teleport

package module
v0.0.11
Published: Feb 4, 2016 License: Apache-2.0 Imports: 1 Imported by: 0

README

Teleport

Teleport is an SSH infrastructure for clusters of Linux servers. Teleport extends traditional SSH with the following capabilities:

  • Provides coordinated and secure access to multiple Linux clusters by multiple teams with different permissions.
  • Enforces cluster-specific security policies.
  • Includes session record/replay and keeps audit logs.

It also contains a few nice conveniences like built-in command multiplexing, web-based administration and more. Teleport is a standalone executable.

Teleport uses Etcd in HA mode or Boltdb in standalone mode.

Deploying

Every commit to the master branch triggers Jenkins to deploy to https://teleport.gravitational.io. You can also deploy via Slack by sending a /deploy message like this:

/deploy teleport staging master

Status

Teleport is not ready to be used in production yet.

We are currently fixing outstanding security issues, and working on hardening.

Design document

Take a look at the Teleport design document.

Developer Docs

Take a look at the Developer API.

Overview

The Teleport system consists of several independent parts that can be set up in various combinations:

Teleport Auth

The Auth server acts as the authentication and authorization server and as the SSH host and user certificate authority. It stores audit logs and access records and is the only stateful component in the system.

Note: Read more about SSH certificate authorities in this intro article.

Note: The Auth server does not itself provide any support for interactive sessions or remote command execution.

Teleport SSH

The Teleport SSH server is a simple stateless server written in Go that supports only SSH user certificates as an authentication method, generates structured events and supports interactive collaborative sessions.

Teleport Proxy

Teleport Proxy is a stateless SSH proxy that implements 2-factor web authentication and proxies traffic to the remote SSH nodes.

Installation

Teleport is open source; currently it should be built from a clone of the repository.

Prerequisites

  • go >= 1.4.2
  • etcd >= v2.0.10 (in case of HA mode)

Clone the latest master (note the ${GOPATH} shell syntax and the github.com import path):

mkdir -p ${GOPATH}/src/github.com/gravitational
cd ${GOPATH}/src/github.com/gravitational
git clone git@github.com:gravitational/teleport.git

Compile

make install

This should install the teleport and tctl binaries. Check that the binaries are installed:

ls ${GOPATH}/bin/tctl ${GOPATH}/bin/teleport

Quickstart

# create the directory where the auth server will keep its local state
mkdir -p /var/lib/teleport
# make sure it is not owned by root
chown <<USER>>:<<GROUP>> /var/lib/teleport

# start teleport in embedded mode
make run-embedded

Note: run-embedded executes teleport with the configuration file examples/embedded.yaml; check it out for more details.

Web access via proxy

Teleport allows access to the cluster via a web portal, which is guarded by 2-factor authentication. Here's how to log in:

  • Create a user entry for yourself:
tctl user set-pass --user=<user> --pass=<pass>

Important: A username and password are not enough to log in to Teleport; for the second factor it uses HOTP tokens. The tool also generated a QR code for you and placed it in the current working directory. Follow the next steps to set up your phone to use the QR key:

  • Set up the Google Authenticator app on your phone (available for free for Android and iPhone)

Check out the QR.png file that was written to the local directory and scan the QR code. Follow the next step to log in:

Note: If you fail to log in the first time, try refreshing the token. Teleport will try to sync up your phone and token on the next attempt.
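The "sync up" behaviour above exists because HOTP (RFC 4226) is counter based: a phone that generates a few codes the server never sees runs ahead of the server's counter. The following Go program is an added illustration, not Teleport's own code, of how a server verifies a 6-digit HOTP against a look-ahead window and moves its counter past the matching value, while rejecting a replayed earlier code. The secret is the RFC 4226 test-vector key, constructed here for the example; Teleport's real window size and storage are not shown on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes a 6-digit RFC 4226 HOTP value: HMAC-SHA1 of the
// 8-byte big-endian moving counter, dynamically truncated to 31 bits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// HOTPVerifier is the server-side state for one enrolled token.
type HOTPVerifier struct {
	Secret  []byte // shared secret encoded in the QR code at enrolment
	Counter uint64 // next counter value the server expects
	Window  int    // how many counters ahead the server will search
}

// Verify checks a submitted code against Counter..Counter+Window. On a
// match it advances Counter past the matching value, so a phone that
// produced a few unused codes is back in sync on the next attempt, and
// a code at or below the last accepted counter is rejected as a replay.
func (v *HOTPVerifier) Verify(code string) bool {
	for i := 0; i <= v.Window; i++ {
		c := v.Counter + uint64(i)
		if hmac.Equal([]byte(hotp(v.Secret, c)), []byte(code)) {
			v.Counter = c + 1
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret: the RFC 4226 Appendix D test-vector key.
	v := &HOTPVerifier{Secret: []byte("12345678901234567890"), Window: 3}
	fmt.Println(v.Verify("755224"), v.Verify("359152"), v.Verify("287082"))
}
```

The three calls in main correspond to counter 0 (accepted), counter 2 (accepted through the look-ahead window, resyncing the server to counter 3) and counter 1 (rejected as a replay).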

SSH access via proxy

OpenSSH

To use the OpenSSH client with Teleport you need to run the Teleport SSH agent on your local machine.

  1. First, start the agent:
tctl agent start --agent-addr="unix:///tmp/teleport.agent.sock"
  2. Then log in your agent using your credentials:
tctl agent login --proxy-addr=PROXY-ADDR --ttl=10h

where PROXY-ADDR is the address of the remote Teleport proxy and ttl is how long you want to stay logged in (max 30 hours). tctl will ask for your username, password and second-factor token.
  3. Point OpenSSH at the agent socket:
SSH_AUTH_SOCK=/tmp/teleport.agent.sock; export SSH_AUTH_SOCK;
  4. To enable connecting via the proxy on the OpenSSH client, add a ProxyCommand to your ~/.ssh/config file. For example:
Host node1.gravitational.io
  ProxyCommand  ssh -p {proxyport} %r@proxy.gravitational.io -s proxy:%h:%p
  5. Then you can connect to your SSH nodes as usual:
ssh -p {nodeport} user@node1.gravitational.io

Ansible

By default Ansible uses the OpenSSH client. To make Ansible work with Teleport you need to:

  • configure your OpenSSH client as described above
  • enable scp mode in the Ansible config file (default /etc/ansible/ansible.cfg):
scp_if_ssh = True

Documentation

Overview

Copyright 2015 Gravitational, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsAlredyExists

func IsAlredyExists(e error) bool

func IsCompareFailed

func IsCompareFailed(e error) bool

func IsNotFound

func IsNotFound(e error) bool

Types

type AlreadyAcquiredError

type AlreadyAcquiredError struct {
	Message string
}

func (*AlreadyAcquiredError) Error

func (e *AlreadyAcquiredError) Error() string

type AlreadyExistsError

type AlreadyExistsError struct {
	Message string
}

func (*AlreadyExistsError) Error

func (n *AlreadyExistsError) Error() string

type BadParameterError

type BadParameterError struct {
	Param string
	Err   string
}

func (*BadParameterError) Error

func (m *BadParameterError) Error() string

type CompareFailedError

type CompareFailedError struct {
	Message string
}

func (*CompareFailedError) Error

func (e *CompareFailedError) Error() string

type MissingParameterError

type MissingParameterError struct {
	Param string
}

func (*MissingParameterError) Error

func (m *MissingParameterError) Error() string

type NotFoundError

type NotFoundError struct {
	Message string
}

func (*NotFoundError) Error

func (e *NotFoundError) Error() string

type ReadonlyError

type ReadonlyError struct {
	Message string
}

func (*ReadonlyError) Error

func (e *ReadonlyError) Error() string
