The proxy is a stateless service which performs three main functions in a Teleport cluster:
1. It serves as an authentication gateway. It asks for credentials from connecting clients and forwards them to the Auth server via the Auth API.
2. It looks up the IP address for a requested Node and then proxies a connection from the client to that Node.
3. It serves a Web UI which cluster users use to sign up and configure their accounts, explore Nodes in a cluster, log into remote Nodes, join existing SSH sessions or replay recorded sessions.
In Web UI mode, Teleport Proxy implements WSS (secure WebSockets) to proxy a client SSH connection:
When using the Web UI, the Teleport Proxy terminates SSL traffic and re-encodes the data for the SSH client connection.
Getting Client Certificates
Teleport Proxy implements a special method to let clients get short-lived authentication certificates signed by the Certificate Authority (CA) provided by the Auth Service.
The tsh client generates an OpenSSH keypair. It forwards the generated public key, username, password and second factor token to the proxy.
tctl
The client stores the certificate in ~/.tsh/keys/example.com. The certificate is also added to the local SSH agent if one is running.
Using Client Certificates
Once the client has obtained a certificate, it can use it to authenticate with any Node in the cluster. Users can use the certificate with a standard OpenSSH client (ssh) or with tsh.
A client connects to the Proxy Server and provides the target Node's host and port. There are three lookup mechanisms a proxy uses to find the Node's IP address:
nodename
If the Node is located, the Proxy establishes an SSH tunnel to the requested Node and starts forwarding traffic from the Node to the client.
The client uses the established SSH tunnel from Proxy to Node to open a new SSH connection. The client authenticates with the target Node using its client certificate.
Teleport's proxy command makes it compatible with SSH jump hosts implemented using OpenSSH's ProxyCommand. It also supports OpenSSH's ProxyJump/ssh -J implementation as of Teleport 4.1. See User Manual
In this mode, the proxy terminates (decrypts) the SSH connection using the certificate supplied by the client via SSH agent forwarding and then establishes its own SSH connection to the final destination server, effectively becoming an authorized "man in the middle". This allows the proxy server to forward SSH session data to the auth server to be recorded, as shown below:
The recording proxy mode, although less secure, was added to allow Teleport users to enable session recording for OpenSSH servers running sshd, which is helpful when gradually transitioning large server fleets to Teleport.
We consider the "recording proxy mode" to be less secure for two reasons:
However, proxy-based session recording has advantages too. When sessions are recorded at the Nodes, a root user can add iptables rules to prevent session logs from reaching the Auth Service. With sessions recorded at the proxy, users with root privileges on Nodes have no way of disabling the audit.
See the admin guide to learn how to turn on the recording proxy mode. Note that the recording mode is configured on the Auth Service.