teleport

package module
v2.5.8+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 30, 2018 License: Apache-2.0 Imports: 4 Imported by: 0

README

Gravitational Teleport

Gravitational Teleport is a modern SSH server for remotely accessing clusters of Linux servers via SSH or HTTPS. It is intended to be used instead of sshd for organizations who need:

  • SSH audit with session recording/replay.
  • Easily manage SSH trust between teams, organizations and data centers.
  • SSH into behind-firewall clusters without any open ports.
  • Role-based access control (RBAC) for SSH protocol.

In addition to its hallmark features, Teleport is interesting for smaller teams because it facilitates easy adoption of the best SSH practices like:

  • No need to distribute keys: Teleport uses certificate-based access with automatic certificate expiration time.
  • 2nd factor authentication (2FA) for SSH.
  • Collaboratively troubleshoot issues through session sharing.
  • Single sign-on (SSO) for SSH and your organization identities via OpenID Connect or SAML with endpoints like Okta or Active Directory.
  • Cluster introspection: every SSH node and its status can be queried via CLI and Web UI.

Teleport is built on top of the high-quality Golang SSH implementation and it is fully compatible with OpenSSH and can be used with sshd servers and ssh clients.

Project Links Description
Teleport Website The official website of the project
Documentation Admin guide, user manual and more
Demo Video 3-minute video overview of the UI.
Teleconsole The free service to "invite" SSH clients behind NAT, built on top of Teleport
Blog Our blog where we publish Teleport news

Installing and Running

Download the latest binary release, unpack the .tar.gz and run sudo ./install. This will copy Teleport binaries into /usr/local/bin.

Then you can run Teleport as a single-node cluster:

$ sudo teleport start 

In a production environment Teleport must run as root. But to play, just do chown $USER /var/lib/teleport and run it under $USER, in this case you will not be able to login as someone else though.

Building Teleport

Teleport source code consists of the actual Teleport daemon binary written in Golang, and also it has a web UI (located in /web directory) written in Javascript. The WebUI is not changed often and we keep it checked into Git under /dist, so you only need to build Golang:

Make sure you have Golang v1.8.3 or newer, then run:

# get the source & build:
$ mkdir -p $GOPATH/src/github.com/gravitational
$ cd $GOPATH/src/github.com/gravitational
$ git clone https://github.com/gravitational/teleport.git
$ cd teleport
$ make full

# create the default data directory before starting:
$ sudo mkdir -p /var/lib/teleport
$ sudo chown $USER /var/lib/teleport

If the build succeds the binaries will be placed in $GOPATH/src/github.com/gravitational/teleport/build

NOTE: The Go compiler is somewhat sensitive to amount of memory: you will need at least 1GB of virtual memory to compile Teleport. 512MB instance without swap will not work.

Rebuilding Web UI

To enable speedy iterations on the Web UI, teleport can load the web UI assets from the source directory. To enable this behavior, set the environment variable DEBUG=1 and rebuild with the default target:

$ make

# Run Teleport as a single-node cluster in development mode: 
$ DEBUG=1 ./build/teleport start -d

Keep the server running in this mode, and make your UI changes in /dist directory. Refer to web/README.md for instructions on how to update the Web UI.

Why did We Build Teleport?

Mature tech companies with significant infrastructure footprints tend to implement most of these patterns internally. Teleport allows smaller companies without significant in-house SSH expertise to easily adopt them, as well. Teleport comes with an accessible Web UI and a very permissive Apache 2.0 license to facilitate adoption and use.

Being a complete standalone tool, Teleport can be used as a software library enabling trust management in complex multi-cluster, multi-region scenarios across many teams within multiple organizations.

More Information

Contributing

The best way to contribute is to create issues or pull requests right here on Github. You can also reach the Gravitational team through their website

Is Teleport Secure and Production Ready?

Teleport has completed several security audits from the nationally recognized technology security companies. Some of them have been made public. We are comfortable with the use of Teleport from a security perspective.

However, Teleport is still a relatively young product so you may experience usability issues. We are actively supporting Teleport and addressing any issues that are submitted to this repo. Ask questions, send pull requests, report issues and don't be shy! :)

The latest stable Teleport build can be found in Releases

Known Issues

  • Teleport does not officially support IPv6 yet.

Who Built Teleport?

Teleport was created by Gravitational Inc. We have built Teleport by borrowing from our previous experiences at Rackspace. It has been extracted from Telekube, our Kubernetes distribution optimized for deploying and remotely controlling complex applications into multiple environments at the same time:

  • Multiple cloud regions
  • Colocation
  • Private enterprise clouds located behind firewalls

Documentation

Overview

Gravitational Teleport is a modern SSH server for remotely accessing clusters of Linux servers via SSH or HTTPS. It is intended to be used instead of sshd.

Teleport enables teams to easily adopt the best SSH practices like:

  • No need to distribute keys: Teleport uses certificate-based access with automatic expiration time.
  • Enforcement of 2nd factor authentication.
  • Cluster introspection: every Teleport node becomes a part of a cluster and is visible on the Web UI.
  • Record and replay SSH sessions for knowledge sharing and auditing purposes.
  • Collaboratively troubleshoot issues through session sharing.
  • Connect to clusters located behind firewalls without direct Internet access via SSH bastions.
  • Ability to integrate SSH credentials with your organization identities via OAuth (Google Apps, Github).
  • Keep the full audit log of all SSH sessions within a cluster.

Teleport web site:

https://gravitational.com/teleport/

Teleport on Github:

https://github.com/gravitational/teleport

Index

Constants

View Source
const (
	// SSHAuthSock is the environment variable pointing to the
	// Unix socket the SSH agent is running on.
	SSHAuthSock = "SSH_AUTH_SOCK"
	// SSHAgentPID is the environment variable pointing to the agent
	// process ID
	SSHAgentPID = "SSH_AGENT_PID"

	// SSHTeleportUser is the current Teleport user that is logged in.
	SSHTeleportUser = "SSH_TELEPORT_USER"

	// SSHSessionWebproxyAddr is the address the web proxy.
	SSHSessionWebproxyAddr = "SSH_SESSION_WEBPROXY_ADDR"

	// SSHTeleportClusterName is the name of the cluster this node belongs to.
	SSHTeleportClusterName = "SSH_TELEPORT_CLUSTER_NAME"

	// SSHTeleportHostUUID is the UUID of the host.
	SSHTeleportHostUUID = "SSH_TELEPORT_HOST_UUID"

	// SSHSessionID is the UUID of the current session.
	SSHSessionID = "SSH_SESSION_ID"
)
View Source
const (
	// HTTPSProxy is an environment variable pointing to a HTTPS proxy.
	HTTPSProxy = "HTTPS_PROXY"

	// HTTPProxy is an environment variable pointing to a HTTP proxy.
	HTTPProxy = "HTTP_PROXY"
)
View Source
const (
	// TOTPValidityPeriod is the number of seconds a TOTP token is valid.
	TOTPValidityPeriod uint = 30

	// TOTPSkew adds that many periods before and after to the validity window.
	TOTPSkew uint = 1
)
View Source
const (
	// ComponentAuthority is a TLS and an SSH certificate authority
	ComponentAuthority = "authority"

	// ComponentProcess is a main control process
	ComponentProcess = "process"

	// ComponentReverseTunnelServer is reverse tunnel server
	// that together with agent establish a bi-directional SSH revers tunnel
	// to bypass firewall restrictions
	ComponentReverseTunnelServer = "proxy:server"

	// ComponentReverseTunnel is reverse tunnel agent
	// that together with server establish a bi-directional SSH revers tunnel
	// to bypass firewall restrictions
	ComponentReverseTunnelAgent = "proxy:agent"

	// ComponentAuth is the cluster CA node (auth server API)
	ComponentAuth = "auth"

	// ComponentNode is SSH node (SSH server serving requests)
	ComponentNode = "node"

	// ComponentNode is SSH node (SSH server serving requests)
	ComponentForwardingNode = "node:forward"

	// ComponentProxy is SSH proxy (SSH server forwarding connections)
	ComponentProxy = "proxy"

	// ComponentDiagnostic is a diagnostic service
	ComponentDiagnostic = "diagnostic"

	// ComponentClient is a client
	ComponentClient = "client"

	// ComponentTunClient is a tunnel client
	ComponentTunClient = "client:tunnel"

	// ComponentCachingClient is a caching auth client
	ComponentCachingClient = "client:cache"

	// ComponentSubsystemProxy is the proxy subsystem.
	ComponentSubsystemProxy = "subsystem:proxy"

	// ComponentLocalTerm is a terminal on a regular SSH node.
	ComponentLocalTerm = "term:local"

	// ComponentRemoteTerm is a terminal on a forwarding SSH node.
	ComponentRemoteTerm = "term:remote"

	// ComponentRemoteSubsystem is subsystem on a forwarding SSH node.
	ComponentRemoteSubsystem = "subsystem:remote"

	// ComponentAuditLog is audit log component
	ComponentAuditLog = "auditlog"

	// ComponentKeyAgent is an agent that has loaded the sessions keys and
	// certificates for a user connected to a proxy.
	ComponentKeyAgent = "keyagent"

	// ComponentKeyStore is all sessions keys and certificates a user has on disk
	// for all proxies.
	ComponentKeyStore = "keystore"

	// ComponentConnectProxy is the HTTP CONNECT proxy used to tunnel connection.
	ComponentConnectProxy = "http:proxy"

	// ComponentKeyGen is the public/private keypair generator.
	ComponentKeyGen = "keygen"

	// ComponentSession is an active session.
	ComponentSession = "session"

	// DebugEnvVar tells tests to use verbose debug output
	DebugEnvVar = "DEBUG"

	// VerboseLogEnvVar forces all logs to be verbose (down to DEBUG level)
	VerboseLogsEnvVar = "TELEPORT_DEBUG"

	// DefaultTerminalWidth defines the default width of a server-side allocated
	// pseudo TTY
	DefaultTerminalWidth = 80

	// DefaultTerminalHeight defines the default height of a server-side allocated
	// pseudo TTY
	DefaultTerminalHeight = 25

	// SafeTerminalType is the fall-back TTY type to fall back to (when $TERM
	// is not defined)
	SafeTerminalType = "xterm"

	// ConnectorOIDC means connector type OIDC
	ConnectorOIDC = "oidc"

	// ConnectorSAML means connector type SAML
	ConnectorSAML = "saml"

	// ConnectorGithub means connector type Github
	ConnectorGithub = "github"

	// DataDirParameterName is the name of the data dir configuration parameter passed
	// to all backends during initialization
	DataDirParameterName = "data_dir"

	// SSH request type to keep the connection alive. A client and a server keep
	// pining each other with it:
	KeepAliveReqType = "keepalive@openssh.com"

	// RecordingProxyReqType is the name of a global request which returns if
	// the proxy is recording sessions or not.
	RecordingProxyReqType = "recording-proxy@teleport.com"

	// OTP means One-time Password Algorithm for Two-Factor Authentication.
	OTP = "otp"

	// TOTP means Time-based One-time Password Algorithm. for Two-Factor Authentication.
	TOTP = "totp"

	// HOTP means HMAC-based One-time Password Algorithm.for Two-Factor Authentication.
	HOTP = "hotp"

	// U2F means Universal 2nd Factor.for Two-Factor Authentication.
	U2F = "u2f"

	// OFF means no second factor.for Two-Factor Authentication.
	OFF = "off"

	// Local means authentication will happen locally within the Teleport cluster.
	Local = "local"

	// OIDC means authentication will happen remotely using an OIDC connector.
	OIDC = ConnectorOIDC

	// SAML means authentication will happen remotely using a SAML connector.
	SAML = ConnectorSAML

	// Github means authentication will happen remotely using a Github connector.
	Github = ConnectorGithub

	// JSON means JSON serialization format
	JSON = "json"

	// LinuxAdminGID is the ID of the standard adm group on linux
	LinuxAdminGID = 4

	// LinuxOS is the name of the linux OS
	LinuxOS = "linux"

	// DirMaskSharedGroup is the mask for a directory accessible
	// by the owner and group
	DirMaskSharedGroup = 0770

	// FileMaskOwnerOnly is the file mask that allows read write access
	// to owers only
	FileMaskOwnerOnly = 0600

	// On means mode is on
	On = "on"

	// Off means mode is off
	Off = "off"

	// Syslog is a mode for syslog logging
	Syslog = "syslog"
)
View Source
const (
	// AuthorizedKeys are public keys that check against User CAs.
	AuthorizedKeys = "authorized_keys"
	// KnownHosts are public keys that check against Host CAs.
	KnownHosts = "known_hosts"
)
View Source
const (
	// CertExtensionPermitAgentForwarding allows agent forwarding for certificate
	CertExtensionPermitAgentForwarding = "permit-agent-forwarding"
	// CertExtensionPermitPTY allows user to request PTY
	CertExtensionPermitPTY = "permit-pty"
	// CertExtensionPermitPortForwarding allows user to request port forwarding
	CertExtensionPermitPortForwarding = "permit-port-forwarding"
	// CertExtensionTeleportRoles is used to propagate teleport roles
	CertExtensionTeleportRoles = "teleport-roles"
)
View Source
const (
	// NetIQ is an identity provider.
	NetIQ = "netiq"
	// ADFS is Microsoft Active Directory Federation Services
	ADFS = "adfs"
)
View Source
const (
	// RemoteCommandSuccess is returned when a command has successfully executed.
	RemoteCommandSuccess = 0
	// RemoteCommandFailure is returned when a command has failed to execute and
	// we don't have another status code for it.
	RemoteCommandFailure = 255
)
View Source
const (
	// CertificateFormatOldSSH is used to make Teleport interoperate with older
	// versions of OpenSSH.
	CertificateFormatOldSSH = "oldssh"

	// CertificateFormatStandard is used for normal Teleport operation without any
	// compatibility modes.
	CertificateFormatStandard = "standard"

	// CertificateFormatUnspecified is used to check if the format was specified
	// or not.
	CertificateFormatUnspecified = ""
)
View Source
const (
	// TraitInternalPrefix is the role variable prefix that indicates it's for
	// local accounts.
	TraitInternalPrefix = "internal"

	// TraitLogins is the name the role variable used to store
	// allowed logins.
	TraitLogins = "logins"

	// TraitInternalRoleVariable is the role variable used to store allowed
	// logins for local accounts.
	TraitInternalRoleVariable = "{{internal.logins}}"
)
View Source
const (
	// RemoteClusterStatusOffline indicates that cluster is considered as
	// offline, since it has missed a series of heartbeats
	RemoteClusterStatusOffline = "offline"
	// RemoteClusterStatusOnline indicates that cluster is sending heartbeats
	// at expected interval
	RemoteClusterStatusOnline = "online"
)
View Source
const APIDomain = "teleport.cluster.local"

APIDomain is a default domain name for Auth server API

View Source
const AdminRoleName = "admin"

DefaultRole is the name of the default admin role for all local users if another role is not explicitly assigned (Enterprise only).

View Source
const DefaultImplicitRole = "default-implicit-role"

DefaultImplicitRole is implicit role that gets added to all service.RoleSet objects.

View Source
const ForeverTTL time.Duration = 0

ForeverTTL means that object TTL will not expire unless deleted

View Source
const MaxEnvironmentFileLines = 1000

MaxEnvironmentFileLines is the maximum number of lines in a environment file.

View Source
const Root = "root"

Root is *nix system administrator account name.

View Source
const SCP = "scp"

SCP is Secure Copy.

View Source
const (
	// SharedDirMode is a mode for a directory shared with group
	SharedDirMode = 0750
)
View Source
const (
	Version = "2.5.8"
)
View Source
const WebAPIVersion = "v1"

WebAPIVersion is a current webapi version

Variables

View Source
var Gitref string

Gitref variable is automatically set to the output of git-describe during the build process

Functions

func Component added in v1.0.0

func Component(components ...string) string

Component generates "component:subcomponent1:subcomponent2" strings used in debugging

Types

type Role added in v1.0.0

type Role string

Role identifies the role of an SSH connection. Unlike "user roles" introduced as part of RBAC in Teleport 1.4+ these are built-in roles used for different Teleport components when connecting to each other.

const (
	// RoleAuth is for teleport auth server (authority, authentication and authorization)
	RoleAuth Role = "Auth"
	// RoleWeb is for web access users
	RoleWeb Role = "Web"
	// RoleNode is a role for SSH node in the cluster
	RoleNode Role = "Node"
	// RoleProxy is a role for SSH proxy in the cluster
	RoleProxy Role = "Proxy"
	// RoleAdmin is admin role
	RoleAdmin Role = "Admin"
	// RoleProvisionToken is a role for nodes authenticated using provisioning tokens
	RoleProvisionToken Role = "ProvisionToken"
	// RoleTrustedCluster is a role needed for tokens used to add trusted clusters.
	RoleTrustedCluster Role = "Trusted_cluster"
	// RoleSignup is for first time signing up users
	RoleSignup Role = "Signup"
	// RoleNop is used for actions that already using external authz mechanisms
	// e.g. tokens or passwords
	RoleNop Role = "Nop"
	// RoleRemoteProxy is a role for remote SSH proxy in the cluster
	RoleRemoteProxy Role = "RemoteProxy"
)
const LegacyClusterTokenType Role = "Trustedcluster"

this constant exists for backwards compatibility reasons, needed to upgrade to 2.3

func (*Role) Check added in v1.0.0

func (r *Role) Check() error

Check checks if this a a valid role value, returns nil if it's ok, false otherwise

func (*Role) Set added in v1.0.0

func (r *Role) Set(v string) error

Set sets the value of the role from string, used to integrate with CLI tools

func (*Role) String added in v1.0.0

func (r *Role) String() string

String returns debug-friendly representation of this role

type Roles added in v1.0.0

type Roles []Role

func NewRoles

func NewRoles(in []string) (Roles, error)

NewRoles return a list of roles from slice of strings

func ParseRoles added in v1.0.0

func ParseRoles(str string) (roles Roles, err error)

ParseRoles takes a comma-separated list of roles and returns a slice of roles, or an error if parsing failed

func (Roles) Check added in v1.0.0

func (roles Roles) Check() (err error)

Check returns an error if the role set is incorrect (contains unknown roles)

func (Roles) Equals added in v1.0.0

func (roles Roles) Equals(other Roles) bool

Equals compares two sets of roles

func (Roles) Include added in v1.0.0

func (roles Roles) Include(role Role) bool

Includes returns 'true' if a given list of roles includes a given role

func (Roles) String added in v1.0.0

func (roles Roles) String() string

String returns comma separated string with roles

func (Roles) StringSlice

func (roles Roles) StringSlice() []string

Slice returns roles as string slice

Directories

Path Synopsis
examples
integration package tests Teleport on a high level creating clusters of servers in memory, connecting them together and connecting to them
integration package tests Teleport on a high level creating clusters of servers in memory, connecting them together and connecting to them
lib
auth
Package auth implements certificate signing authority and access control server Authority server is composed of several parts: * Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper Package auth implements certificate signing authority and access control server Authority server is composed of several parts: * Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper
Package auth implements certificate signing authority and access control server Authority server is composed of several parts: * Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper Package auth implements certificate signing authority and access control server Authority server is composed of several parts: * Authority server itself that implements signing and acl logic * HTTP server wrapper for authority server * HTTP client wrapper
backend/boltbk
Package boltbk implements BoltDB backed backend for standalone instances This is a legacy backend which only exists for backward compatibility purposes Production Teleport clusters should be using either etcd or DynamoDB backends.
Package boltbk implements BoltDB backed backend for standalone instances This is a legacy backend which only exists for backward compatibility purposes Production Teleport clusters should be using either etcd or DynamoDB backends.
backend/dir
Package 'dir' implements the "directory backend".
Package 'dir' implements the "directory backend".
backend/dynamo
Package dynamodbDynamoDBBackend implements DynamoDB storage backend for Teleport auth service, similar to etcd backend.
Package dynamodbDynamoDBBackend implements DynamoDB storage backend for Teleport auth service, similar to etcd backend.
backend/etcdbk
Package etcdbk implements Etcd powered backend
Package etcdbk implements Etcd powered backend
backend/test
Package test contains a backend acceptance test suite that is backend implementation independent each backend will use the suite to test itself
Package test contains a backend acceptance test suite that is backend implementation independent each backend will use the suite to test itself
config
Package 'config' provides facilities for configuring Teleport daemons including - parsing YAML configuration - parsing CLI flags
Package 'config' provides facilities for configuring Teleport daemons including - parsing YAML configuration - parsing CLI flags
defaults
Package defaults contains default constants set in various parts of teleport codebase
Package defaults contains default constants set in various parts of teleport codebase
events
Package events implements the audit log interface events.IAuditLog using filesystem backend.
Package events implements the audit log interface events.IAuditLog using filesystem backend.
httplib
Package httplib implements common utility functions for writing classic HTTP handlers Package httplib implements common utility functions for writing classic HTTP handlers
Package httplib implements common utility functions for writing classic HTTP handlers Package httplib implements common utility functions for writing classic HTTP handlers
limiter
Package limiter implements connection and rate limiters for teleport
Package limiter implements connection and rate limiters for teleport
modules
package modules allows external packages override certain behavioral aspects of teleport
package modules allows external packages override certain behavioral aspects of teleport
multiplexer
package multiplexer implements SSH and TLS multiplexing on the same listener mux, _ := multiplexer.New(Config{Listener: listener}) mux.SSH() // returns listener getting SSH connections mux.TLS() // returns listener getting TLS connections
package multiplexer implements SSH and TLS multiplexing on the same listener mux, _ := multiplexer.New(Config{Listener: listener}) mux.SSH() // returns listener getting SSH connections mux.TLS() // returns listener getting TLS connections
reversetunnel
Package reversetunnel sets up persistent reverse tunnel between remote site and teleport proxy, when site agents dial to teleport proxy's socket and teleport proxy can connect to any server through this tunnel.
Package reversetunnel sets up persistent reverse tunnel between remote site and teleport proxy, when site agents dial to teleport proxy's socket and teleport proxy can connect to any server through this tunnel.
service
Package service implements teleport running service, takes care of initialization, cleanup and shutdown procedures Copyright 2015 Gravitational, Inc.
Package service implements teleport running service, takes care of initialization, cleanup and shutdown procedures Copyright 2015 Gravitational, Inc.
services
Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.
Package services implements statefule services provided by teleport, like certificate authority management, user and web sessions, events and logs.
services/local
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
Package local implements services interfaces using abstract key value backend provided by lib/backend, what makes it possible for teleport to run using boltdb or etcd
session
Package session is used for bookeeping of SSH interactive sessions that happen in realtime across the teleport cluster
Package session is used for bookeeping of SSH interactive sessions that happen in realtime across the teleport cluster
srv
srv/regular
Package regular implements SSH server that supports multiplexing tunneling, SSH connections proxying and only supports Key based auth
Package regular implements SSH server that supports multiplexing tunneling, SSH connections proxying and only supports Key based auth
sshca
Package sshca specifies interfaces for SSH certificate authorities
Package sshca specifies interfaces for SSH certificate authorities
sshutils/scp
Package scp handles file uploads and downloads via scp command
Package scp handles file uploads and downloads via scp command
tlsca
Package tlsca provides internal TLS certificate authority used for mutual TLS authentication with the auth server and internal teleport components and external clients
Package tlsca provides internal TLS certificate authority used for mutual TLS authentication with the auth server and internal teleport components and external clients
web
Package web implements web proxy handler that provides web interface to view and connect to teleport nodes
Package web implements web proxy handler that provides web interface to view and connect to teleport nodes
tool
tsh

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL