This will go over how to install and configure Teleport. Documentation on Teleport can be found here.
# Install

Teleport documentation on installation can be found here.
## Create the server

Port 443 should be exposed.
## Setup DNS Entries

Create two A DNS records, `teleport.example.com` and `*.teleport.example.com`; both should point to the server Teleport will be running on.
## Install teleport

Example on Amazon Linux 2:

```bash
source /etc/os-release
sudo yum-config-manager --add-repo $(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v12/teleport.repo")
sudo yum install teleport
sudo systemctl start teleport
```
## Ansible

```yaml
---
- name: Install teleport
  hosts: all
  become: true
  vars:
    teleport_server_dns_address: teleport.example.com
    teleport_server_name: teleport
  tasks:
    - name: Teleport repository
      block:
        - name: Teleport repository | Apt key
          ansible.builtin.get_url:
            url: https://apt.releases.teleport.dev/gpg
            dest: /usr/share/keyrings/teleport-archive-keyring.asc
            mode: '0644'
        - name: Teleport repository | Apt source
          ansible.builtin.apt_repository:
            repo: "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] https://apt.releases.teleport.dev/{{ ansible_facts['lsb']['id'] | lower }} {{ ansible_facts['lsb']['codename'] }} stable/v12"
            state: present
    - name: Install teleport
      ansible.builtin.package:
        name: teleport
        state: present
    - name: Template a file to /etc/teleport.yaml
      ansible.builtin.template:
        src: templates/teleport.yaml.j2
        dest: /etc/teleport.yaml
        mode: '0644'
    - name: Start and enable teleport
      ansible.builtin.service:
        name: teleport
        state: started
        enabled: true
```
Example `teleport.yaml` that will be copied onto the server:

```yaml
# templates/teleport.yaml.j2
version: v2
teleport:
  nodename: {{ teleport_server_name }}
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: yes
  authentication:
    type: local
  listen_addr: 0.0.0.0:3025
  cluster_name: {{ teleport_server_name }}
  proxy_listener_mode: multiplex
ssh_service:
  enabled: yes
  labels:
    service: teleport
  commands:
    - name: hostname
      command: [hostname]
      period: 1m0s
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: {{ teleport_server_dns_address }}:443
```
# Configure

## TLS Encryption

### Let's Encrypt

Port 443 must be public.

```bash
DOMAIN=teleport.example.com
EMAIL=admin@example.com   # placeholder: use your own contact address for Let's Encrypt
teleport configure --acme --acme-email=${EMAIL?} --cluster-name=${DOMAIN?} | sudo tee /etc/teleport.yaml > /dev/null
```
### Private Deployments

On your Teleport host, place a valid private key and a certificate chain in `/var/lib/teleport/privkey.pem` and `/var/lib/teleport/fullchain.pem` respectively.

```bash
sudo teleport configure -o file \
    --cluster-name=teleport.example.com \
    --public-addr=teleport.example.com:443 \
    --cert-file=/var/lib/teleport/fullchain.pem \
    --key-file=/var/lib/teleport/privkey.pem
sudo systemctl start teleport
```

Visit https://teleport.example.com to confirm.
# Create User

Add a new admin user (`teleport-admin`) that can log in as root, ubuntu, and ec2-user.

```bash
sudo tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu,ec2-user,admin
```

Go to the link printed by the command to configure the password and TOTP.
## Create from Manifest

Documentation on creating roles and users from manifests can be found here.

```yaml
# admin_user.yaml
version: v2
kind: user
metadata:
  name: admin
spec:
  roles:
    - access
    - editor
  traits:
    aws_role_arns: null
    db_names: null
    db_users: null
    kubernetes_groups: null
    kubernetes_users: null
    windows_logins: null
    logins:
      - root
      - admin
      - ec2-user
      - ubuntu
```

```bash
tctl create -f admin_user.yaml
```
# TSH

## Install Client

```bash
brew install teleport
```

## Authentication

```bash
tsh login --proxy=teleport.example.com --user=teleport-admin
```