This will go over how to install and configure Teleport.
Documentation on Teleport can be found here
Install
Teleport documentation on installation can be found here
Create the server
Expose port 443 (the Teleport proxy's web listener) to the clients that will connect.
Set up DNS entries
Create two DNS A records, teleport.example.com and *.teleport.example.com, both pointing at the server Teleport will run on. The wildcard record is what lets the proxy serve per-application subdomains under the cluster name.
Install teleport
Example on Amazon Linux 2:
source /etc/os-release
sudo yum-config-manager --add-repo $(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/stable/v12/teleport.repo")
sudo yum install teleport
sudo systemctl start teleport
Ansible
Playbook for Debian/Ubuntu hosts; the apt repository URL is built from the host's LSB facts:
---
- name: Install teleport
  hosts: all
  become: true
  vars:
    teleport_server_dns_address: teleport.example.com
    teleport_server_name: teleport
  tasks:
    - name: Teleport repository
      block:
        - name: Teleport repository | Apt key
          ansible.builtin.get_url:
            url: https://apt.releases.teleport.dev/gpg
            dest: /usr/share/keyrings/teleport-archive-keyring.asc
            mode: '0644'
        - name: Teleport repository | Apt source
          ansible.builtin.apt_repository:
            repo: "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] https://apt.releases.teleport.dev/{{ ansible_facts['lsb']['id'] | lower }} {{ ansible_facts['lsb']['codename'] }} stable/v12"
            state: present
    - name: Install teleport
      ansible.builtin.package:
        name: teleport
        state: present
    - name: Template a file to /etc/teleport.yaml
      ansible.builtin.template:
        src: templates/teleport.yaml.j2
        dest: /etc/teleport.yaml
        mode: '0644'
    - name: Start and enable teleport
      ansible.builtin.service:
        name: teleport
        state: started
        enabled: true
The templates/teleport.yaml.j2 that the playbook renders to /etc/teleport.yaml on the server:
# templates/teleport.yaml.j2
version: v2
teleport:
  nodename: {{ teleport_server_name }}
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: yes
  authentication:
    type: local
  listen_addr: 0.0.0.0:3025
  cluster_name: {{ teleport_server_name }}
  proxy_listener_mode: multiplex
ssh_service:
  enabled: yes
  labels:
    service: teleport
  commands:
    - name: hostname
      command: [hostname]
      period: 1m0s
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: {{ teleport_server_dns_address }}:443
TLS Encryption
Let’s Encrypt
Port 443 must be reachable from the public internet so that Let’s Encrypt can complete its challenge against the proxy.
DOMAIN=teleport.example.com
EMAIL=[email protected]
teleport configure --acme --acme-email=${EMAIL?} --cluster-name=${DOMAIN?} | sudo tee /etc/teleport.yaml > /dev/null
Private Deployments
On your Teleport host, place a valid private key and a certificate chain at /var/lib/teleport/privkey.pem and /var/lib/teleport/fullchain.pem respectively (the key file should be readable only by root), then generate the configuration from them:
sudo teleport configure -o file \
    --cluster-name=teleport.example.com \
    --public-addr=teleport.example.com:443 \
    --cert-file=/var/lib/teleport/fullchain.pem \
    --key-file=/var/lib/teleport/privkey.pem
Configuration documentation
sudo systemctl start teleport
Visit https://teleport.example.com in a browser to confirm the proxy is up and serving the expected certificate.
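A preflight check for the private-deployment step above, added here as example code (it is not Teleport's own tooling and none of the function names below come from Teleport): it confirms that the private key is not group- or world-readable, that the certificate and key belong together, that the certificate's SAN list covers the cluster name (and warns when it lacks the wildcard that the DNS section relies on), and that the certificate is not about to expire. It assumes a Linux host with GNU stat and OpenSSL 1.1.1 or later; the self-signed pair generated at the end is constructed demo data, not a certificate to deploy.

```shell
#!/bin/sh
# Added example: preflight checks for the cert/key pair Teleport will load.
# Assumes GNU coreutils (stat -c) and OpenSSL >= 1.1.1 (-addext, -checkend).

# Private key must be readable only by its owner (mode 0600 or 0400).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# The certificate's public key must be the one derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Does the certificate's subjectAltName cover NAME? A wildcard entry
# (*.example.com) matches exactly one extra label, as browsers apply it.
cert_covers_name() {
    name=$2
    sans=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
    [ -n "$sans" ] || return 1
    for san in $sans; do
        [ "$san" = "$name" ] && return 0
        case "$san" in
            "*."*)
                parent=${name#*.}
                # name must have at least two labels and its parent must equal the wildcard base
                [ "$parent" != "$name" ] && [ "$parent" = "${san#??}" ] && return 0
                ;;
        esac
    done
    return 1
}

# Certificate must remain valid for at least DAYS more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check against the paths Teleport will be configured with.
teleport_cert_preflight() {
    cert=$1; key=$2; cluster=$3; rc=0
    key_perms_ok "$key"                     || { echo "FAIL: $key must be mode 0600"; rc=1; }
    cert_matches_key "$cert" "$key"         || { echo "FAIL: $cert does not match $key"; rc=1; }
    cert_covers_name "$cert" "$cluster"     || { echo "FAIL: $cert does not cover $cluster"; rc=1; }
    cert_covers_name "$cert" "app.$cluster" || echo "WARN: no wildcard SAN for *.$cluster"
    cert_valid_for_days "$cert" 14          || { echo "FAIL: $cert expires within 14 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert / $key ready for $cluster"
    return "$rc"
}

# Constructed demo input: a throwaway self-signed pair, NOT for deployment.
make_demo_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" -days "$3" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2,DNS:*.$2" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
make_demo_cert "$DEMO_DIR" teleport.example.com 30
chmod 600 "$DEMO_DIR/privkey.pem"
teleport_cert_preflight "$DEMO_DIR/fullchain.pem" "$DEMO_DIR/privkey.pem" teleport.example.com
rm -rf "$DEMO_DIR"
```

On the real host, replace the demo block with a call such as `teleport_cert_preflight /var/lib/teleport/fullchain.pem /var/lib/teleport/privkey.pem teleport.example.com` before running `teleport configure`; a failing permission check is worth fixing first, since Teleport will happily load a world-readable key.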
Create User
Add a new admin user (teleport-admin) that can log in as root, ubuntu, ec2-user and admin:
sudo tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu,ec2-user,admin
Open the link that the command prints to set the password and enroll a TOTP device.
Create from Manifest
Documentation on creating roles and users from manifests can be found here.
admin_user.yaml:
version: v2
kind: user
metadata:
  name: admin
spec:
  roles:
    - access
    - editor
  traits:
    aws_role_arns: null
    db_names: null
    db_users: null
    kubernetes_groups: null
    kubernetes_users: null
    windows_logins: null
    logins:
      - root
      - admin
      - ec2-user
      - ubuntu
tctl create -f admin_user.yaml
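A small check to run on the host before `tctl create -f`, added here as example code (not part of Teleport; every function name below is mine): it pulls the logins out of a user manifest like the one above, reports any that do not exist as local accounts on this machine (a login Teleport grants but the OS lacks will fail at SSH time), and lists which of them map to uid 0 so the blast radius of the role is visible before it is applied. It assumes the manifest keeps its `logins:` list on consecutive `- item` lines as shown; the manifest it writes at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example: sanity-check the logins in a Teleport user manifest
# against the local accounts on this host. Assumes the flat "logins:"
# list layout shown in the manifest above (one "- login" per line).

# Print each login listed under "logins:" in the manifest, one per line.
manifest_logins() {
    awk '
        /^[[:space:]]*logins:[[:space:]]*$/ { inlist = 1; next }
        inlist && /^[[:space:]]*-[[:space:]]*/ {
            sub(/^[[:space:]]*-[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; next
        }
        inlist { inlist = 0 }
    ' "$1"
}

# Print logins that have no local account (id lookup fails).
missing_logins() {
    for login in $(manifest_logins "$1"); do
        id "$login" >/dev/null 2>&1 || echo "$login"
    done
    return 0
}

# Print logins that resolve to uid 0, i.e. grant root-equivalent shell access.
privileged_logins() {
    for login in $(manifest_logins "$1"); do
        uid=$(id -u "$login" 2>/dev/null) || continue
        [ "$uid" -eq 0 ] && echo "$login"
    done
    return 0
}

# Combined report; returns non-zero when any login lacks a local account.
check_manifest() {
    missing=$(missing_logins "$1")
    privileged=$(privileged_logins "$1")
    [ -z "$privileged" ] || echo "uid-0 logins granted by $1:" $privileged
    [ -z "$missing" ] || { echo "logins with no local account on $(uname -n):" $missing; return 1; }
    return 0
}

# Constructed demo manifest (same shape as admin_user.yaml above), with one
# login that deliberately does not exist on a typical host.
DEMO=$(mktemp)
cat > "$DEMO" <<'EOF'
version: v2
kind: user
metadata:
  name: demo
spec:
  roles:
    - access
  traits:
    logins:
      - root
      - no-such-login-x9
EOF
if check_manifest "$DEMO"; then
    echo "manifest ok"
else
    echo "fix the manifest before running tctl create"
fi
rm -f "$DEMO"
```

Run it as `check_manifest admin_user.yaml` on the node the user will log into; the uid-0 line is informational (this page's manifest grants root on purpose), while a non-zero exit means a login that Teleport would advertise but the host cannot honour.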
TSH
Install Client
Authentication
tsh login --proxy=teleport.example.com --user=teleport-admin