Setting Up Teleport Community Edition: A Comprehensive Guide

December 12, 2024
teleport security user management roles MFA

This guide provides a step-by-step walkthrough for setting up Teleport Community Edition tailored to your specific requirements. We’ll cover installation, configuration, role definitions, user management, security setups, and best practices to ensure a secure and well-organized Teleport deployment.


Table of Contents

  1. Introduction
  2. Prerequisites
  3. Installation
  4. Configuring Teleport
  5. Role Definitions
  6. Node Labeling
  7. User Management
  8. Enforcing MFA
  9. Session Recording
  10. Monitoring and Auditing
  11. Security Best Practices
  12. Additional Suggestions
  13. Conclusion

Introduction

Teleport is an open-source tool that provides secure access to servers, applications, and Kubernetes clusters. It consolidates access controls, authentication, authorization, and auditing into a single platform. This guide will help you set up Teleport Community Edition on your infrastructure at teleport.webiste.com, configure roles and permissions, enforce security measures, and manage users effectively.


Prerequisites

  • Servers: A Teleport server (auth and proxy) hosted at teleport.webiste.com and multiple nodes (servers) in different environments (staging, production, testing).
  • Operating System: Linux-based systems (Ubuntu, CentOS, etc.).
  • Users: System users (root, webiste, ubuntu, viewer) managed via Puppet.
  • Domain: A valid domain (teleport.webiste.com) with DNS records pointing to your Teleport server.
  • Ports: Access to necessary ports (3023, 3024, 3025, 3080).
  • SSL Certificate: Ability to obtain Let’s Encrypt certificates.

Installation

1. Install Teleport on the Auth and Proxy Server

# Import GPG keys and add Teleport's repository
curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -
echo "deb https://deb.releases.teleport.dev/ stable main" | sudo tee /etc/apt/sources.list.d/teleport.list

# Update package list and install Teleport
sudo apt-get update
sudo apt-get install teleport

2. Install Teleport on Nodes

Repeat the installation steps on each node (server) that you want to manage with Teleport.


Configuring Teleport

Teleport Configuration File (/etc/teleport.yaml)

Below is an example of a Teleport configuration file tailored to your requirements:

# /etc/teleport.yaml
teleport:
  nodename: teleport.webiste.com
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
  auth_token: "your-secure-auth-token"
  connection_limits:
    max_connections: 15000
    max_users: 250
  storage:
    type: dir
    path: /var/lib/teleport/backend

auth_service:
  enabled: yes
  cluster_name: "webiste-cluster"
  listen_addr: 0.0.0.0:3025
  authentication:
    type: local
    second_factor: on
    webauthn:
      rp_id: teleport.webiste.com

proxy_service:
  enabled: yes
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  tunnel_listen_addr: 0.0.0.0:3024
  public_addr:
    - teleport.webiste.com:3080
    - teleport.webiste.com:3023
  https_key_file: /etc/letsencrypt/live/teleport.webiste.com/privkey.pem
  https_cert_file: /etc/letsencrypt/live/teleport.webiste.com/fullchain.pem
  acme:
    enabled: yes
    email: admin@webiste.com

ssh_service:
  enabled: yes
  labels:
    environment: production
  commands:
    - name: hostname
      command: [hostname]
      period: 1h

Setting Up Let’s Encrypt

Teleport can automatically obtain and renew Let’s Encrypt certificates.

  • Ensure port 80 is open on your proxy server for initial certificate issuance.
  • Configure the acme section in proxy_service as shown above.

Restricting Service Ports to Trusted IP Ranges

Update your firewall settings to restrict access:

# Example using UFW (Uncomplicated Firewall)
sudo ufw allow from <trusted_ip_range> to any port 3025
sudo ufw allow from <trusted_ip_range> to any port 3023
sudo ufw allow from <trusted_ip_range> to any port 3024
sudo ufw allow from any to any port 3080  # If web UI is publicly accessible

Role Definitions

Admin Role

# admin-role.yaml
kind: role
version: v4
metadata:
  name: admin
spec:
  options:
    max_session_ttl: 12h
    forward_agent: true
  allow:
    logins: ['root', 'webiste', 'ubuntu']
    node_labels:
      '*': '*'
    rules:
      - resources: ['*']
        verbs: ['*']

Developer Role

# developer-role.yaml
kind: role
version: v4
metadata:
  name: developer
spec:
  options:
    max_session_ttl: 8h
  allow:
    logins: ['developer']
    node_labels:
      environment: 'staging'
    rules:
      - resources: ['node']
        verbs: ['read', 'list', 'create']

Readonly Role

# readonly-role.yaml
kind: role
version: v4
metadata:
  name: readonly
spec:
  options:
    max_session_ttl: 4h
  allow:
    logins: ['viewer']
    node_labels:
      '*': '*'
    rules:
      - resources: ['session']
        verbs: ['read', 'list']
  deny:
    rules:
      - resources: ['ssh']
        verbs: ['update', 'delete', 'create']

Node Labeling

Node labels are key-value pairs assigned to nodes to categorize them. Roles grant access by matching these labels in their node_labels selector, so the labeling scheme directly determines who can reach which nodes.

Example Node Configuration

On each node, update the ssh_service section in /etc/teleport.yaml:

ssh_service:
  enabled: yes
  labels:
    environment: staging  # Change to production or testing as appropriate
    region: us-west
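
The script below is an added example, not Teleport's own code. It models the access decision that the roles and labels above drive: the three roles from this guide are transcribed as Python dicts, two label sets (staging and production) are constructed to match the labeling scheme, and check_access applies the core rule that a role grants a login on a node only when the login is in that role's allow.logins and its allow.node_labels match the node, with deny rules in any of the user's roles taking precedence. Namespaces, regex label values, access requests and per-session MFA are deliberately left out, so use it to reason about a role change before applying it with tctl, not as a substitute for Teleport's evaluation.

```python
"""Simplified model of Teleport's SSH access decision (added example, not Teleport code).

A role grants a login on a node when the login is in the role's allow.logins AND
the role's allow.node_labels match the node's labels; deny rules in any of the
user's roles take precedence. Namespaces, regex label values, access requests
and per-session MFA are deliberately omitted.
"""
from __future__ import annotations

# The three roles defined in this guide, transcribed as dicts.
ROLES: dict[str, dict] = {
    "admin": {"allow": {"logins": ["root", "webiste", "ubuntu"],
                        "node_labels": {"*": "*"}}},
    "developer": {"allow": {"logins": ["developer"],
                            "node_labels": {"environment": "staging"}}},
    "readonly": {"allow": {"logins": ["viewer"],
                           "node_labels": {"*": "*"}}},
}


def labels_match(selector: dict, node_labels: dict) -> bool:
    """True if every selector entry matches the node's labels.

    {'*': '*'} matches any node; a value of '*' matches any value of that key;
    a list value matches when the node's value is one of its entries.
    An empty selector matches no node (a role without node_labels grants none).
    """
    if not selector:
        return False
    for key, want in selector.items():
        if key == "*":
            if want != "*":
                return False  # only the '*': '*' wildcard form is modelled here
            continue
        if key not in node_labels:
            return False
        if want == "*":
            continue
        allowed = want if isinstance(want, list) else [want]
        if node_labels[key] not in allowed:
            return False
    return True


def check_access(user_roles: list[str], login: str, node_labels: dict,
                 roles: dict[str, dict] = ROLES) -> tuple[bool, str]:
    """Decide whether a user holding `user_roles` may SSH as `login` to a node."""
    bound = [(name, roles[name]) for name in user_roles]
    # Deny first: a deny on the login or on the node's labels blocks access
    # regardless of what any other role allows.
    for name, role in bound:
        deny = role.get("deny", {})
        if login in deny.get("logins", []) or labels_match(deny.get("node_labels", {}), node_labels):
            return False, f"denied by role {name!r}"
    # Allow: the login and the label match must come from the same role.
    for name, role in bound:
        allow = role.get("allow", {})
        if login in allow.get("logins", []) and labels_match(allow.get("node_labels", {}), node_labels):
            return True, f"allowed by role {name!r}"
    return False, "no role allows this login on this node"


def overprivileged_roles(roles: dict[str, dict] = ROLES) -> list[str]:
    """Least-privilege check: roles that allow the root login on every node."""
    return [name for name, role in roles.items()
            if "root" in role.get("allow", {}).get("logins", [])
            and role.get("allow", {}).get("node_labels") == {"*": "*"}]


if __name__ == "__main__":
    # Constructed label sets matching the node labeling scheme in this guide.
    staging = {"environment": "staging", "region": "us-west"}
    production = {"environment": "production", "region": "us-west"}
    for user_roles, login, node in [
        (["developer", "readonly"], "developer", staging),
        (["developer", "readonly"], "developer", production),
        (["developer", "readonly"], "viewer", production),
        (["admin"], "root", production),
    ]:
        ok, why = check_access(user_roles, login, node)
        print(f"{'/'.join(user_roles):20} {login:10} {node['environment']:11} "
              f"{'ALLOW' if ok else 'DENY '} ({why})")
    print("roles granting root on every node:", overprivileged_roles())
```

Run as-is, the output also shows that the readonly role as defined above lets the viewer login reach production nodes, because its node_labels selector is '*': '*'; narrow that selector (for example to a specific environment) if read-only users should not have shell access there.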

User Management

Creating Users

# Create a user with multiple roles
tctl users add alice --roles=developer,readonly

Modifying Users

# Update roles for an existing user
tctl users update alice --set-roles=admin

Deleting Users

# Delete a user
tctl users rm alice

Resetting MFA

# Reset a user's password and MFA devices; prints a one-time reset link for re-enrollment
tctl users reset alice

Enforcing MFA

MFA is enforced via the second_factor setting in the authentication section:

authentication:
  type: local
  second_factor: on  # Options: off, otp, u2f, webauthn, on (any registered second factor)

Session Recording

Session recording is a cluster-wide setting configured in the auth_service section:

auth_service:
  enabled: yes
  session_recording: node  # Records sessions at the node level

Session recordings are stored in /var/lib/teleport/log by default and are accessible via the Web UI under the “Sessions” tab.


Monitoring and Auditing

Monitoring Active Sessions

Use the Web UI or CLI to view active sessions:

tctl sessions ls

Viewing Audit Logs

Audit logs are stored in /var/lib/teleport/log. You can view them using standard log viewing tools:

less /var/lib/teleport/log/teleport.log

Periodic Role and User Auditing

List all users and their roles:

tctl users ls

List all roles:

tctl get roles

Review role definitions:

tctl get role/<role-name> --format=yaml

Security Best Practices

  • Regular Updates: Keep Teleport updated to the latest version.
  • Least Privilege: Assign the minimal required permissions to each role.
  • MFA Enforcement: Ensure MFA is always enabled (second_factor: on).
  • Audit Trails: Regularly review audit logs and session recordings.
  • Secure Authentication Tokens: Keep auth_token values secure and rotate them periodically.
  • Network Security: Use firewalls and security groups to restrict access to Teleport’s ports.
  • Backup Configuration: Regularly backup configuration files and important data directories.
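
The following audit script is an added example and not part of Teleport; it checks a teleport.yaml for the settings this guide recommends under Enforcing MFA, Session Recording and the practices listed above (second_factor set to on, session recording not disabled, the placeholder auth_token replaced, and a TLS certificate source on the proxy). It carries its own parser for the YAML subset Teleport configs use (nested maps, scalar list items indented under their key, inline [a, b] lists, # comments); for real files use PyYAML instead. The sample config is constructed for the example and deliberately weaker than the one in this guide, and the key names it checks are Teleport's own; the placeholder token string is the one used in this guide.

```python
"""Audit a teleport.yaml for the hardening settings this guide recommends.

Added example, not part of Teleport. It includes a parser for the YAML subset
Teleport configs use (nested maps, '- item' scalar lists indented under their
key, inline [a, b] lists, '#' comments); use PyYAML for real files.
"""


def _scalar(value: str):
    """Coerce a YAML scalar. Only yes/no/true/false and integers are converted;
    'on'/'off' stay strings because Teleport reads second_factor as a string
    (a YAML 1.1 loader would turn an unquoted `on` into a boolean, which is why
    quoting it as "on" is the safer spelling)."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        return [_scalar(v) for v in value[1:-1].split(",") if v.strip()]
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if value.lower() in ("yes", "true"):
        return True
    if value.lower() in ("no", "false"):
        return False
    return int(value) if value.isdigit() else value


def parse_yaml_subset(text: str) -> dict:
    """Parse the YAML subset described above into nested dicts and lists."""
    root: dict = {}
    stack: list = [[-1, root, None]]  # [indent, container, (parent, key) holding it]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent, body = len(line) - len(line.lstrip(" ")), line.strip()
        while indent <= stack[-1][0]:
            stack.pop()
        top = stack[-1]
        if body.startswith("- "):
            if isinstance(top[1], dict):  # first item under a 'key:' line
                if top[1] or top[2] is None:
                    raise ValueError(f"unexpected list item: {raw!r}")
                parent, key = top[2]
                top[1] = parent[key] = []
            top[1].append(_scalar(body[2:]))
            continue
        if not isinstance(top[1], dict):
            raise ValueError(f"expected a list item: {raw!r}")
        key, sep, value = body.partition(":")
        if not sep:
            raise ValueError(f"not a key/value line: {raw!r}")
        if value.strip():
            top[1][key.strip()] = _scalar(value)
        else:
            top[1][key.strip()] = child = {}
            stack.append([indent, child, (top[1], key.strip())])
    return root


def audit(config: dict) -> list:
    """Findings for settings that deviate from this guide's recommendations."""
    findings = []
    auth = config.get("auth_service", {})
    second_factor = str(auth.get("authentication", {}).get("second_factor", "off"))
    if second_factor not in ("on", "webauthn"):
        findings.append(f"second_factor is {second_factor!r}; set it to on")
    if auth.get("session_recording") == "off":
        findings.append("session_recording is off; use node (or proxy)")
    if config.get("teleport", {}).get("auth_token") == "your-secure-auth-token":
        findings.append("auth_token is still the placeholder; use a token from tctl tokens add")
    proxy = config.get("proxy_service", {})
    if proxy.get("enabled") is True and not (
        proxy.get("acme", {}).get("enabled") is True
        or "https_keypairs" in proxy or "https_cert_file" in proxy
    ):
        findings.append("proxy_service has neither acme nor a TLS certificate configured")
    return findings


# Constructed sample config, deliberately weaker than the one in this guide.
SAMPLE_CONFIG = """\
teleport:
  nodename: teleport.example.com
  auth_token: "your-secure-auth-token"
auth_service:
  enabled: yes
  listen_addr: 0.0.0.0:3025
  authentication:
    type: local
    second_factor: optional
  session_recording: off
proxy_service:
  enabled: yes
  web_listen_addr: 0.0.0.0:3080
  public_addr:
    - teleport.example.com:3080
"""

if __name__ == "__main__":
    for finding in audit(parse_yaml_subset(SAMPLE_CONFIG)) or ["no findings"]:
        print("-", finding)
```

The parser intentionally keeps on and off as strings: Teleport accepts second_factor: on, but a YAML 1.1 loader used in other tooling would read the unquoted value as a boolean, so a check written on top of such a loader would silently miss the setting unless it is quoted.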

Additional Suggestions

  • High Availability: Consider setting up Teleport in high availability mode with multiple auth servers.
  • External Authentication: Integrate with external identity providers (e.g., GitHub, SAML) for centralized authentication.
  • CA Pinning: Pin nodes to the cluster's certificate authority (ca_pin) when they join, so they cannot be joined to an impostor auth server.
  • Periodic Training: Conduct regular training for users on security practices and how to use Teleport.
  • Automation: Use configuration management tools (like Puppet) to manage Teleport configurations across nodes.

Conclusion

By following this guide, you will have a secure and organized Teleport deployment that meets your requirements. Regularly review and update your configurations and practices to adapt to new security challenges and organizational needs.