in this setup, since we're just focusing on server access. But if I want to add applications later, this would be used. Oh, select CNAME. Okay, let's get back. So we need to create the second resource. Let's open a new tab and create a new instance. And this is going to be the node that we're going to connect Teleport. So let's launch this instance. In my case, we're just going to use AWS Micro. Security group, we're just choosing Port 22 since we're going to just SSH into it, and we're going to launch it. Okay, so next up we're going to install Teleport on each instance. I'm going to install the Debian package on my Debian host. Let's see if it's completed. Yep. Looks like we can connect to it. So I'm using the instructions available from AWS this will change based upon your cloud provider. Okay, so let's add the Debian repo. So we're going to first get the public key. We're going to add the repo to run the apt-get update. And then last, we're going to install Teleport.

Installing Teleport

Ben: So now we have Teleport version 6.2. So let's do the same to the other host. So we are up and running. So this is the second host that we've added. Just add a note.

Ben: We just update, and you can see that we have different instructions based upon a sort of RHEL operating system which AWS Linux is. Wait for this to finish updating. Okay. And now we install [inaudible] Teleport. Okay, we're going to install it. And you can see, we have Teleport 6.2 installed. So let's go on to next steps.

Teleport configure

Ben: So next up, we're going to configure Teleport on the bastion host, this host here. And we're going to first acquire the X.509 certificate, which is going to secure the secure endpoint. And here we have the commands that we need. We're going to run Teleport configure. Then we just put this into a scratchpad. Okay, so we're going to change this to my email address. And domain name that we picked is teleport-demo-ssh.asteroid.earth. Okay, so we have the config written — we can now start the service [inaudible]. And you can see that we have initial config here. Over there, everything kind of ready to get started.

Ben: So let's go back here. And our next instructions to get us started. Get started, us using teleport start. And you can see it's running the initial setup and creating certificates. So we're going to hit this endpoint, check that it's running.

Ben: I’m typing https — okay, so you can see now we have signed in to Teleport on a URL that we've set up. But we need to set up the user. And I think we're going to do that afterwards. For the user, we're going to create other node. So here we're going to actually stop this service.

Adding a node to the cluster

Ben: I'm going to start it using systemd. So you can see it's loaded, but it's inactive. So let's enable it. And then systemd will just run Teleport in the background. You can sort of easily reload configs, and if there's a restart it would automatically start on its host. So we come back here. You see, still running. Okay, next up, we're going to add a node to our cluster. Let's copy this command and maybe throw it in the terminal. So you can see here we're using this new tool called tctl, which is a management tool for adding users, moving users adding tokens. We’re adding --type=node, if you have a different — you can also combine these. Let's say you can have a node and application, Kubernetes, in one token type. And we're going to write this out to a token file. So you can see now I have this token file. And this is the token we're going to use.

Ben: We're using this token file as a best practice, and so as to minimize the direct sharing of tokens, even when they're dynamically generated. And so then you can use this in the secure secret — extra and have it in a sort of a secure place that when you start Teleport on the next host, this token isn't shared more widely. So let's go to my other host, and we're going to connect it. So my second host, we're going to take these instructions, when it's going to change a few things here. So using Teleport start again, we're going to start at only in the node format, which is used for SSH connecting to the token file that we've created. And this Auth Server, we're going to change this. This is going to be our proxy. And it's also important to keep the Port 443. Oh, another thing we need changed is the AWS host. Just going to change the location of Teleport. Failed to join using the token. So this is likely the token file is in the wrong places. Because I don't have my other hosts connected to Teleport. Let's see what's next on the list.

Creating Initial tele-admin user

Ben: Next thing we need to create the local user. And then to do this, we're doing this on the Teleport bastion host. And we're using tctl again. We're going add a user called tele-admin, editor, and access. And then these logins are principals. So his root, ubuntu, and ec2 user. And this link is available for an hour.

Ben: You can manually create this user. And then I'm using my telephone as a second factor. Okay, and now I've created the account. See, there's two hosts here. This one is host that we're currently on, which is the bastion, and then this is the one that we've connected. You see tunnel because it went directly over the proxy address. And you can see that we've added editor here and access because according to the Principle of Least Privilege — the third one would be auditor, which are inbuilt polls that we have. And this is some good role templates that you can get started with.

Accessing Teleport using the terminal

Ben: So next up, we're going to create a new terminal window. And then for this one, I'm on my local host, which is pop-os. So for this, we're going to login. And we're just going to change this to the URL of my proxy and use a tele-admin. And he's going to ask me for the password I just set up. And then the second factor token. And you can see now I'm logged in. I have the two roles. These are my principals. And by default, I have a certificate for 12 hours. What's that means is I can go about my day. I can SSH into as many hosts as possible. But after 12 hours, I have to log in again to get new certificates. And this is sort of a fundamental shift — this difference between using public private keys and SSH certificates. So let's use tsh ls. And you can see that we have the host which was also available in the web UI.

Ben: And now we can SSH into the bastion host. So there's this one here. And now I'm on this same host here but accessing it using tsh ssh. htop installed. Let's see what I have. What you can do here is you can access using tsh ssh. You can traverse the Linux file system. And you can do anything else you do normally with tsh, and then you can also use ssh, OpenSSH with -J, use the proxy URL, and then the same thing to access.

tsh ssh setup

Ben: So step four, we're going to use tsh and the resource catalog to introspect the cluster. So on the bastion host, you can see that we have the UID and the address and the same information. This information is also available on Teleport itself. One thing would be different is that UID. It's only available to the administrator. This can be important because you may have host that have exactly the same name. But Teleport keeps an internal registry of hosts.

Ben: And another cool thing you can do is you can query by labels, so exit. And then you can see this is the only host [inaudible] example on but if you're using prod and staging this is a quick way of listing all hosts. And I think what you can do is you can execute on all nodes to simplify repeated operations. And so what I'm doing here is — there's no output because in my standard directory, there's no file, but I've logged in as root. And then all nodes which have the label and example, I'm running ls. So this brings me to the end.

Conclusion

Ben: Just to conclude, you can see that we left Port 22 open. Now this is the time that you would think about closing Port 22, and then only using Teleport for access. To summarize, you've to connected using teleport using tsh ls to manage and introspect resources. So now you can shut down and sort of completed this exercise. This is a good foundation and introduction to setting up Teleport. If you have any questions, you can join us in our Slack room or you can comment on our GitHub discussion. Thanks for watching.

Key links:

• Secretless SSH Access
• Getting Started guide