This will go over how to install and configure Teleport.

Documentation on Teleport can be found here

Install

Teleport documentation on installation can be found here

Create the server

Port 443 should be exposed

Setup DNS Entries

Create two DNS A records, teleport.example.com and *.teleport.example.com, both pointing at the server Teleport will run on (the wildcard is needed for application and other per-service subdomains served through the proxy).

Install teleport

Example on Amazon Linux 2

source /etc/os-release
sudo yum-config-manager --add-repo $(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v12/teleport.repo")
sudo yum install teleport
sudo systemctl start teleport

Ansible

---
- name: Install teleport
  hosts: all
  become: true
  vars:
    teleport_server_dns_address: teleport.example.com
    teleport_server_name: teleport
  tasks:
    - name: Teleport repository
      block:
        - name: Teleport repository | Apt key
          ansible.builtin.get_url:
            url: https://apt.releases.teleport.dev/gpg
            dest: /usr/share/keyrings/teleport-archive-keyring.asc
            mode: '0644'

        - name: Teleport repository | Apt source
          # ansible_facts['lsb'] is only populated when lsb_release is installed on the host
          ansible.builtin.apt_repository:
            repo: "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] https://apt.releases.teleport.dev/{{ ansible_facts['lsb']['id'] | lower }} {{ ansible_facts['lsb']['codename'] }} stable/v12"
            state: present

    - name: Install teleport
      ansible.builtin.package:
        name: teleport
        state: present

    - name: Template a file to /etc/teleport.yaml
      ansible.builtin.template:
        src: templates/teleport.yaml.j2
        dest: /etc/teleport.yaml
        mode: '0644'

    - name: Start and enable teleport
      ansible.builtin.service:
        name: teleport
        state: started
        enabled: true

Example teleport.yaml.j2 template that the playbook renders to /etc/teleport.yaml on the server.

# templates/teleport.yaml.j2
version: v2
teleport:
  nodename: {{ teleport_server_name }}
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  authentication:
    type: local
  listen_addr: 0.0.0.0:3025
  cluster_name: {{ teleport_server_name }}
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
  labels:
    service: teleport
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: {{ teleport_server_dns_address }}:443

Configure

TLS Encryption

Let’s Encrypt

Port 443 must be reachable from the internet so that Let's Encrypt can complete the challenge against the proxy.

DOMAIN=teleport.example.com
EMAIL=admin@example.com   # placeholder: use a mailbox you read, Let's Encrypt sends expiry notices there
teleport configure --acme --acme-email=${EMAIL?} --cluster-name=${DOMAIN?} | sudo tee /etc/teleport.yaml > /dev/null

Note that tee truncates /etc/teleport.yaml, so this replaces whatever the Ansible template put there; re-apply settings such as the ssh_service labels afterwards.

Private Deployments

On your Teleport host, place a valid private key and a certificate chain in /var/lib/teleport/privkey.pem and /var/lib/teleport/fullchain.pem respectively.

sudo teleport configure -o file \
    --cluster-name=teleport.example.com \
    --public-addr=teleport.example.com:443 \
    --cert-file=/var/lib/teleport/fullchain.pem \
    --key-file=/var/lib/teleport/privkey.pem

Configuration documentation

sudo systemctl start teleport

Visit https://teleport.example.com to confirm the proxy is serving the web UI with the expected certificate.
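A check for the rendered configuration, added here as an example and not code from the page or the Teleport project: it parses the mapping subset of teleport.yaml used above and reports the proxy TLS and auth settings a reviewer looks at before opening port 443. The sample config is the template from the Ansible section rendered with its variables (constructed inline); the `acme` block and `second_factor` key it looks for are standard Teleport settings assumed to match your version.

```python
# Added example (not the page's or Teleport's code): lint a rendered teleport.yaml for the
# settings to review before exposing port 443. The parser covers only the indentation-based
# mapping subset of this page's template (list items are skipped), so no PyYAML is needed.

def parse_mappings(text):
    root = {}
    stack = [(-1, root)]                 # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("- "):
            continue
        indent = len(line) - len(line.lstrip())
        while indent <= stack[-1][0]:    # dedent closes deeper mappings
            stack.pop()
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if value:                        # scalar; quotes dropped, "" stays empty
            stack[-1][1][key] = value.strip("\"'")
        else:                            # `key:` opens a nested mapping
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
    return root

def enabled(section):
    return str(section.get("enabled", "no")).lower() in ("yes", "true")

def lint(cfg):
    """Return findings as strings; an empty list means nothing to report."""
    findings, proxy, auth = [], cfg.get("proxy_service", {}), cfg.get("auth_service", {})
    if enabled(proxy):
        if not enabled(proxy.get("acme", {})) and "https_keypairs" not in proxy:
            findings.append("proxy_service: no acme or https_keypairs, so the proxy serves a self-signed certificate")
        if not proxy.get("public_addr"):
            findings.append("proxy_service: public_addr is not set")
    if enabled(auth):
        if auth.get("authentication", {}).get("second_factor", "otp") == "off":
            findings.append("auth_service: second_factor is off, so a password alone logs a local user in")
        if str(auth.get("listen_addr", "")).startswith("0.0.0.0"):
            findings.append("auth_service: listen_addr binds all interfaces; keep 3025 firewalled (only 443 is public)")
    return findings

# Constructed sample: the page's template rendered with the playbook variables (commands list omitted).
PAGE_TEMPLATE = """\
version: v2
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport.example.com:443
"""
```

Run `lint(parse_mappings(open("/etc/teleport.yaml").read()))` on the server before the first start; after the ACME step the self-signed finding should disappear while the 3025 reminder stays.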

Create User

Add a new admin user (teleport-admin) that can log in as root, ubuntu, ec2-user, and admin.

sudo tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu,ec2-user,admin

Open the link printed by the command to set the password and enrol a TOTP device.

Create from Manifest

Documentation on creating roles and users from manifests can be found here.

version: v2
kind: user
metadata:
  name: admin
spec:
  roles:
  - access
  - editor
  traits:
    aws_role_arns: null
    db_names: null
    db_users: null
    kubernetes_groups: null
    kubernetes_users: null
    windows_logins: null
    logins:
    - root
    - admin
    - ec2-user
    - ubuntu

Save the manifest as admin_user.yaml and create the user with:

tctl create -f admin_user.yaml

tsh

Install Client

brew install teleport

Authentication

tsh login --proxy=teleport.example.com --user=teleport-admin